feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend: - Consolidate duplicate API layers into single src/lib/axios.ts per app - Remove src/lib/api-client.ts and src/utils/api.ts (admin) - Add src/lib/query-client.ts with TanStack Query config per app - Update all imports and auto-import config Backend: - Fix organisations.billing_status default to 'trial' - Fix user_invitations.invited_by_user_id to nullOnDelete - Add MeResource with separated app_roles and pivot-based org roles - Add cross-org check to EventPolicy view() and update() - Restrict EventPolicy create/update to org_admin/event_manager (not org_member) - Attach creator as org_admin on organisation store - Add query scopes to Event and UserInvitation models - Improve factories with Dutch test data - Expand test suite from 29 to 41 tests (90 assertions) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
--- a/api/app/Policies/EventPolicy.php
+++ b/api/app/Policies/EventPolicy.php
@@ -16,8 +16,12 @@ final class EventPolicy
            || $organisation->users()->where('user_id', $user->id)->exists();
    }

-    public function view(User $user, Event $event): bool
+    public function view(User $user, Event $event, ?Organisation $organisation = null): bool
    {
+        if ($organisation && $event->organisation_id !== $organisation->id) {
+            return false;
+        }
+
        return $user->hasRole('super_admin')
            || $event->organisation->users()->where('user_id', $user->id)->exists();
    }
@@ -30,19 +34,34 @@ final class EventPolicy

        return $organisation->users()
            ->where('user_id', $user->id)
-            ->wherePivotIn('role', ['org_admin', 'org_member'])
+            ->wherePivot('role', 'org_admin')
            ->exists();
    }

-    public function update(User $user, Event $event): bool
+    public function update(User $user, Event $event, ?Organisation $organisation = null): bool
    {
+        if ($organisation && $event->organisation_id !== $organisation->id) {
+            return false;
+        }
+
        if ($user->hasRole('super_admin')) {
            return true;
        }

-        return $event->organisation->users()
+        // org_admin at organisation level
+        $isOrgAdmin = $event->organisation->users()
            ->where('user_id', $user->id)
-            ->wherePivotIn('role', ['org_admin', 'org_member'])
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+
+        if ($isOrgAdmin) {
+            return true;
+        }
+
+        // event_manager at event level
+        return $event->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'event_manager')
            ->exists();
    }
 }