bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: A01-13 — nest all event routes under organisation prefix

Browse Source 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
api/tests/Feature/Event/EventStatsTest.php
View File

@@ -115,7 +115,7 @@ class EventStatsTest extends TestCase
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/events/{$this->event->id}/stats");
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/stats");
$response->assertOk();
$data = $response->json('data');
@@ -159,7 +159,7 @@ class EventStatsTest extends TestCase
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/events/{$this->event->id}/stats");
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/stats");
$response->assertOk();
$data = $response->json('data');
@@ -171,7 +171,7 @@ class EventStatsTest extends TestCase
public function test_unauthenticated_cannot_access_stats(): void
{
$response = $this->getJson("/api/v1/events/{$this->event->id}/stats");
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/stats");
$response->assertUnauthorized();
}
@@ -180,7 +180,7 @@ class EventStatsTest extends TestCase
{
Sanctum::actingAs($this->outsider);
$response = $this->getJson("/api/v1/events/{$this->event->id}/stats");
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/stats");
$response->assertForbidden();
}
@@ -189,7 +189,7 @@ class EventStatsTest extends TestCase
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/events/{$this->event->id}/stats");
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/stats");
$response->assertOk();
$data = $response->json('data');