security: A01-13 — nest all event routes under organisation prefix
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.
Changes:
- Routes: restructured api.php to nest all event sub-resources under
the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
trait to all 12 affected controllers (sections, time-slots, shifts,
persons, crowd-lists, locations, shift-assignments, registration-fields,
availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure
Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -52,7 +52,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/locations");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations");
|
||||
|
||||
$response->assertOk();
|
||||
$this->assertCount(3, $response->json('data'));
|
||||
@@ -62,7 +62,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'name' => 'Hoofdpodium',
|
||||
'address' => 'Museumplein 1, 1071 DJ Amsterdam',
|
||||
'lat' => 52.3580,
|
||||
@@ -85,7 +85,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'name' => 'Backstage Area',
|
||||
]);
|
||||
|
||||
@@ -105,7 +105,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->putJson("/api/v1/events/{$this->event->id}/locations/{$location->id}", [
|
||||
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations/{$location->id}", [
|
||||
'name' => 'Bar Zuid',
|
||||
'address' => 'Coolsingel 42, 3011 AD Rotterdam',
|
||||
'lat' => 51.9225,
|
||||
@@ -130,7 +130,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->deleteJson("/api/v1/events/{$this->event->id}/locations/{$location->id}");
|
||||
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations/{$location->id}");
|
||||
|
||||
$response->assertNoContent();
|
||||
$this->assertDatabaseMissing('locations', ['id' => $location->id]);
|
||||
@@ -142,7 +142,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/locations");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
@@ -151,7 +151,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'name' => 'Hack Attempt',
|
||||
]);
|
||||
|
||||
@@ -166,7 +166,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->putJson("/api/v1/events/{$this->event->id}/locations/{$location->id}", [
|
||||
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations/{$location->id}", [
|
||||
'name' => 'Hack Attempt',
|
||||
]);
|
||||
|
||||
@@ -181,14 +181,14 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->deleteJson("/api/v1/events/{$this->event->id}/locations/{$location->id}");
|
||||
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations/{$location->id}");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
public function test_unauthenticated_cannot_access_locations(): void
|
||||
{
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/locations");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations");
|
||||
|
||||
$response->assertUnauthorized();
|
||||
}
|
||||
@@ -199,7 +199,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'address' => 'Museumplein 1, Amsterdam',
|
||||
]);
|
||||
|
||||
@@ -211,7 +211,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'name' => str_repeat('a', 256),
|
||||
]);
|
||||
|
||||
@@ -223,7 +223,7 @@ class LocationTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/locations", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations", [
|
||||
'name' => 'Ongeldige Locatie',
|
||||
'lat' => 91.0,
|
||||
'lng' => 181.0,
|
||||
@@ -244,7 +244,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/locations");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations");
|
||||
|
||||
$response->assertOk();
|
||||
$this->assertCount(2, $response->json('data'));
|
||||
@@ -258,7 +258,7 @@ class LocationTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/locations");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/locations");
|
||||
|
||||
$response->assertOk();
|
||||
$names = collect($response->json('data'))->pluck('name')->all();
|
||||
|
||||
Reference in New Issue
Block a user