bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 06:38:19 +02:00
parent 1028498705
commit 090d2b7d89
40 changed files with 603 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
api/tests/Feature/Api/V1/EventImageUploadTest.php
View File

@@ -134,7 +134,7 @@ class EventImageUploadTest extends TestCase
]
);
$response->assertForbidden();
$response->assertNotFound();
}
public function test_registration_data_includes_branding_fields(): void

6
api/tests/Feature/Event/EventTest.php
View File

@@ -255,7 +255,7 @@ class EventTest extends TestCase
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
$response->assertForbidden();
$response->assertNotFound();
}
public function test_update_event_from_other_org_is_blocked(): void
@@ -269,7 +269,7 @@ class EventTest extends TestCase
'name' => 'Cross-org hack',
]);
$response->assertForbidden();
$response->assertNotFound();
}
// --- UNAUTHENTICATED ---
@@ -370,7 +370,7 @@ class EventTest extends TestCase
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
$response->assertForbidden();
$response->assertNotFound();
}
public function test_soft_deleted_event_not_in_index(): void

4
api/tests/Feature/Event/FestivalEventTest.php
View File

@@ -550,9 +550,9 @@ class FestivalEventTest extends TestCase
'allow_overlap' => false,
]);
// Create a person
// Create a person (on festival level, per schema design)
$person = Person::factory()->create([
'event_id' => $this->subEvent->id,
'event_id' => $this->festival->id,
'crowd_type_id' => $this->crowdType->id,
]);

297
api/tests/Feature/Security/MultiTenancyIsolationTest.php Normal file
View File

@@ -0,0 +1,297 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Security;
use App\Models\Company;
use App\Models\CrowdList;
use App\Models\CrowdType;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\Shift;
use App\Models\ShiftAssignment;
use App\Models\TimeSlot;
use App\Models\User;
use App\Models\UserInvitation;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
final class MultiTenancyIsolationTest extends TestCase
{
use RefreshDatabase;
private Organisation $orgA;
private Organisation $orgB;
private Event $eventA;
private Event $eventB;
private User $adminA;
private User $adminB;
private CrowdType $crowdTypeA;
private CrowdType $crowdTypeB;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
// Organisation A
$this->orgA = Organisation::factory()->create();
$this->adminA = User::factory()->create();
$this->orgA->users()->attach($this->adminA, ['role' => 'org_admin']);
$this->crowdTypeA = CrowdType::factory()->systemType('VOLUNTEER')->create(['organisation_id' => $this->orgA->id]);
$this->eventA = Event::factory()->create([
'organisation_id' => $this->orgA->id,
'status' => 'registration_open',
]);
// Organisation B
$this->orgB = Organisation::factory()->create();
$this->adminB = User::factory()->create();
$this->orgB->users()->attach($this->adminB, ['role' => 'org_admin']);
$this->crowdTypeB = CrowdType::factory()->systemType('VOLUNTEER')->create(['organisation_id' => $this->orgB->id]);
$this->eventB = Event::factory()->create([
'organisation_id' => $this->orgB->id,
'status' => 'registration_open',
]);
}
// --- Cross-tenant event access ---
public function test_cannot_view_other_org_event(): void
{
Sanctum::actingAs($this->adminA);
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventB->id}");
$response->assertNotFound();
}
public function test_cannot_list_other_org_events(): void
{
Sanctum::actingAs($this->adminA);
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events");
$response->assertOk();
$eventIds = collect($response->json('data'))->pluck('id');
$this->assertContains($this->eventA->id, $eventIds->all());
$this->assertNotContains($this->eventB->id, $eventIds->all());
}
// --- Cross-tenant person assignment ---
public function test_cannot_create_person_with_other_org_crowd_type(): void
{
Sanctum::actingAs($this->adminA);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
'crowd_type_id' => $this->crowdTypeB->id,
'first_name' => 'Test',
'last_name' => 'User',
'email' => 'test@example.com',
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('crowd_type_id');
}
public function test_cannot_assign_person_from_other_org_to_shift(): void
{
Sanctum::actingAs($this->adminA);
$personB = Person::factory()->approved()->create([
'event_id' => $this->eventB->id,
'crowd_type_id' => $this->crowdTypeB->id,
]);
$sectionA = FestivalSection::factory()->create(['event_id' => $this->eventA->id]);
$timeSlotA = TimeSlot::factory()->create(['event_id' => $this->eventA->id]);
$shiftA = Shift::factory()->create([
'festival_section_id' => $sectionA->id,
'time_slot_id' => $timeSlotA->id,
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
['person_id' => $personB->id]
);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('person_id');
}
// --- Cross-tenant crowd list operations ---
public function test_cannot_add_person_from_other_org_to_crowd_list(): void
{
Sanctum::actingAs($this->adminA);
$personB = Person::factory()->approved()->create([
'event_id' => $this->eventB->id,
'crowd_type_id' => $this->crowdTypeB->id,
]);
$crowdListA = CrowdList::factory()->create([
'event_id' => $this->eventA->id,
'crowd_type_id' => $this->crowdTypeA->id,
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
['person_id' => $personB->id]
);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('person_id');
}
// --- Cross-tenant bulk operations ---
public function test_cannot_bulk_approve_other_org_assignments(): void
{
Sanctum::actingAs($this->adminA);
$sectionB = FestivalSection::factory()->create(['event_id' => $this->eventB->id]);
$timeSlotB = TimeSlot::factory()->create(['event_id' => $this->eventB->id]);
$shiftB = Shift::factory()->create([
'festival_section_id' => $sectionB->id,
'time_slot_id' => $timeSlotB->id,
]);
$personB = Person::factory()->approved()->create([
'event_id' => $this->eventB->id,
'crowd_type_id' => $this->crowdTypeB->id,
]);
$assignmentB = ShiftAssignment::factory()->create([
'shift_id' => $shiftB->id,
'person_id' => $personB->id,
'time_slot_id' => $timeSlotB->id,
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/shift-assignments/bulk-approve",
['assignment_ids' => [$assignmentB->id]]
);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('assignment_ids.0');
}
// --- Cross-tenant invitation revocation ---
public function test_cannot_revoke_other_org_invitation(): void
{
Sanctum::actingAs($this->adminA);
$invitationB = UserInvitation::factory()->create([
'organisation_id' => $this->orgB->id,
'invited_by_user_id' => $this->adminB->id,
]);
$response = $this->deleteJson(
"/api/v1/organisations/{$this->orgA->id}/invitations/{$invitationB->id}"
);
$response->assertNotFound();
}
// --- Cross-tenant company reference ---
public function test_cannot_create_person_with_other_org_company(): void
{
Sanctum::actingAs($this->adminA);
$companyB = Company::factory()->create(['organisation_id' => $this->orgB->id]);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
'crowd_type_id' => $this->crowdTypeA->id,
'first_name' => 'Test',
'last_name' => 'User',
'email' => 'test@example.com',
'company_id' => $companyB->id,
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('company_id');
}
// --- Cross-tenant crowd list creation ---
public function test_cannot_create_crowd_list_with_other_org_crowd_type(): void
{
Sanctum::actingAs($this->adminA);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/crowd-lists", [
'crowd_type_id' => $this->crowdTypeB->id,
'name' => 'Test List',
'type' => 'accreditation',
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('crowd_type_id');
}
// --- Cross-tenant event parent reference ---
public function test_cannot_set_parent_event_from_other_org(): void
{
Sanctum::actingAs($this->adminA);
$response = $this->putJson(
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}",
['parent_event_id' => $this->eventB->id]
);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('parent_event_id');
}
// --- OrganisationScope filters correctly ---
public function test_organisation_scope_filters_persons(): void
{
$personA = Person::factory()->approved()->create([
'event_id' => $this->eventA->id,
'crowd_type_id' => $this->crowdTypeA->id,
]);
Person::factory()->approved()->create([
'event_id' => $this->eventB->id,
'crowd_type_id' => $this->crowdTypeB->id,
]);
Sanctum::actingAs($this->adminA);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/persons");
$response->assertOk();
$personIds = collect($response->json('data'))->pluck('id');
$this->assertContains($personA->id, $personIds->all());
$this->assertCount(1, $personIds);
}
// --- Portal cross-event access ---
public function test_portal_me_cannot_access_other_org_event(): void
{
$volunteer = User::factory()->create();
Person::factory()->approved()->create([
'event_id' => $this->eventA->id,
'crowd_type_id' => $this->crowdTypeA->id,
'user_id' => $volunteer->id,
'email' => $volunteer->email,
]);
Sanctum::actingAs($volunteer);
// Volunteer tries to access event from org B (where they have no person record)
$response = $this->getJson("/api/v1/portal/me?event_id={$this->eventB->id}");
$response->assertNotFound();
}
}