feat: consolidate frontend API layer, add query-client, and harden backend Fase 1
Frontend: - Consolidate duplicate API layers into single src/lib/axios.ts per app - Remove src/lib/api-client.ts and src/utils/api.ts (admin) - Add src/lib/query-client.ts with TanStack Query config per app - Update all imports and auto-import config Backend: - Fix organisations.billing_status default to 'trial' - Fix user_invitations.invited_by_user_id to nullOnDelete - Add MeResource with separated app_roles and pivot-based org roles - Add cross-org check to EventPolicy view() and update() - Restrict EventPolicy create/update to org_admin/event_manager (not org_member) - Attach creator as org_admin on organisation store - Add query scopes to Event and UserInvitation models - Improve factories with Dutch test data - Expand test suite from 29 to 41 tests (90 assertions) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -29,9 +29,7 @@ final class EventController extends Controller
|
||||
|
||||
public function show(Organisation $organisation, Event $event): JsonResponse
|
||||
{
|
||||
Gate::authorize('view', $event);
|
||||
|
||||
abort_unless($event->organisation_id === $organisation->id, 404);
|
||||
Gate::authorize('view', [$event, $organisation]);
|
||||
|
||||
return $this->success(new EventResource($event->load('organisation')));
|
||||
}
|
||||
@@ -47,9 +45,7 @@ final class EventController extends Controller
|
||||
|
||||
public function update(UpdateEventRequest $request, Organisation $organisation, Event $event): JsonResponse
|
||||
{
|
||||
Gate::authorize('update', $event);
|
||||
|
||||
abort_unless($event->organisation_id === $organisation->id, 404);
|
||||
Gate::authorize('update', [$event, $organisation]);
|
||||
|
||||
$event->update($request->validated());
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ declare(strict_types=1);
|
||||
namespace App\Http\Controllers\Api\V1;
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Resources\Api\V1\UserResource;
|
||||
use App\Http\Resources\Api\V1\MeResource;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
@@ -13,8 +13,8 @@ final class MeController extends Controller
|
||||
{
|
||||
public function __invoke(Request $request): JsonResponse
|
||||
{
|
||||
$user = $request->user()->load(['organisations', 'events']);
|
||||
$user = $request->user()->load(['organisations', 'roles', 'permissions']);
|
||||
|
||||
return $this->success(new UserResource($user));
|
||||
return $this->success(new MeResource($user));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -41,6 +41,8 @@ final class OrganisationController extends Controller
|
||||
|
||||
$organisation = Organisation::create($request->validated());
|
||||
|
||||
$organisation->users()->attach(auth()->id(), ['role' => 'org_admin']);
|
||||
|
||||
return $this->created(new OrganisationResource($organisation));
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ final class StoreOrganisationRequest extends FormRequest
|
||||
return [
|
||||
'name' => ['required', 'string', 'max:255'],
|
||||
'slug' => ['required', 'string', 'max:255', 'unique:organisations,slug', 'regex:/^[a-z0-9-]+$/'],
|
||||
'billing_status' => ['sometimes', 'string', 'in:active,trial,suspended'],
|
||||
'billing_status' => ['sometimes', 'string', 'in:trial,active,suspended,cancelled'],
|
||||
'settings' => ['sometimes', 'array'],
|
||||
];
|
||||
}
|
||||
|
||||
34
api/app/Http/Resources/Api/V1/MeResource.php
Normal file
34
api/app/Http/Resources/Api/V1/MeResource.php
Normal file
@@ -0,0 +1,34 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Http\Resources\Api\V1;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Http\Resources\Json\JsonResource;
|
||||
|
||||
final class MeResource extends JsonResource
|
||||
{
|
||||
public function toArray(Request $request): array
|
||||
{
|
||||
return [
|
||||
'id' => $this->id,
|
||||
'name' => $this->name,
|
||||
'email' => $this->email,
|
||||
'timezone' => $this->timezone,
|
||||
'locale' => $this->locale,
|
||||
'avatar' => $this->avatar,
|
||||
'email_verified_at' => $this->email_verified_at?->toIso8601String(),
|
||||
'organisations' => $this->whenLoaded('organisations', fn () =>
|
||||
$this->organisations->map(fn ($org) => [
|
||||
'id' => $org->id,
|
||||
'name' => $org->name,
|
||||
'slug' => $org->slug,
|
||||
'role' => $org->pivot->role,
|
||||
])
|
||||
),
|
||||
'app_roles' => $this->getRoleNames()->values()->all(),
|
||||
'permissions' => $this->getAllPermissions()->pluck('name')->values()->all(),
|
||||
];
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user