security: A01-13 — nest all event routes under organisation prefix

Move all authenticated organiser-facing event sub-resource routes from /events/{event}/... to /organisations/{organisation}/events/{event}/... to enforce multi-tenancy at the routing layer. Changes: - Routes: restructured api.php to nest all event sub-resources under the existing organisation prefix group - Controllers: added Organisation parameter and VerifiesOrganisationEvent trait to all 12 affected controllers (sections, time-slots, shifts, persons, crowd-lists, locations, shift-assignments, registration-fields, availabilities, field-values, section-preferences, stats) - Tests: updated all 20 feature test files with new route paths - Frontend: updated 8 API composables and 20 Vue components/pages - API.md: updated documentation to reflect new route structure Portal routes, public routes (volunteer-register), and invitation routes remain unchanged as they operate without organisation context. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
--- a/api/app/Http/Controllers/Api/V1/CrowdListController.php
+++ b/api/app/Http/Controllers/Api/V1/CrowdListController.php
@@ -5,12 +5,14 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api\V1;

 use App\Http\Controllers\Controller;
+use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
 use App\Http\Requests\Api\V1\AddPersonToCrowdListRequest;
 use App\Http\Requests\Api\V1\StoreCrowdListRequest;
 use App\Http\Requests\Api\V1\UpdateCrowdListRequest;
 use App\Http\Resources\Api\V1\CrowdListResource;
 use App\Models\CrowdList;
 use App\Models\Event;
+use App\Models\Organisation;
 use App\Models\Person;
 use App\Services\CrowdListService;
 use App\Http\Resources\Api\V1\PersonResource;
@@ -20,12 +22,15 @@ use Illuminate\Support\Facades\Gate;

 final class CrowdListController extends Controller
 {
+    use VerifiesOrganisationEvent;
+
    public function __construct(
        private readonly CrowdListService $crowdListService,
    ) {}

-    public function index(Event $event): AnonymousResourceCollection
+    public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('viewAny', [CrowdList::class, $event]);

        $crowdLists = $event->crowdLists()
@@ -36,8 +41,9 @@ final class CrowdListController extends Controller
        return CrowdListResource::collection($crowdLists);
    }

-    public function store(StoreCrowdListRequest $request, Event $event): JsonResponse
+    public function store(StoreCrowdListRequest $request, Organisation $organisation, Event $event): JsonResponse
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('create', [CrowdList::class, $event]);

        $crowdList = $this->crowdListService->create($event, $request->validated(), $request->user());
@@ -45,8 +51,9 @@ final class CrowdListController extends Controller
        return $this->created(new CrowdListResource($crowdList->loadCount('persons')));
    }

-    public function update(UpdateCrowdListRequest $request, Event $event, CrowdList $crowdList): JsonResponse
+    public function update(UpdateCrowdListRequest $request, Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('update', [$crowdList, $event]);

        $crowdList = $this->crowdListService->update($crowdList, $request->validated(), $request->user());
@@ -54,8 +61,9 @@ final class CrowdListController extends Controller
        return $this->success(new CrowdListResource($crowdList->loadCount('persons')));
    }

-    public function destroy(Event $event, CrowdList $crowdList): JsonResponse
+    public function destroy(Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('delete', [$crowdList, $event]);

        $this->crowdListService->delete($crowdList, request()->user());
@@ -63,8 +71,9 @@ final class CrowdListController extends Controller
        return response()->json(null, 204);
    }

-    public function persons(Event $event, CrowdList $crowdList): AnonymousResourceCollection
+    public function persons(Organisation $organisation, Event $event, CrowdList $crowdList): AnonymousResourceCollection
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('viewPersons', [$crowdList, $event]);

        $persons = $crowdList->persons()
@@ -74,8 +83,9 @@ final class CrowdListController extends Controller
        return PersonResource::collection($persons);
    }

-    public function addPerson(AddPersonToCrowdListRequest $request, Event $event, CrowdList $crowdList): JsonResponse
+    public function addPerson(AddPersonToCrowdListRequest $request, Organisation $organisation, Event $event, CrowdList $crowdList): JsonResponse
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('managePerson', [$crowdList, $event]);

        $festivalEventId = $event->parent_event_id ?? $event->id;
@@ -86,8 +96,9 @@ final class CrowdListController extends Controller
        return $this->success(new CrowdListResource($crowdList->fresh()->loadCount('persons')));
    }

-    public function removePerson(Event $event, CrowdList $crowdList, Person $person): JsonResponse
+    public function removePerson(Organisation $organisation, Event $event, CrowdList $crowdList, Person $person): JsonResponse
    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
        Gate::authorize('managePerson', [$crowdList, $event]);

        $this->crowdListService->removePerson($crowdList, $person, request()->user());