bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Browse Source 
Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
api/tests/Feature/Auth/MeTest.php
View File

@@ -6,6 +6,7 @@ namespace Tests\Feature\Auth;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
@@ -14,6 +15,12 @@ class MeTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
}
public function test_authenticated_user_can_get_profile(): void
{
$user = User::factory()->create();
@@ -29,13 +36,27 @@ class MeTest extends TestCase
'success',
'data' => [
'id', 'name', 'email', 'timezone', 'locale',
'organisations',
'organisations', 'app_roles', 'permissions',
],
]);
$this->assertCount(1, $response->json('data.organisations'));
}
public function test_me_returns_app_roles_and_permissions(): void
{
$user = User::factory()->create();
$user->assignRole('super_admin');
Sanctum::actingAs($user);
$response = $this->getJson('/api/v1/auth/me');
$response->assertOk();
$this->assertContains('super_admin', $response->json('data.app_roles'));
$this->assertIsArray($response->json('data.permissions'));
}
public function test_unauthenticated_user_cannot_get_profile(): void
{
$response = $this->getJson('/api/v1/auth/me');

106
api/tests/Feature/Event/EventTest.php
View File

@@ -18,6 +18,7 @@ class EventTest extends TestCase
private User $admin;
private User $orgAdmin;
private User $orgMember;
private User $outsider;
private Organisation $organisation;
@@ -34,6 +35,9 @@ class EventTest extends TestCase
$this->orgAdmin = User::factory()->create();
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->orgMember = User::factory()->create();
$this->organisation->users()->attach($this->orgMember, ['role' => 'org_member']);
$this->outsider = User::factory()->create();
}
@@ -51,6 +55,18 @@ class EventTest extends TestCase
$this->assertCount(3, $response->json('data'));
}
public function test_org_member_can_list_events(): void
{
Event::factory()->count(2)->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
$response->assertOk();
$this->assertCount(2, $response->json('data'));
}
public function test_outsider_cannot_list_events(): void
{
Sanctum::actingAs($this->outsider);
@@ -114,6 +130,20 @@ class EventTest extends TestCase
]);
}
public function test_org_member_cannot_create_event(): void
{
Sanctum::actingAs($this->orgMember);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Member Event',
'slug' => 'member-event',
'start_date' => '2026-07-01',
'end_date' => '2026-07-03',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_create_event(): void
{
Sanctum::actingAs($this->outsider);
@@ -140,6 +170,21 @@ class EventTest extends TestCase
$response->assertUnauthorized();
}
public function test_store_with_end_date_before_start_date_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Bad Dates',
'slug' => 'bad-dates',
'start_date' => '2026-07-05',
'end_date' => '2026-07-01',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors(['end_date']);
}
// --- UPDATE ---
public function test_org_admin_can_update_event(): void
@@ -156,6 +201,36 @@ class EventTest extends TestCase
->assertJson(['data' => ['name' => 'Updated Festival']]);
}
public function test_event_manager_can_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$eventManager = User::factory()->create();
$this->organisation->users()->attach($eventManager, ['role' => 'org_member']);
$event->users()->attach($eventManager, ['role' => 'event_manager']);
Sanctum::actingAs($eventManager);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Manager Updated',
]);
$response->assertOk()
->assertJson(['data' => ['name' => 'Manager Updated']]);
}
public function test_org_member_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Hacked',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
@@ -171,7 +246,7 @@ class EventTest extends TestCase
// --- CROSS-ORG ---
public function test_event_from_other_org_returns_404(): void
public function test_show_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
@@ -180,6 +255,33 @@ class EventTest extends TestCase
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
$response->assertNotFound();
$response->assertForbidden();
}
public function test_update_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
Sanctum::actingAs($this->admin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Cross-org hack',
]);
$response->assertForbidden();
}
// --- UNAUTHENTICATED ---
public function test_unauthenticated_user_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Anon Update',
]);
$response->assertUnauthorized();
}
}

68
api/tests/Feature/Organisation/OrganisationTest.php
View File

@@ -41,7 +41,7 @@ class OrganisationTest extends TestCase
{
$user = User::factory()->create();
$ownOrg = Organisation::factory()->create();
$otherOrg = Organisation::factory()->create();
Organisation::factory()->create(); // other org
$ownOrg->users()->attach($user, ['role' => 'org_member']);
@@ -109,6 +109,28 @@ class OrganisationTest extends TestCase
$this->assertDatabaseHas('organisations', ['slug' => 'test-org']);
}
public function test_store_attaches_creator_as_org_admin(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', [
'name' => 'New Org',
'slug' => 'new-org',
]);
$response->assertCreated();
$org = Organisation::where('slug', 'new-org')->first();
$this->assertDatabaseHas('organisation_user', [
'user_id' => $admin->id,
'organisation_id' => $org->id,
'role' => 'org_admin',
]);
}
public function test_non_admin_cannot_create_organisation(): void
{
$user = User::factory()->create();
@@ -123,6 +145,36 @@ class OrganisationTest extends TestCase
$response->assertForbidden();
}
public function test_store_with_invalid_data_returns_422(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', []);
$response->assertUnprocessable()
->assertJsonValidationErrors(['name', 'slug']);
}
public function test_store_with_duplicate_slug_returns_422(): void
{
$admin = User::factory()->create();
$admin->assignRole('super_admin');
Organisation::factory()->create(['slug' => 'taken-slug']);
Sanctum::actingAs($admin);
$response = $this->postJson('/api/v1/organisations', [
'name' => 'New Org',
'slug' => 'taken-slug',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors(['slug']);
}
// --- UPDATE ---
public function test_org_admin_can_update_organisation(): void
@@ -155,4 +207,18 @@ class OrganisationTest extends TestCase
$response->assertForbidden();
}
public function test_non_member_cannot_update_organisation(): void
{
$user = User::factory()->create();
$org = Organisation::factory()->create();
Sanctum::actingAs($user);
$response = $this->putJson("/api/v1/organisations/{$org->id}", [
'name' => 'Hacked Name',
]);
$response->assertForbidden();
}
}