bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Browse Source 
Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/app/Http/Controllers/Api/V1/EventController.php
View File

@@ -29,9 +29,7 @@ final class EventController extends Controller
public function show(Organisation $organisation, Event $event): JsonResponse
{
Gate::authorize('view', $event);
abort_unless($event->organisation_id === $organisation->id, 404);
Gate::authorize('view', [$event, $organisation]);
return $this->success(new EventResource($event->load('organisation')));
}
@@ -47,9 +45,7 @@ final class EventController extends Controller
public function update(UpdateEventRequest $request, Organisation $organisation, Event $event): JsonResponse
{
Gate::authorize('update', $event);
abort_unless($event->organisation_id === $organisation->id, 404);
Gate::authorize('update', [$event, $organisation]);
$event->update($request->validated());

6
api/app/Http/Controllers/Api/V1/MeController.php
View File

@@ -5,7 +5,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Resources\Api\V1\UserResource;
use App\Http\Resources\Api\V1\MeResource;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
@@ -13,8 +13,8 @@ final class MeController extends Controller
{
public function __invoke(Request $request): JsonResponse
{
$user = $request->user()->load(['organisations', 'events']);
$user = $request->user()->load(['organisations', 'roles', 'permissions']);
return $this->success(new UserResource($user));
return $this->success(new MeResource($user));
}
}

2
api/app/Http/Controllers/Api/V1/OrganisationController.php
View File

@@ -41,6 +41,8 @@ final class OrganisationController extends Controller
$organisation = Organisation::create($request->validated());
$organisation->users()->attach(auth()->id(), ['role' => 'org_admin']);
return $this->created(new OrganisationResource($organisation));
}

2
api/app/Http/Requests/Api/V1/StoreOrganisationRequest.php
View File

@@ -19,7 +19,7 @@ final class StoreOrganisationRequest extends FormRequest
return [
'name' => ['required', 'string', 'max:255'],
'slug' => ['required', 'string', 'max:255', 'unique:organisations,slug', 'regex:/^[a-z0-9-]+$/'],
'billing_status' => ['sometimes', 'string', 'in:active,trial,suspended'],
'billing_status' => ['sometimes', 'string', 'in:trial,active,suspended,cancelled'],
'settings' => ['sometimes', 'array'],
];
}

34
api/app/Http/Resources/Api/V1/MeResource.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
declare(strict_types=1);
namespace App\Http\Resources\Api\V1;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
final class MeResource extends JsonResource
{
public function toArray(Request $request): array
{
return [
'id' => $this->id,
'name' => $this->name,
'email' => $this->email,
'timezone' => $this->timezone,
'locale' => $this->locale,
'avatar' => $this->avatar,
'email_verified_at' => $this->email_verified_at?->toIso8601String(),
'organisations' => $this->whenLoaded('organisations', fn () =>
$this->organisations->map(fn ($org) => [
'id' => $org->id,
'name' => $org->name,
'slug' => $org->slug,
'role' => $org->pivot->role,
])
),
'app_roles' => $this->getRoleNames()->values()->all(),
'permissions' => $this->getAllPermissions()->pluck('name')->values()->all(),
];
}
}

16
api/app/Models/Event.php
View File

@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace App\Models;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Concerns\HasUlids;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
@@ -52,4 +53,19 @@ final class Event extends Model
{
return $this->hasMany(UserInvitation::class);
}
public function scopeDraft(Builder $query): Builder
{
return $query->where('status', 'draft');
}
public function scopePublished(Builder $query): Builder
{
return $query->where('status', 'published');
}
public function scopeActive(Builder $query): Builder
{
return $query->whereIn('status', ['showday', 'buildup', 'teardown']);
}
}

25
api/app/Models/Scopes/OrganisationScope.php
View File

@@ -9,19 +9,32 @@ use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
/**
* Explicit organisation filter for queries ({@see Builder::withGlobalScope()}).
* Event data is currently scoped via the {@see Organisation} relationship and policies;
* when you add child models (persons, shifts, ), consider a global scope driven by
* the authenticated users active organisation (see `.cursor/rules/102_multi_tenancy.mdc`).
* Global scope that filters event-related models by organisation_id.
*
* Resolves the organisation from (in order):
* 1. An explicitly provided organisation ID (constructor)
* 2. The route parameter 'organisation'
*
* IMPORTANT: This scope is route-dependent it only works when the
* 'organisation' parameter is present in the URL (e.g. /organisations/{organisation}/events).
* Routes without an organisation segment (e.g. GET /events/{event}) will NOT be scoped,
* silently bypassing multi-tenancy. All new routes that touch organisation-owned
* data MUST be nested under /organisations/{organisation}/... to guarantee scoping.
*/
final class OrganisationScope implements Scope
{
public function __construct(
private readonly string $organisationId,
private readonly ?string $organisationId = null,
) {}
public function apply(Builder $builder, Model $model): void
{
$builder->where($model->getTable() . '.organisation_id', $this->organisationId);
$id = $this->organisationId
?? request()->route('organisation')?->id
?? (is_string(request()->route('organisation')) ? request()->route('organisation') : null);
if ($id) {
$builder->where($model->getTable() . '.organisation_id', $id);
}
}
}

6
api/app/Models/User.php
View File

@@ -7,6 +7,7 @@ namespace App\Models;
use Illuminate\Database\Eloquent\Concerns\HasUlids;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
@@ -57,4 +58,9 @@ final class User extends Authenticatable
->withPivot('role')
->withTimestamps();
}
public function invitations(): HasMany
{
return $this->hasMany(UserInvitation::class, 'invited_by_user_id');
}
}

12
api/app/Models/UserInvitation.php
View File

@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace App\Models;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Concerns\HasUlids;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
@@ -46,4 +47,15 @@ final class UserInvitation extends Model
{
return $this->belongsTo(Event::class);
}
public function scopePending(Builder $query): Builder
{
return $query->where('status', 'pending');
}
public function scopeExpired(Builder $query): Builder
{
return $query->where('status', 'expired')
->orWhere(fn (Builder $q) => $q->where('status', 'pending')->where('expires_at', '<', now()));
}
}

29
api/app/Policies/EventPolicy.php
View File

@@ -16,8 +16,12 @@ final class EventPolicy
|| $organisation->users()->where('user_id', $user->id)->exists();
}
public function view(User $user, Event $event): bool
public function view(User $user, Event $event, ?Organisation $organisation = null): bool
{
if ($organisation && $event->organisation_id !== $organisation->id) {
return false;
}
return $user->hasRole('super_admin')
|| $event->organisation->users()->where('user_id', $user->id)->exists();
}
@@ -30,19 +34,34 @@ final class EventPolicy
return $organisation->users()
->where('user_id', $user->id)
->wherePivotIn('role', ['org_admin', 'org_member'])
->wherePivot('role', 'org_admin')
->exists();
}
public function update(User $user, Event $event): bool
public function update(User $user, Event $event, ?Organisation $organisation = null): bool
{
if ($organisation && $event->organisation_id !== $organisation->id) {
return false;
}
if ($user->hasRole('super_admin')) {
return true;
}
return $event->organisation->users()
// org_admin at organisation level
$isOrgAdmin = $event->organisation->users()
->where('user_id', $user->id)
->wherePivotIn('role', ['org_admin', 'org_member'])
->wherePivot('role', 'org_admin')
->exists();
if ($isOrgAdmin) {
return true;
}
// event_manager at event level
return $event->users()
->where('user_id', $user->id)
->wherePivot('role', 'event_manager')
->exists();
}
}

8
api/database/factories/EventFactory.php
View File

@@ -14,12 +14,14 @@ final class EventFactory extends Factory
/** @return array<string, mixed> */
public function definition(): array
{
$name = fake()->unique()->words(3, true);
$startDate = fake()->dateTimeBetween('+1 week', '+3 months');
$city = fake('nl_NL')->city();
$year = fake()->year('+2 years');
$name = "Festival {$city} {$year}";
$startDate = fake()->dateTimeBetween('+1 month', '+6 months');
return [
'organisation_id' => Organisation::factory(),
'name' => ucfirst($name),
'name' => $name,
'slug' => str($name)->slug()->toString(),
'start_date' => $startDate,
'end_date' => fake()->dateTimeBetween($startDate, (clone $startDate)->modify('+3 days')),

6
api/database/factories/OrganisationFactory.php
View File

@@ -13,12 +13,12 @@ final class OrganisationFactory extends Factory
/** @return array<string, mixed> */
public function definition(): array
{
$name = fake()->unique()->company();
$name = fake('nl_NL')->unique()->company();
return [
'name' => $name,
'slug' => str($name)->slug()->toString(),
'billing_status' => 'active',
'slug' => str($name)->slug()->append('-' . fake()->numerify('##'))->toString(),
'billing_status' => fake()->randomElement(['trial', 'active', 'suspended', 'cancelled']),
'settings' => [],
];
}

38
api/database/migrations/2026_04_07_250000_fix_organisations_and_invitations.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
// Fix billing_status default from 'active' to 'trial'
Schema::table('organisations', function (Blueprint $table) {
$table->string('billing_status')->default('trial')->change();
});
// Fix invited_by_user_id: nullOnDelete instead of cascadeOnDelete
Schema::table('user_invitations', function (Blueprint $table) {
$table->dropForeign(['invited_by_user_id']);
$table->foreignUlid('invited_by_user_id')->nullable()->change();
$table->foreign('invited_by_user_id')->references('id')->on('users')->nullOnDelete();
});
}
public function down(): void
{
Schema::table('organisations', function (Blueprint $table) {
$table->string('billing_status')->default('active')->change();
});
Schema::table('user_invitations', function (Blueprint $table) {
$table->dropForeign(['invited_by_user_id']);
$table->foreignUlid('invited_by_user_id')->change();
$table->foreign('invited_by_user_id')->references('id')->on('users')->cascadeOnDelete();
});
}
};

23
api/tests/Feature/Auth/MeTest.php
View File

@@ -6,6 +6,7 @@ namespace Tests\Feature\Auth;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
@@ -14,6 +15,12 @@ class MeTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
}
public function test_authenticated_user_can_get_profile(): void
{
$user = User::factory()->create();
@@ -29,13 +36,27 @@ class MeTest extends TestCase
'success',
'data' => [
'id', 'name', 'email', 'timezone', 'locale',
'organisations',
'organisations', 'app_roles', 'permissions',
],
]);
$this->assertCount(1, $response->json('data.organisations'));
}
public function test_me_returns_app_roles_and_permissions(): void
{
$user = User::factory()->create();
$user->assignRole('super_admin');
Sanctum::actingAs($user);
$response = $this->getJson('/api/v1/auth/me');
$response->assertOk();
$this->assertContains('super_admin', $response->json('data.app_roles'));
$this->assertIsArray($response->json('data.permissions'));
}
public function test_unauthenticated_user_cannot_get_profile(): void
{
$response = $this->getJson('/api/v1/auth/me');

106
api/tests/Feature/Event/EventTest.php
View File

@@ -18,6 +18,7 @@ class EventTest extends TestCase
private User $admin;
private User $orgAdmin;
private User $orgMember;
private User $outsider;
private Organisation $organisation;
@@ -34,6 +35,9 @@ class EventTest extends TestCase
$this->orgAdmin = User::factory()->create();
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->orgMember = User::factory()->create();
$this->organisation->users()->attach($this->orgMember, ['role' => 'org_member']);
$this->outsider = User::factory()->create();
}
@@ -51,6 +55,18 @@ class EventTest extends TestCase
$this->assertCount(3, $response->json('data'));
}
public function test_org_member_can_list_events(): void
{
Event::factory()->count(2)->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
$response->assertOk();
$this->assertCount(2, $response->json('data'));
}
public function test_outsider_cannot_list_events(): void
{
Sanctum::actingAs($this->outsider);
@@ -114,6 +130,20 @@ class EventTest extends TestCase
]);
}
public function test_org_member_cannot_create_event(): void
{
Sanctum::actingAs($this->orgMember);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Member Event',
'slug' => 'member-event',
'start_date' => '2026-07-01',
'end_date' => '2026-07-03',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_create_event(): void
{
Sanctum::actingAs($this->outsider);
@@ -140,6 +170,21 @@ class EventTest extends TestCase
$response->assertUnauthorized();
}
public function test_store_with_end_date_before_start_date_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Bad Dates',
'slug' => 'bad-dates',
'start_date' => '2026-07-05',
'end_date' => '2026-07-01',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors(['end_date']);
}
// --- UPDATE ---
public function test_org_admin_can_update_event(): void
@@ -156,6 +201,36 @@ class EventTest extends TestCase
->assertJson(['data' => ['name' => 'Updated Festival']]);
}
public function test_event_manager_can_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$eventManager = User::factory()->create();
$this->organisation->users()->attach($eventManager, ['role' => 'org_member']);
$event->users()->attach($eventManager, ['role' => 'event_manager']);
Sanctum::actingAs($eventManager);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Manager Updated',
]);
$response->assertOk()
->assertJson(['data' => ['name' => 'Manager Updated']]);
}
public function test_org_member_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Hacked',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
@@ -171,7 +246,7 @@ class EventTest extends TestCase
// --- CROSS-ORG ---
public function test_event_from_other_org_returns_404(): void
public function test_show_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
@@ -180,6 +255,33 @@ class EventTest extends TestCase
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
$response->assertNotFound();
$response->assertForbidden();
}
public function test_update_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
Sanctum::actingAs($this->admin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Cross-org hack',
]);
$response->assertForbidden();
}
// --- UNAUTHENTICATED ---
public function test_unauthenticated_user_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Anon Update',
]);
$response->assertUnauthorized();
}
}

68
api/tests/Feature/Organisation/OrganisationTest.php
View File

@@ -41,7 +41,7 @@ class OrganisationTest extends TestCase
{
$user = User::factory()->create();
$ownOrg = Organisation::factory()->create();
$otherOrg = Organisation::factory()->create();
Organisation::factory()->create(); // other org
$ownOrg->users()->attach($user, ['role' => 'org_member']);
@@ -109,6 +109,28 @@ class OrganisationTest extends TestCase
$this->assertDatabaseHas('organisations', ['slug' => 'test-org']);
}
public function test_store_attaches_creator_as_org_admin(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', [
'name' => 'New Org',
'slug' => 'new-org',
]);
$response->assertCreated();
$org = Organisation::where('slug', 'new-org')->first();
$this->assertDatabaseHas('organisation_user', [
'user_id' => $admin->id,
'organisation_id' => $org->id,
'role' => 'org_admin',
]);
}
public function test_non_admin_cannot_create_organisation(): void
{
$user = User::factory()->create();
@@ -123,6 +145,36 @@ class OrganisationTest extends TestCase
$response->assertForbidden();
}
public function test_store_with_invalid_data_returns_422(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', []);
$response->assertUnprocessable()
->assertJsonValidationErrors(['name', 'slug']);
}
public function test_store_with_duplicate_slug_returns_422(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Organisation::factory()->create(['slug' => 'taken-slug']);
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', [
'name' => 'New Org',
'slug' => 'taken-slug',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors(['slug']);
}
// --- UPDATE ---
public function test_org_admin_can_update_organisation(): void
@@ -155,4 +207,18 @@ class OrganisationTest extends TestCase
$response->assertForbidden();
}
public function test_non_member_cannot_update_organisation(): void
{
$user = User::factory()->create();
$org = Organisation::factory()->create();
Sanctum::actingAs($user);
$response = $this->putJson("/api/v1/organisations/{$org->id}", [
'name' => 'Hacked Name',
]);
$response->assertForbidden();
}
}