fix(form-builder): explicit OrganisationScope bypass on every public-form query
Five models that the public form endpoints touch carry a global
OrganisationScope: FormSchema, Event, TimeSlot, FestivalSection,
PersonTag. The initial S2c implementation relied on the scope no-opping
because /public/forms/* has no `{organisation}` route parameter and
OrganisationScope::resolveOrganisationId returns null in that case.
That's accidentally-correct. Any middleware that sets an implicit org
context later (route model binding for platform admin, impersonation,
default-org fallback on an authed Sanctum session) would start
filtering public schema resolution by the wrong org.
- PublicFormTokenResolver: both FormSchema::query() calls now pass
withoutGlobalScope(OrganisationScope::class). public_token is
globally unique so this is safe.
- PublicFormController::timeSlots() / sections() / festivalEventIds():
Event, TimeSlot, FestivalSection queries all explicit now, including
the eager-loaded event relation on time-slots.
- PublicFormController::ownerEvent(): narrowed from
Event::withoutGlobalScopes() to withoutGlobalScope(OrganisationScope)
so future scopes (soft-delete, archived) aren't accidentally
stripped.
- PublicFormSchemaResource::availableTagsByCategory: same narrowing on
the PersonTag query.
PublicFormCrossOrgScopeTest pins the expectation — 4 cases hit every
public endpoint under a stashed foreign-org route parameter and assert
the owner-org data still surfaces. Verified the tests fail when the
fix is reverted (all 4 return `SCHEMA_NOT_FOUND` with the bypass
absent).
Full suite 893 → 897 green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,6 +7,7 @@ namespace App\Services\FormBuilder;
|
||||
use App\Exceptions\FormBuilder\SchemaNotFoundException;
|
||||
use App\Exceptions\FormBuilder\TokenExpiredException;
|
||||
use App\Models\FormBuilder\FormSchema;
|
||||
use App\Models\Scopes\OrganisationScope;
|
||||
|
||||
/**
|
||||
* Token-to-schema resolution for every /public/forms/* endpoint.
|
||||
@@ -15,6 +16,13 @@ use App\Models\FormBuilder\FormSchema;
|
||||
*
|
||||
* Throws the standardised public-form exceptions directly so callers
|
||||
* don't need to branch on grace state themselves.
|
||||
*
|
||||
* Org scope is explicitly bypassed here: public_token is globally unique
|
||||
* across the platform, and the public routes have no `{organisation}`
|
||||
* route parameter to drive OrganisationScope. Relying on the scope to
|
||||
* no-op silently works today but is accidentally-correct — any future
|
||||
* middleware that sets an org context (impersonation, platform admin
|
||||
* visibility toggle, etc.) would start filtering public resolutions.
|
||||
*/
|
||||
final class PublicFormTokenResolver
|
||||
{
|
||||
@@ -23,6 +31,7 @@ final class PublicFormTokenResolver
|
||||
public function resolve(string $token): FormSchema
|
||||
{
|
||||
$current = FormSchema::query()
|
||||
->withoutGlobalScope(OrganisationScope::class)
|
||||
->where('public_token', $token)
|
||||
->first();
|
||||
if ($current !== null) {
|
||||
@@ -30,6 +39,7 @@ final class PublicFormTokenResolver
|
||||
}
|
||||
|
||||
$previous = FormSchema::query()
|
||||
->withoutGlobalScope(OrganisationScope::class)
|
||||
->where('public_token_previous', $token)
|
||||
->first();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user