feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend: - Consolidate duplicate API layers into single src/lib/axios.ts per app - Remove src/lib/api-client.ts and src/utils/api.ts (admin) - Add src/lib/query-client.ts with TanStack Query config per app - Update all imports and auto-import config Backend: - Fix organisations.billing_status default to 'trial' - Fix user_invitations.invited_by_user_id to nullOnDelete - Add MeResource with separated app_roles and pivot-based org roles - Add cross-org check to EventPolicy view() and update() - Restrict EventPolicy create/update to org_admin/event_manager (not org_member) - Attach creator as org_admin on organisation store - Add query scopes to Event and UserInvitation models - Improve factories with Dutch test data - Expand test suite from 29 to 41 tests (90 assertions) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
--- a/api/app/Http/Controllers/Api/V1/EventController.php
+++ b/api/app/Http/Controllers/Api/V1/EventController.php
@@ -29,9 +29,7 @@ final class EventController extends Controller

    public function show(Organisation $organisation, Event $event): JsonResponse
    {
-        Gate::authorize('view', $event);
-
-        abort_unless($event->organisation_id === $organisation->id, 404);
+        Gate::authorize('view', [$event, $organisation]);

        return $this->success(new EventResource($event->load('organisation')));
    }
@@ -47,9 +45,7 @@ final class EventController extends Controller

    public function update(UpdateEventRequest $request, Organisation $organisation, Event $event): JsonResponse
    {
-        Gate::authorize('update', $event);
-
-        abort_unless($event->organisation_id === $organisation->id, 404);
+        Gate::authorize('update', [$event, $organisation]);

        $event->update($request->validated());

--- a/api/app/Http/Controllers/Api/V1/MeController.php
+++ b/api/app/Http/Controllers/Api/V1/MeController.php
@@ -5,7 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api\V1;

 use App\Http\Controllers\Controller;
-use App\Http\Resources\Api\V1\UserResource;
+use App\Http\Resources\Api\V1\MeResource;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;

@@ -13,8 +13,8 @@ final class MeController extends Controller
 {
    public function __invoke(Request $request): JsonResponse
    {
-        $user = $request->user()->load(['organisations', 'events']);
+        $user = $request->user()->load(['organisations', 'roles', 'permissions']);

-        return $this->success(new UserResource($user));
+        return $this->success(new MeResource($user));
    }
 }
--- a/api/app/Http/Controllers/Api/V1/OrganisationController.php
+++ b/api/app/Http/Controllers/Api/V1/OrganisationController.php
@@ -41,6 +41,8 @@ final class OrganisationController extends Controller

        $organisation = Organisation::create($request->validated());

+        $organisation->users()->attach(auth()->id(), ['role' => 'org_admin']);
+
        return $this->created(new OrganisationResource($organisation));
    }

--- a/api/app/Http/Requests/Api/V1/StoreOrganisationRequest.php
+++ b/api/app/Http/Requests/Api/V1/StoreOrganisationRequest.php
@@ -19,7 +19,7 @@ final class StoreOrganisationRequest extends FormRequest
        return [
            'name' => ['required', 'string', 'max:255'],
            'slug' => ['required', 'string', 'max:255', 'unique:organisations,slug', 'regex:/^[a-z0-9-]+$/'],
-            'billing_status' => ['sometimes', 'string', 'in:active,trial,suspended'],
+            'billing_status' => ['sometimes', 'string', 'in:trial,active,suspended,cancelled'],
            'settings' => ['sometimes', 'array'],
        ];
    }
--- a/api/app/Http/Resources/Api/V1/MeResource.php
+++ b/api/app/Http/Resources/Api/V1/MeResource.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Resources\Api\V1;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\JsonResource;
+
+final class MeResource extends JsonResource
+{
+    public function toArray(Request $request): array
+    {
+        return [
+            'id' => $this->id,
+            'name' => $this->name,
+            'email' => $this->email,
+            'timezone' => $this->timezone,
+            'locale' => $this->locale,
+            'avatar' => $this->avatar,
+            'email_verified_at' => $this->email_verified_at?->toIso8601String(),
+            'organisations' => $this->whenLoaded('organisations', fn () =>
+                $this->organisations->map(fn ($org) => [
+                    'id' => $org->id,
+                    'name' => $org->name,
+                    'slug' => $org->slug,
+                    'role' => $org->pivot->role,
+                ])
+            ),
+            'app_roles' => $this->getRoleNames()->values()->all(),
+            'permissions' => $this->getAllPermissions()->pluck('name')->values()->all(),
+        ];
+    }
+}
--- a/api/app/Models/Event.php
+++ b/api/app/Models/Event.php
@@ -4,6 +4,7 @@ declare(strict_types=1);

 namespace App\Models;

+use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Concerns\HasUlids;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -52,4 +53,19 @@ final class Event extends Model
    {
        return $this->hasMany(UserInvitation::class);
    }
+
+    public function scopeDraft(Builder $query): Builder
+    {
+        return $query->where('status', 'draft');
+    }
+
+    public function scopePublished(Builder $query): Builder
+    {
+        return $query->where('status', 'published');
+    }
+
+    public function scopeActive(Builder $query): Builder
+    {
+        return $query->whereIn('status', ['showday', 'buildup', 'teardown']);
+    }
 }
--- a/api/app/Models/Scopes/OrganisationScope.php
+++ b/api/app/Models/Scopes/OrganisationScope.php
@@ -9,19 +9,32 @@ use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Scope;

 /**
- * Explicit organisation filter for queries ({@see Builder::withGlobalScope()}).
- * Event data is currently scoped via the {@see Organisation} relationship and policies;
- * when you add child models (persons, shifts, …), consider a global scope driven by
- * the authenticated user’s active organisation (see `.cursor/rules/102_multi_tenancy.mdc`).
+ * Global scope that filters event-related models by organisation_id.
+ *
+ * Resolves the organisation from (in order):
+ * 1. An explicitly provided organisation ID (constructor)
+ * 2. The route parameter 'organisation'
+ *
+ * IMPORTANT: This scope is route-dependent — it only works when the
+ * 'organisation' parameter is present in the URL (e.g. /organisations/{organisation}/events).
+ * Routes without an organisation segment (e.g. GET /events/{event}) will NOT be scoped,
+ * silently bypassing multi-tenancy. All new routes that touch organisation-owned
+ * data MUST be nested under /organisations/{organisation}/... to guarantee scoping.
 */
 final class OrganisationScope implements Scope
 {
    public function __construct(
-        private readonly string $organisationId,
+        private readonly ?string $organisationId = null,
    ) {}

    public function apply(Builder $builder, Model $model): void
    {
-        $builder->where($model->getTable() . '.organisation_id', $this->organisationId);
+        $id = $this->organisationId
+            ?? request()->route('organisation')?->id
+            ?? (is_string(request()->route('organisation')) ? request()->route('organisation') : null);
+
+        if ($id) {
+            $builder->where($model->getTable() . '.organisation_id', $id);
+        }
    }
 }
--- a/api/app/Models/User.php
+++ b/api/app/Models/User.php
@@ -7,6 +7,7 @@ namespace App\Models;
 use Illuminate\Database\Eloquent\Concerns\HasUlids;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
@@ -57,4 +58,9 @@ final class User extends Authenticatable
            ->withPivot('role')
            ->withTimestamps();
    }
+
+    public function invitations(): HasMany
+    {
+        return $this->hasMany(UserInvitation::class, 'invited_by_user_id');
+    }
 }
--- a/api/app/Models/UserInvitation.php
+++ b/api/app/Models/UserInvitation.php
@@ -4,6 +4,7 @@ declare(strict_types=1);

 namespace App\Models;

+use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Concerns\HasUlids;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -46,4 +47,15 @@ final class UserInvitation extends Model
    {
        return $this->belongsTo(Event::class);
    }
+
+    public function scopePending(Builder $query): Builder
+    {
+        return $query->where('status', 'pending');
+    }
+
+    public function scopeExpired(Builder $query): Builder
+    {
+        return $query->where('status', 'expired')
+            ->orWhere(fn (Builder $q) => $q->where('status', 'pending')->where('expires_at', '<', now()));
+    }
 }
--- a/api/app/Policies/EventPolicy.php
+++ b/api/app/Policies/EventPolicy.php
@@ -16,8 +16,12 @@ final class EventPolicy
            || $organisation->users()->where('user_id', $user->id)->exists();
    }

-    public function view(User $user, Event $event): bool
+    public function view(User $user, Event $event, ?Organisation $organisation = null): bool
    {
+        if ($organisation && $event->organisation_id !== $organisation->id) {
+            return false;
+        }
+
        return $user->hasRole('super_admin')
            || $event->organisation->users()->where('user_id', $user->id)->exists();
    }
@@ -30,19 +34,34 @@ final class EventPolicy

        return $organisation->users()
            ->where('user_id', $user->id)
-            ->wherePivotIn('role', ['org_admin', 'org_member'])
+            ->wherePivot('role', 'org_admin')
            ->exists();
    }

-    public function update(User $user, Event $event): bool
+    public function update(User $user, Event $event, ?Organisation $organisation = null): bool
    {
+        if ($organisation && $event->organisation_id !== $organisation->id) {
+            return false;
+        }
+
        if ($user->hasRole('super_admin')) {
            return true;
        }

-        return $event->organisation->users()
+        // org_admin at organisation level
+        $isOrgAdmin = $event->organisation->users()
            ->where('user_id', $user->id)
-            ->wherePivotIn('role', ['org_admin', 'org_member'])
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+
+        if ($isOrgAdmin) {
+            return true;
+        }
+
+        // event_manager at event level
+        return $event->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'event_manager')
            ->exists();
    }
 }