bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Browse Source 
Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-07 17:35:34 +02:00
parent 611c311854
commit 0d24506c89
36 changed files with 454 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
api/tests/Feature/Event/EventTest.php
View File

@@ -18,6 +18,7 @@ class EventTest extends TestCase
private User $admin;
private User $orgAdmin;
private User $orgMember;
private User $outsider;
private Organisation $organisation;
@@ -34,6 +35,9 @@ class EventTest extends TestCase
$this->orgAdmin = User::factory()->create();
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->orgMember = User::factory()->create();
$this->organisation->users()->attach($this->orgMember, ['role' => 'org_member']);
$this->outsider = User::factory()->create();
}
@@ -51,6 +55,18 @@ class EventTest extends TestCase
$this->assertCount(3, $response->json('data'));
}
public function test_org_member_can_list_events(): void
{
Event::factory()->count(2)->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
$response->assertOk();
$this->assertCount(2, $response->json('data'));
}
public function test_outsider_cannot_list_events(): void
{
Sanctum::actingAs($this->outsider);
@@ -114,6 +130,20 @@ class EventTest extends TestCase
]);
}
public function test_org_member_cannot_create_event(): void
{
Sanctum::actingAs($this->orgMember);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Member Event',
'slug' => 'member-event',
'start_date' => '2026-07-01',
'end_date' => '2026-07-03',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_create_event(): void
{
Sanctum::actingAs($this->outsider);
@@ -140,6 +170,21 @@ class EventTest extends TestCase
$response->assertUnauthorized();
}
public function test_store_with_end_date_before_start_date_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
'name' => 'Bad Dates',
'slug' => 'bad-dates',
'start_date' => '2026-07-05',
'end_date' => '2026-07-01',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors(['end_date']);
}
// --- UPDATE ---
public function test_org_admin_can_update_event(): void
@@ -156,6 +201,36 @@ class EventTest extends TestCase
->assertJson(['data' => ['name' => 'Updated Festival']]);
}
public function test_event_manager_can_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$eventManager = User::factory()->create();
$this->organisation->users()->attach($eventManager, ['role' => 'org_member']);
$event->users()->attach($eventManager, ['role' => 'event_manager']);
Sanctum::actingAs($eventManager);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Manager Updated',
]);
$response->assertOk()
->assertJson(['data' => ['name' => 'Manager Updated']]);
}
public function test_org_member_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
Sanctum::actingAs($this->orgMember);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Hacked',
]);
$response->assertForbidden();
}
public function test_outsider_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
@@ -171,7 +246,7 @@ class EventTest extends TestCase
// --- CROSS-ORG ---
public function test_event_from_other_org_returns_404(): void
public function test_show_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
@@ -180,6 +255,33 @@ class EventTest extends TestCase
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
$response->assertNotFound();
$response->assertForbidden();
}
public function test_update_event_from_other_org_is_blocked(): void
{
$otherOrg = Organisation::factory()->create();
$event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
Sanctum::actingAs($this->admin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Cross-org hack',
]);
$response->assertForbidden();
}
// --- UNAUTHENTICATED ---
public function test_unauthenticated_user_cannot_update_event(): void
{
$event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
'name' => 'Anon Update',
]);
$response->assertUnauthorized();
}
}