bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: A01-13 — nest all event routes under organisation prefix

Browse Source 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
api/app/Http/Controllers/Api/V1/FestivalSectionController.php
View File

@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\ReorderFestivalSectionsRequest;
use App\Http\Requests\Api\V1\StoreFestivalSectionRequest;
use App\Http\Requests\Api\V1\UpdateFestivalSectionRequest;
@@ -12,14 +13,18 @@ use App\Http\Requests\Api\V1\UpdateRegistrationSettingsRequest;
use App\Http\Resources\Api\V1\FestivalSectionResource;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
use Illuminate\Support\Facades\Gate;
final class FestivalSectionController extends Controller
{
public function index(Event $event): AnonymousResourceCollection
use VerifiesOrganisationEvent;
public function index(Organisation $organisation, Event $event): AnonymousResourceCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [FestivalSection::class, $event]);
$sections = $event->festivalSections()->ordered()->get();
@@ -38,8 +43,9 @@ final class FestivalSectionController extends Controller
return FestivalSectionResource::collection($sections);
}
public function store(StoreFestivalSectionRequest $request, Event $event): JsonResponse
public function store(StoreFestivalSectionRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [FestivalSection::class, $event]);
$data = $request->validated();
@@ -77,8 +83,9 @@ final class FestivalSectionController extends Controller
return $response;
}
public function update(UpdateFestivalSectionRequest $request, Event $event, FestivalSection $section): JsonResponse
public function update(UpdateFestivalSectionRequest $request, Organisation $organisation, Event $event, FestivalSection $section): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$section, $event]);
$section->update($request->validated());
@@ -86,8 +93,9 @@ final class FestivalSectionController extends Controller
return $this->success(new FestivalSectionResource($section->fresh()));
}
public function destroy(Event $event, FestivalSection $section): JsonResponse
public function destroy(Organisation $organisation, Event $event, FestivalSection $section): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$section, $event]);
$section->delete();
@@ -95,8 +103,9 @@ final class FestivalSectionController extends Controller
return response()->json(null, 204);
}
public function registrationSettings(Event $event): JsonResponse
public function registrationSettings(Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [FestivalSection::class, $event]);
$sections = $this->getFestivalSections($event);
@@ -118,8 +127,9 @@ final class FestivalSectionController extends Controller
return response()->json(['data' => $grouped]);
}
public function updateRegistrationSettings(UpdateRegistrationSettingsRequest $request, Event $event): JsonResponse
public function updateRegistrationSettings(UpdateRegistrationSettingsRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [FestivalSection::class, $event]);
$validated = $request->validated();
@@ -148,7 +158,7 @@ final class FestivalSectionController extends Controller
->log('section.registration_settings_updated');
// Return updated settings
return $this->registrationSettings($event);
return $this->registrationSettings($organisation, $event);
}
/**
@@ -171,8 +181,9 @@ final class FestivalSectionController extends Controller
return FestivalSection::whereIn('event_id', $eventIds)->ordered()->get();
}
public function reorder(ReorderFestivalSectionsRequest $request, Event $event): JsonResponse
public function reorder(ReorderFestivalSectionsRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('reorder', [FestivalSection::class, $event]);
foreach ($request->validated('sections') as $index => $id) {