bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Browse Source 
Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
api/app/Models/Scopes/OrganisationScope.php
View File

@@ -9,19 +9,32 @@ use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
/**
* Explicit organisation filter for queries ({@see Builder::withGlobalScope()}).
* Event data is currently scoped via the {@see Organisation} relationship and policies;
* when you add child models (persons, shifts, ), consider a global scope driven by
* the authenticated users active organisation (see `.cursor/rules/102_multi_tenancy.mdc`).
* Global scope that filters event-related models by organisation_id.
*
* Resolves the organisation from (in order):
* 1. An explicitly provided organisation ID (constructor)
* 2. The route parameter 'organisation'
*
* IMPORTANT: This scope is route-dependent it only works when the
* 'organisation' parameter is present in the URL (e.g. /organisations/{organisation}/events).
* Routes without an organisation segment (e.g. GET /events/{event}) will NOT be scoped,
* silently bypassing multi-tenancy. All new routes that touch organisation-owned
* data MUST be nested under /organisations/{organisation}/... to guarantee scoping.
*/
final class OrganisationScope implements Scope
{
public function __construct(
private readonly string $organisationId,
private readonly ?string $organisationId = null,
) {}
public function apply(Builder $builder, Model $model): void
{
$builder->where($model->getTable() . '.organisation_id', $this->organisationId);
$id = $this->organisationId
?? request()->route('organisation')?->id
?? (is_string(request()->route('organisation')) ? request()->route('organisation') : null);
if ($id) {
$builder->where($model->getTable() . '.organisation_id', $id);
}
}
}