bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: A01-13 — nest all event routes under organisation prefix

Browse Source 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
api/app/Http/Controllers/Api/V1/CrowdListController.php
View File

@@ -5,12 +5,14 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\AddPersonToCrowdListRequest;
use App\Http\Requests\Api\V1\StoreCrowdListRequest;
use App\Http\Requests\Api\V1\UpdateCrowdListRequest;
use App\Http\Resources\Api\V1\CrowdListResource;
use App\Models\CrowdList;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Services\CrowdListService;
use App\Http\Resources\Api\V1\PersonResource;
@@ -20,12 +22,15 @@ use Illuminate\Support\Facades\Gate;
final class CrowdListController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly CrowdListService $crowdListService,
) {}
public function index(Event $event): AnonymousResourceCollection
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [CrowdList::class, $event]);
$crowdLists = $event->crowdLists()
@@ -36,8 +41,9 @@ final class CrowdListController extends Controller
return CrowdListResource::collection($crowdLists);
}
public function store(StoreCrowdListRequest $request, Event $event): JsonResponse
public function store(StoreCrowdListRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [CrowdList::class, $event]);
$crowdList = $this->crowdListService->create($event, $request->validated(), $request->user());
@@ -45,8 +51,9 @@ final class CrowdListController extends Controller
return $this->created(new CrowdListResource($crowdList->loadCount('persons')));
}
public function update(UpdateCrowdListRequest $request, Event $event, CrowdList $crowdList): JsonResponse
public function update(UpdateCrowdListRequest $request, Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$crowdList, $event]);
$crowdList = $this->crowdListService->update($crowdList, $request->validated(), $request->user());
@@ -54,8 +61,9 @@ final class CrowdListController extends Controller
return $this->success(new CrowdListResource($crowdList->loadCount('persons')));
}
public function destroy(Event $event, CrowdList $crowdList): JsonResponse
public function destroy(Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$crowdList, $event]);
$this->crowdListService->delete($crowdList, request()->user());
@@ -63,8 +71,9 @@ final class CrowdListController extends Controller
return response()->json(null, 204);
}
public function persons(Event $event, CrowdList $crowdList): AnonymousResourceCollection
public function persons(Organisation $organisation, Event $event, CrowdList $crowdList): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewPersons', [$crowdList, $event]);
$persons = $crowdList->persons()
@@ -74,8 +83,9 @@ final class CrowdListController extends Controller
return PersonResource::collection($persons);
}
public function addPerson(AddPersonToCrowdListRequest $request, Event $event, CrowdList $crowdList): JsonResponse
public function addPerson(AddPersonToCrowdListRequest $request, Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('managePerson', [$crowdList, $event]);
$festivalEventId = $event->parent_event_id ?? $event->id;
@@ -86,8 +96,9 @@ final class CrowdListController extends Controller
return $this->success(new CrowdListResource($crowdList->fresh()->loadCount('persons')));
}
public function removePerson(Event $event, CrowdList $crowdList, Person $person): JsonResponse
public function removePerson(Organisation $organisation, Event $event, CrowdList $crowdList, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('managePerson', [$crowdList, $event]);
$this->crowdListService->removePerson($crowdList, $person, request()->user());

7
api/app/Http/Controllers/Api/V1/EventController.php
View File

@@ -146,9 +146,12 @@ final class EventController extends Controller
return response()->json(['url' => $event->fresh()->{$field}]);
}
public function stats(Event $event): JsonResponse
public function stats(Organisation $organisation, Event $event): JsonResponse
{
Gate::authorize('view', $event);
if ($event->organisation_id !== $organisation->id) {
abort(404);
}
Gate::authorize('view', [$event, $organisation]);
$personCounts = $event->persons()
->selectRaw("

27
api/app/Http/Controllers/Api/V1/FestivalSectionController.php
View File

@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\ReorderFestivalSectionsRequest;
use App\Http\Requests\Api\V1\StoreFestivalSectionRequest;
use App\Http\Requests\Api\V1\UpdateFestivalSectionRequest;
@@ -12,14 +13,18 @@ use App\Http\Requests\Api\V1\UpdateRegistrationSettingsRequest;
use App\Http\Resources\Api\V1\FestivalSectionResource;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
use Illuminate\Support\Facades\Gate;
final class FestivalSectionController extends Controller
{
public function index(Event $event): AnonymousResourceCollection
use VerifiesOrganisationEvent;
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [FestivalSection::class, $event]);
$sections = $event->festivalSections()->ordered()->get();
@@ -38,8 +43,9 @@ final class FestivalSectionController extends Controller
return FestivalSectionResource::collection($sections);
}
public function store(StoreFestivalSectionRequest $request, Event $event): JsonResponse
public function store(StoreFestivalSectionRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [FestivalSection::class, $event]);
$data = $request->validated();
@@ -77,8 +83,9 @@ final class FestivalSectionController extends Controller
return $response;
}
public function update(UpdateFestivalSectionRequest $request, Event $event, FestivalSection $section): JsonResponse
public function update(UpdateFestivalSectionRequest $request, Organisation $organisation, Event $event, FestivalSection $section): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$section, $event]);
$section->update($request->validated());
@@ -86,8 +93,9 @@ final class FestivalSectionController extends Controller
return $this->success(new FestivalSectionResource($section->fresh()));
}
public function destroy(Event $event, FestivalSection $section): JsonResponse
public function destroy(Organisation $organisation, Event $event, FestivalSection $section): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$section, $event]);
$section->delete();
@@ -95,8 +103,9 @@ final class FestivalSectionController extends Controller
return response()->json(null, 204);
}
public function registrationSettings(Event $event): JsonResponse
public function registrationSettings(Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [FestivalSection::class, $event]);
$sections = $this->getFestivalSections($event);
@@ -118,8 +127,9 @@ final class FestivalSectionController extends Controller
return response()->json(['data' => $grouped]);
}
public function updateRegistrationSettings(UpdateRegistrationSettingsRequest $request, Event $event): JsonResponse
public function updateRegistrationSettings(UpdateRegistrationSettingsRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [FestivalSection::class, $event]);
$validated = $request->validated();
@@ -148,7 +158,7 @@ final class FestivalSectionController extends Controller
->log('section.registration_settings_updated');
// Return updated settings
return $this->registrationSettings($event);
return $this->registrationSettings($organisation, $event);
}
/**
@@ -171,8 +181,9 @@ final class FestivalSectionController extends Controller
return FestivalSection::whereIn('event_id', $eventIds)->ordered()->get();
}
public function reorder(ReorderFestivalSectionsRequest $request, Event $event): JsonResponse
public function reorder(ReorderFestivalSectionsRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('reorder', [FestivalSection::class, $event]);
foreach ($request->validated('sections') as $index => $id) {

16
api/app/Http/Controllers/Api/V1/LocationController.php
View File

@@ -5,19 +5,24 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\StoreLocationRequest;
use App\Http\Requests\Api\V1\UpdateLocationRequest;
use App\Http\Resources\Api\V1\LocationResource;
use App\Models\Event;
use App\Models\Location;
use App\Models\Organisation;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
use Illuminate\Support\Facades\Gate;
final class LocationController extends Controller
{
public function index(Event $event): AnonymousResourceCollection
use VerifiesOrganisationEvent;
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [Location::class, $event]);
$locations = $event->locations()->orderBy('name')->get();
@@ -25,8 +30,9 @@ final class LocationController extends Controller
return LocationResource::collection($locations);
}
public function store(StoreLocationRequest $request, Event $event): JsonResponse
public function store(StoreLocationRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [Location::class, $event]);
$location = $event->locations()->create($request->validated());
@@ -34,8 +40,9 @@ final class LocationController extends Controller
return $this->created(new LocationResource($location));
}
public function update(UpdateLocationRequest $request, Event $event, Location $location): JsonResponse
public function update(UpdateLocationRequest $request, Organisation $organisation, Event $event, Location $location): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$location, $event]);
$location->update($request->validated());
@@ -43,8 +50,9 @@ final class LocationController extends Controller
return $this->success(new LocationResource($location->fresh()));
}
public function destroy(Event $event, Location $location): JsonResponse
public function destroy(Organisation $organisation, Event $event, Location $location): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$location, $event]);
$location->delete();

25
api/app/Http/Controllers/Api/V1/PersonController.php
View File

@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\StorePersonRequest;
use App\Http\Requests\Api\V1\UpdatePersonRequest;
use App\Http\Resources\Api\V1\PersonCollection;
@@ -12,6 +13,7 @@ use App\Http\Resources\Api\V1\PersonResource;
use App\Mail\RegistrationApprovedMail;
use App\Mail\RegistrationRejectedMail;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Services\PersonIdentityService;
use App\Services\TagSyncService;
@@ -22,13 +24,16 @@ use Illuminate\Support\Facades\Mail;
final class PersonController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly PersonIdentityService $identityService,
private readonly TagSyncService $tagSyncService,
) {}
public function index(Request $request, Event $event): PersonCollection
public function index(Request $request, Organisation $organisation, Event $event): PersonCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [Person::class, $event]);
$query = $event->persons()->with(['crowdType', 'pendingIdentityMatch.matchedUser']);
@@ -67,8 +72,9 @@ final class PersonController extends Controller
return new PersonCollection($query->get());
}
public function show(Event $event, Person $person): JsonResponse
public function show(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('view', [$person, $event]);
$person->load(['crowdType', 'company', 'user']);
@@ -76,8 +82,9 @@ final class PersonController extends Controller
return $this->success(new PersonResource($person));
}
public function store(StorePersonRequest $request, Event $event): JsonResponse
public function store(StorePersonRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [Person::class, $event]);
$person = $event->persons()->create($request->validated());
@@ -87,8 +94,9 @@ final class PersonController extends Controller
return $this->created(new PersonResource($person->fresh()->load('crowdType')));
}
public function update(UpdatePersonRequest $request, Event $event, Person $person): JsonResponse
public function update(UpdatePersonRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$person, $event]);
$person->update($request->validated());
@@ -97,8 +105,9 @@ final class PersonController extends Controller
return $this->success(new PersonResource($person->fresh()->load(['crowdType', 'company'])));
}
public function destroy(Event $event, Person $person): JsonResponse
public function destroy(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$person, $event]);
$person->delete();
@@ -106,8 +115,9 @@ final class PersonController extends Controller
return response()->json(null, 204);
}
public function approve(Event $event, Person $person): JsonResponse
public function approve(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('approve', [$person, $event]);
$person->update(['status' => 'approved']);
@@ -121,8 +131,9 @@ final class PersonController extends Controller
return $this->success(new PersonResource($person->fresh()->load('crowdType')));
}
public function reject(Request $request, Event $event, Person $person): JsonResponse
public function reject(Request $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('approve', [$person, $event]);
$person->update(['status' => 'rejected']);

10
api/app/Http/Controllers/Api/V1/PersonFieldValueController.php
View File

@@ -5,9 +5,11 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\UpsertPersonFieldValuesRequest;
use App\Http\Resources\Api\V1\PersonFieldValueResource;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Services\RegistrationFormFieldService;
use Illuminate\Http\JsonResponse;
@@ -16,12 +18,15 @@ use Illuminate\Support\Facades\Gate;
final class PersonFieldValueController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly RegistrationFormFieldService $service,
) {}
public function index(Event $event, Person $person): AnonymousResourceCollection
public function index(Organisation $organisation, Event $event, Person $person): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('view', [$person, $event]);
$values = $this->service->getPersonValues($person);
@@ -29,8 +34,9 @@ final class PersonFieldValueController extends Controller
return PersonFieldValueResource::collection($values);
}
public function upsert(UpsertPersonFieldValuesRequest $request, Event $event, Person $person): JsonResponse
public function upsert(UpsertPersonFieldValuesRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$person, $event]);
$this->service->upsertPersonValues($person, $request->validated()['values']);

10
api/app/Http/Controllers/Api/V1/PersonSectionPreferenceController.php
View File

@@ -5,9 +5,11 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\ReplacePersonSectionPreferencesRequest;
use App\Http\Resources\Api\V1\PersonSectionPreferenceResource;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Services\PersonSectionPreferenceService;
use Illuminate\Http\JsonResponse;
@@ -16,12 +18,15 @@ use Illuminate\Support\Facades\Gate;
final class PersonSectionPreferenceController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly PersonSectionPreferenceService $service,
) {}
public function index(Event $event, Person $person): AnonymousResourceCollection
public function index(Organisation $organisation, Event $event, Person $person): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('view', [$person, $event]);
$preferences = $this->service->getPreferences($person);
@@ -29,8 +34,9 @@ final class PersonSectionPreferenceController extends Controller
return PersonSectionPreferenceResource::collection($preferences);
}
public function replace(ReplacePersonSectionPreferencesRequest $request, Event $event, Person $person): JsonResponse
public function replace(ReplacePersonSectionPreferencesRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$person, $event]);
$this->service->replacePreferences($person, $request->validated()['preferences']);

23
api/app/Http/Controllers/Api/V1/RegistrationFormFieldController.php
View File

@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\ImportFromEventRequest;
use App\Http\Requests\Api\V1\ReorderRegistrationFormFieldsRequest;
use App\Http\Requests\Api\V1\StoreRegistrationFormFieldRequest;
@@ -23,13 +24,16 @@ use Illuminate\Support\Facades\Gate;
final class RegistrationFormFieldController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly RegistrationFormFieldService $service,
private readonly RegistrationFieldTemplateService $templateService,
) {}
public function index(Event $event): AnonymousResourceCollection
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [RegistrationFormField::class, $event]);
$fields = $this->service->listForEvent($event);
@@ -37,8 +41,9 @@ final class RegistrationFormFieldController extends Controller
return RegistrationFormFieldResource::collection($fields);
}
public function store(StoreRegistrationFormFieldRequest $request, Event $event): JsonResponse
public function store(StoreRegistrationFormFieldRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [RegistrationFormField::class, $event]);
$field = $this->service->createField($event, $request->validated());
@@ -48,9 +53,11 @@ final class RegistrationFormFieldController extends Controller
public function update(
UpdateRegistrationFormFieldRequest $request,
Organisation $organisation,
Event $event,
RegistrationFormField $registrationField,
): JsonResponse {
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$registrationField, $event]);
$field = $this->service->updateField($registrationField, $request->validated());
@@ -58,8 +65,9 @@ final class RegistrationFormFieldController extends Controller
return $this->success(new RegistrationFormFieldResource($field));
}
public function destroy(Event $event, RegistrationFormField $registrationField): JsonResponse
public function destroy(Organisation $organisation, Event $event, RegistrationFormField $registrationField): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$registrationField, $event]);
$this->service->deleteField($registrationField);
@@ -67,8 +75,9 @@ final class RegistrationFormFieldController extends Controller
return response()->json(null, 204);
}
public function reorder(ReorderRegistrationFormFieldsRequest $request, Event $event): JsonResponse
public function reorder(ReorderRegistrationFormFieldsRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('reorder', [RegistrationFormField::class, $event]);
$this->service->reorderFields($event, $request->validated()['ids']);
@@ -76,8 +85,9 @@ final class RegistrationFormFieldController extends Controller
return response()->json(null, 204);
}
public function fromTemplate(Request $request, Event $event): JsonResponse
public function fromTemplate(Request $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [RegistrationFormField::class, $event]);
$request->validate([
@@ -95,8 +105,9 @@ final class RegistrationFormFieldController extends Controller
return $this->created(new RegistrationFormFieldResource($field));
}
public function importFromEvent(ImportFromEventRequest $request, Event $event): JsonResponse
public function importFromEvent(ImportFromEventRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [RegistrationFormField::class, $event]);
$sourceEvent = Event::findOrFail($request->validated()['source_event_id']);

22
api/app/Http/Controllers/Api/V1/ShiftAssignmentController.php
View File

@@ -7,10 +7,12 @@ namespace App\Http\Controllers\Api\V1;
use App\Enums\PersonStatus;
use App\Enums\ShiftAssignmentStatus;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\BulkApproveShiftAssignmentRequest;
use App\Http\Requests\Api\V1\RejectShiftAssignmentRequest;
use App\Http\Resources\Api\V1\ShiftAssignmentResource;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\Shift;
use App\Models\ShiftAssignment;
@@ -24,12 +26,15 @@ use Illuminate\Support\Facades\Gate;
final class ShiftAssignmentController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly ShiftAssignmentService $service,
) {}
public function index(Request $request, Event $event): AnonymousResourceCollection
public function index(Request $request, Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [ShiftAssignment::class, $event]);
$query = ShiftAssignment::query()
@@ -60,8 +65,9 @@ final class ShiftAssignmentController extends Controller
return ShiftAssignmentResource::collection($assignments);
}
public function approve(Event $event, ShiftAssignment $shiftAssignment): JsonResponse
public function approve(Organisation $organisation, Event $event, ShiftAssignment $shiftAssignment): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('approve', [$shiftAssignment, $event]);
$shiftAssignment = $this->service->approve($shiftAssignment, request()->user());
@@ -69,8 +75,9 @@ final class ShiftAssignmentController extends Controller
return $this->success(new ShiftAssignmentResource($shiftAssignment->load(['person', 'shift.festivalSection', 'shift.timeSlot'])));
}
public function reject(RejectShiftAssignmentRequest $request, Event $event, ShiftAssignment $shiftAssignment): JsonResponse
public function reject(RejectShiftAssignmentRequest $request, Organisation $organisation, Event $event, ShiftAssignment $shiftAssignment): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('reject', [$shiftAssignment, $event]);
$shiftAssignment = $this->service->reject(
@@ -82,8 +89,9 @@ final class ShiftAssignmentController extends Controller
return $this->success(new ShiftAssignmentResource($shiftAssignment->load(['person', 'shift.festivalSection', 'shift.timeSlot'])));
}
public function cancel(Event $event, ShiftAssignment $shiftAssignment): JsonResponse
public function cancel(Organisation $organisation, Event $event, ShiftAssignment $shiftAssignment): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('cancel', [$shiftAssignment, $event]);
$shiftAssignment = $this->service->cancel($shiftAssignment, request()->user());
@@ -91,8 +99,9 @@ final class ShiftAssignmentController extends Controller
return $this->success(new ShiftAssignmentResource($shiftAssignment->load(['person', 'shift.festivalSection', 'shift.timeSlot'])));
}
public function bulkApprove(BulkApproveShiftAssignmentRequest $request, Event $event): JsonResponse
public function bulkApprove(BulkApproveShiftAssignmentRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('bulkApprove', [ShiftAssignment::class, $event]);
$assignments = ShiftAssignment::whereIn('id', $request->validated('assignment_ids'))
@@ -105,8 +114,9 @@ final class ShiftAssignmentController extends Controller
return $this->success($results);
}
public function assignablePersons(Event $event, Shift $shift): JsonResponse
public function assignablePersons(Organisation $organisation, Event $event, Shift $shift): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [ShiftAssignment::class, $event]);
$shift->load(['festivalSection', 'timeSlot']);

22
api/app/Http/Controllers/Api/V1/ShiftController.php
View File

@@ -6,6 +6,7 @@ namespace App\Http\Controllers\Api\V1;
use App\Enums\ShiftAssignmentStatus;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\AssignShiftRequest;
use App\Http\Requests\Api\V1\StoreShiftRequest;
use App\Http\Requests\Api\V1\UpdateShiftRequest;
@@ -13,6 +14,7 @@ use App\Http\Resources\Api\V1\ShiftAssignmentResource;
use App\Http\Resources\Api\V1\ShiftResource;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\Shift;
use App\Services\ShiftAssignmentService;
@@ -22,12 +24,15 @@ use Illuminate\Support\Facades\Gate;
final class ShiftController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly ShiftAssignmentService $shiftAssignmentService,
) {}
public function index(Event $event, FestivalSection $section): AnonymousResourceCollection
public function index(Organisation $organisation, Event $event, FestivalSection $section): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [Shift::class, $event]);
$shifts = $section->shifts()
@@ -38,8 +43,9 @@ final class ShiftController extends Controller
return ShiftResource::collection($shifts);
}
public function store(StoreShiftRequest $request, Event $event, FestivalSection $section): JsonResponse
public function store(StoreShiftRequest $request, Organisation $organisation, Event $event, FestivalSection $section): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [Shift::class, $event]);
$shift = $section->shifts()->create($request->validated());
@@ -48,8 +54,9 @@ final class ShiftController extends Controller
return $this->created(new ShiftResource($shift));
}
public function update(UpdateShiftRequest $request, Event $event, FestivalSection $section, Shift $shift): JsonResponse
public function update(UpdateShiftRequest $request, Organisation $organisation, Event $event, FestivalSection $section, Shift $shift): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$shift, $event, $section]);
$shift->update($request->validated());
@@ -58,8 +65,9 @@ final class ShiftController extends Controller
return $this->success(new ShiftResource($shift->fresh()->load(['timeSlot', 'location'])));
}
public function destroy(Event $event, FestivalSection $section, Shift $shift): JsonResponse
public function destroy(Organisation $organisation, Event $event, FestivalSection $section, Shift $shift): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$shift, $event, $section]);
$shift->delete();
@@ -67,8 +75,9 @@ final class ShiftController extends Controller
return response()->json(null, 204);
}
public function assign(AssignShiftRequest $request, Event $event, FestivalSection $section, Shift $shift): JsonResponse
public function assign(AssignShiftRequest $request, Organisation $organisation, Event $event, FestivalSection $section, Shift $shift): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('assign', [$shift, $event, $section]);
$festivalEventId = $event->parent_event_id ?? $event->id;
@@ -78,8 +87,9 @@ final class ShiftController extends Controller
return $this->created(new ShiftAssignmentResource($assignment));
}
public function claim(AssignShiftRequest $request, Event $event, FestivalSection $section, Shift $shift): JsonResponse
public function claim(AssignShiftRequest $request, Organisation $organisation, Event $event, FestivalSection $section, Shift $shift): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('claim', [$shift, $event, $section]);
$festivalEventId = $event->parent_event_id ?? $event->id;

16
api/app/Http/Controllers/Api/V1/TimeSlotController.php
View File

@@ -5,10 +5,12 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\StoreTimeSlotRequest;
use App\Http\Requests\Api\V1\UpdateTimeSlotRequest;
use App\Http\Resources\Api\V1\TimeSlotResource;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\TimeSlot;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
@@ -16,8 +18,11 @@ use Illuminate\Support\Facades\Gate;
final class TimeSlotController extends Controller
{
public function index(Event $event): AnonymousResourceCollection
use VerifiesOrganisationEvent;
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [TimeSlot::class, $event]);
$timeSlots = $event->timeSlots()
@@ -54,8 +59,9 @@ final class TimeSlotController extends Controller
return TimeSlotResource::collection($timeSlots);
}
public function store(StoreTimeSlotRequest $request, Event $event): JsonResponse
public function store(StoreTimeSlotRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [TimeSlot::class, $event]);
$timeSlot = $event->timeSlots()->create($request->validated());
@@ -63,8 +69,9 @@ final class TimeSlotController extends Controller
return $this->created(new TimeSlotResource($timeSlot));
}
public function update(UpdateTimeSlotRequest $request, Event $event, TimeSlot $timeSlot): JsonResponse
public function update(UpdateTimeSlotRequest $request, Organisation $organisation, Event $event, TimeSlot $timeSlot): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$timeSlot, $event]);
$timeSlot->update($request->validated());
@@ -72,8 +79,9 @@ final class TimeSlotController extends Controller
return $this->success(new TimeSlotResource($timeSlot->fresh()));
}
public function destroy(Event $event, TimeSlot $timeSlot): JsonResponse
public function destroy(Organisation $organisation, Event $event, TimeSlot $timeSlot): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$timeSlot, $event]);
$timeSlot->delete();

20
api/app/Http/Controllers/Api/V1/Traits/VerifiesOrganisationEvent.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1\Traits;
use App\Models\Event;
use App\Models\Organisation;
trait VerifiesOrganisationEvent
{
private function verifyEventBelongsToOrganisation(
Organisation $organisation,
Event $event,
): void {
if ($event->organisation_id !== $organisation->id) {
abort(404);
}
}
}

10
api/app/Http/Controllers/Api/V1/VolunteerAvailabilityController.php
View File

@@ -5,8 +5,10 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\SyncVolunteerAvailabilityRequest;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\TimeSlot;
use App\Models\VolunteerAvailability;
@@ -16,8 +18,11 @@ use Illuminate\Validation\ValidationException;
final class VolunteerAvailabilityController extends Controller
{
public function index(Event $event, Person $person): JsonResponse
use VerifiesOrganisationEvent;
public function index(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('view', [$person, $event]);
$availabilities = VolunteerAvailability::where('person_id', $person->id)
@@ -43,8 +48,9 @@ final class VolunteerAvailabilityController extends Controller
/**
* @throws ValidationException
*/
public function sync(SyncVolunteerAvailabilityRequest $request, Event $event, Person $person): JsonResponse
public function sync(SyncVolunteerAvailabilityRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$person, $event]);
$availabilities = $request->validated('availabilities');