security: A01-13 — nest all event routes under organisation prefix

Move all authenticated organiser-facing event sub-resource routes from /events/{event}/... to /organisations/{organisation}/events/{event}/... to enforce multi-tenancy at the routing layer. Changes: - Routes: restructured api.php to nest all event sub-resources under the existing organisation prefix group - Controllers: added Organisation parameter and VerifiesOrganisationEvent trait to all 12 affected controllers (sections, time-slots, shifts, persons, crowd-lists, locations, shift-assignments, registration-fields, availabilities, field-values, section-preferences, stats) - Tests: updated all 20 feature test files with new route paths - Frontend: updated 8 API composables and 20 Vue components/pages - API.md: updated documentation to reflect new route structure Portal routes, public routes (volunteer-register), and invitation routes remain unchanged as they operate without organisation context. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
--- a/api/tests/Feature/Person/PersonTest.php
+++ b/api/tests/Feature/Person/PersonTest.php
@@ -55,7 +55,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->getJson("/api/v1/events/{$this->event->id}/persons");
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons");

        $response->assertOk();
        $this->assertCount(3, $response->json('data'));
@@ -78,7 +78,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->getJson("/api/v1/events/{$this->event->id}/persons?crowd_type_id={$this->crowdType->id}");
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons?crowd_type_id={$this->crowdType->id}");

        $response->assertOk();
        $this->assertCount(2, $response->json('data'));
@@ -93,7 +93,7 @@ class PersonTest extends TestCase
        // Outsider tries to access event from other org
        Sanctum::actingAs($this->outsider);

-        $response = $this->getJson("/api/v1/events/{$this->event->id}/persons");
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons");

        $response->assertForbidden();
    }
@@ -107,7 +107,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->getJson("/api/v1/events/{$this->event->id}/persons/{$person->id}");
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons/{$person->id}");

        $response->assertOk()
            ->assertJsonPath('data.crowd_type.system_type', 'VOLUNTEER');
@@ -117,7 +117,7 @@ class PersonTest extends TestCase
    {
        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
+        $response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
            'crowd_type_id' => $this->crowdType->id,
            'first_name' => 'Jan',
            'last_name' => 'de Vries',
@@ -146,7 +146,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->putJson("/api/v1/events/{$this->event->id}/persons/{$person->id}", [
+        $response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons/{$person->id}", [
            'status' => 'approved',
        ]);

@@ -164,7 +164,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/approve");
+        $response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons/{$person->id}/approve");

        $response->assertOk()
            ->assertJsonPath('data.status', 'approved');
@@ -184,7 +184,7 @@ class PersonTest extends TestCase

        Sanctum::actingAs($this->orgAdmin);

-        $response = $this->deleteJson("/api/v1/events/{$this->event->id}/persons/{$person->id}");
+        $response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons/{$person->id}");

        $response->assertNoContent();
        $this->assertSoftDeleted('persons', ['id' => $person->id]);
@@ -192,7 +192,7 @@ class PersonTest extends TestCase

    public function test_unauthenticated_returns_401(): void
    {
-        $response = $this->getJson("/api/v1/events/{$this->event->id}/persons");
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons");

        $response->assertUnauthorized();
    }