security: A01-13 — nest all event routes under organisation prefix
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.
Changes:
- Routes: restructured api.php to nest all event sub-resources under
the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
trait to all 12 affected controllers (sections, time-slots, shifts,
persons, crowd-lists, locations, shift-assignments, registration-fields,
availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure
Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@ declare(strict_types=1);
|
||||
namespace App\Http\Controllers\Api\V1;
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
|
||||
use App\Http\Requests\Api\V1\StorePersonRequest;
|
||||
use App\Http\Requests\Api\V1\UpdatePersonRequest;
|
||||
use App\Http\Resources\Api\V1\PersonCollection;
|
||||
@@ -12,6 +13,7 @@ use App\Http\Resources\Api\V1\PersonResource;
|
||||
use App\Mail\RegistrationApprovedMail;
|
||||
use App\Mail\RegistrationRejectedMail;
|
||||
use App\Models\Event;
|
||||
use App\Models\Organisation;
|
||||
use App\Models\Person;
|
||||
use App\Services\PersonIdentityService;
|
||||
use App\Services\TagSyncService;
|
||||
@@ -22,13 +24,16 @@ use Illuminate\Support\Facades\Mail;
|
||||
|
||||
final class PersonController extends Controller
|
||||
{
|
||||
use VerifiesOrganisationEvent;
|
||||
|
||||
public function __construct(
|
||||
private readonly PersonIdentityService $identityService,
|
||||
private readonly TagSyncService $tagSyncService,
|
||||
) {}
|
||||
|
||||
public function index(Request $request, Event $event): PersonCollection
|
||||
public function index(Request $request, Organisation $organisation, Event $event): PersonCollection
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('viewAny', [Person::class, $event]);
|
||||
|
||||
$query = $event->persons()->with(['crowdType', 'pendingIdentityMatch.matchedUser']);
|
||||
@@ -67,8 +72,9 @@ final class PersonController extends Controller
|
||||
return new PersonCollection($query->get());
|
||||
}
|
||||
|
||||
public function show(Event $event, Person $person): JsonResponse
|
||||
public function show(Organisation $organisation, Event $event, Person $person): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('view', [$person, $event]);
|
||||
|
||||
$person->load(['crowdType', 'company', 'user']);
|
||||
@@ -76,8 +82,9 @@ final class PersonController extends Controller
|
||||
return $this->success(new PersonResource($person));
|
||||
}
|
||||
|
||||
public function store(StorePersonRequest $request, Event $event): JsonResponse
|
||||
public function store(StorePersonRequest $request, Organisation $organisation, Event $event): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('create', [Person::class, $event]);
|
||||
|
||||
$person = $event->persons()->create($request->validated());
|
||||
@@ -87,8 +94,9 @@ final class PersonController extends Controller
|
||||
return $this->created(new PersonResource($person->fresh()->load('crowdType')));
|
||||
}
|
||||
|
||||
public function update(UpdatePersonRequest $request, Event $event, Person $person): JsonResponse
|
||||
public function update(UpdatePersonRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('update', [$person, $event]);
|
||||
|
||||
$person->update($request->validated());
|
||||
@@ -97,8 +105,9 @@ final class PersonController extends Controller
|
||||
return $this->success(new PersonResource($person->fresh()->load(['crowdType', 'company'])));
|
||||
}
|
||||
|
||||
public function destroy(Event $event, Person $person): JsonResponse
|
||||
public function destroy(Organisation $organisation, Event $event, Person $person): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('delete', [$person, $event]);
|
||||
|
||||
$person->delete();
|
||||
@@ -106,8 +115,9 @@ final class PersonController extends Controller
|
||||
return response()->json(null, 204);
|
||||
}
|
||||
|
||||
public function approve(Event $event, Person $person): JsonResponse
|
||||
public function approve(Organisation $organisation, Event $event, Person $person): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('approve', [$person, $event]);
|
||||
|
||||
$person->update(['status' => 'approved']);
|
||||
@@ -121,8 +131,9 @@ final class PersonController extends Controller
|
||||
return $this->success(new PersonResource($person->fresh()->load('crowdType')));
|
||||
}
|
||||
|
||||
public function reject(Request $request, Event $event, Person $person): JsonResponse
|
||||
public function reject(Request $request, Organisation $organisation, Event $event, Person $person): JsonResponse
|
||||
{
|
||||
$this->verifyEventBelongsToOrganisation($organisation, $event);
|
||||
Gate::authorize('approve', [$person, $event]);
|
||||
|
||||
$person->update(['status' => 'rejected']);
|
||||
|
||||
Reference in New Issue
Block a user