security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/UpdatePersonRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 final class UpdatePersonRequest extends FormRequest
 {
@@ -16,14 +17,16 @@ final class UpdatePersonRequest extends FormRequest
     /** @return array<string, mixed> */
     public function rules(): array
     {
+        $orgId = $this->route('event')->organisation_id;
+
         return [
-            'crowd_type_id' => ['sometimes', 'ulid', 'exists:crowd_types,id'],
+            'crowd_type_id' => ['sometimes', 'ulid', Rule::exists('crowd_types', 'id')->where('organisation_id', $orgId)],
             'first_name' => ['sometimes', 'string', 'max:255'],
             'last_name' => ['sometimes', 'string', 'max:255'],
             'date_of_birth' => ['nullable', 'date', 'before:today'],
             'email' => ['sometimes', 'email', 'max:255'],
             'phone' => ['nullable', 'string', 'max:30'],
-            'company_id' => ['nullable', 'ulid', 'exists:companies,id'],
+            'company_id' => ['nullable', 'ulid', Rule::exists('companies', 'id')->where('organisation_id', $orgId)],
             'status' => ['sometimes', 'in:invited,applied,pending,approved,rejected,no_show'],
             'is_blacklisted' => ['sometimes', 'boolean'],
             'admin_notes' => ['nullable', 'string'],