bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: A01-13 — nest all event routes under organisation prefix

Browse Source 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
api/tests/Feature/Security/InputValidationSecurityTest.php
View File

@@ -53,7 +53,7 @@ final class InputValidationSecurityTest extends TestCase
$xssPayload = '<script>alert("xss")</script>';
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => $xssPayload,
'last_name' => 'Normal',
@@ -95,7 +95,7 @@ final class InputValidationSecurityTest extends TestCase
$xssPayload = '<svg onload=alert(1)>';
$response = $this->postJson("/api/v1/events/{$this->event->id}/sections", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'name' => $xssPayload,
]);
@@ -109,7 +109,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => str_repeat('A', 256),
'last_name' => 'Normal',
@@ -139,7 +139,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -173,7 +173,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -210,7 +210,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $otherCrowdType->id,
'first_name' => 'FK',
'last_name' => 'Test',
@@ -228,7 +228,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Company',
'last_name' => 'Test',
@@ -250,7 +250,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson(
"/api/v1/events/{$this->event->id}/sections/{$section->id}/shifts",
"/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}/shifts",
[
'time_slot_id' => $timeSlot->id,
'location_id' => $otherLocation->id,
@@ -303,7 +303,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson(
"/api/v1/events/{$this->event->id}/sections/{$section->id}/shifts/{$shift->id}/assign",
"/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}/shifts/{$shift->id}/assign",
['person_id' => $otherPerson->id]
);
@@ -317,7 +317,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => 'not-a-valid-ulid',
'first_name' => 'Test',
'last_name' => 'User',
@@ -332,7 +332,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => '01JZZZZZZZZZZZZZZZZZZZZZZ',
'first_name' => 'Test',
'last_name' => 'User',
@@ -351,7 +351,7 @@ final class InputValidationSecurityTest extends TestCase
$sqlPayload = "'; DROP TABLE users; --";
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => $sqlPayload,
'last_name' => 'Normal',

28
api/tests/Feature/Security/MultiTenancyIsolationTest.php
View File

@@ -89,7 +89,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminA);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons", [
'crowd_type_id' => $this->crowdTypeB->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -117,7 +117,7 @@ final class MultiTenancyIsolationTest extends TestCase
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
['person_id' => $personB->id]
);
@@ -142,7 +142,7 @@ final class MultiTenancyIsolationTest extends TestCase
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
['person_id' => $personB->id]
);
@@ -173,7 +173,7 @@ final class MultiTenancyIsolationTest extends TestCase
]);
$response = $this->postJson(
"/api/v1/events/{$this->eventA->id}/shift-assignments/bulk-approve",
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/shift-assignments/bulk-approve",
['assignment_ids' => [$assignmentB->id]]
);
@@ -207,7 +207,7 @@ final class MultiTenancyIsolationTest extends TestCase
$companyB = Company::factory()->create(['organisation_id' => $this->orgB->id]);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons", [
'crowd_type_id' => $this->crowdTypeA->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -225,7 +225,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminA);
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/crowd-lists", [
$response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/crowd-lists", [
'crowd_type_id' => $this->crowdTypeB->id,
'name' => 'Test List',
'type' => 'accreditation',
@@ -266,7 +266,7 @@ final class MultiTenancyIsolationTest extends TestCase
Sanctum::actingAs($this->adminA);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/persons");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons");
$response->assertOk();
$personIds = collect($response->json('data'))->pluck('id');
@@ -280,7 +280,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/locations");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/locations");
// Event-scoped routes: policy returns 403 (user not in org) — access is blocked
$response->assertForbidden();
@@ -292,7 +292,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections");
$response->assertForbidden();
}
@@ -305,7 +305,7 @@ final class MultiTenancyIsolationTest extends TestCase
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");
$response->assertForbidden();
}
@@ -316,7 +316,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/time-slots");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/time-slots");
$response->assertForbidden();
}
@@ -327,7 +327,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/registration-fields");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/registration-fields");
$response->assertForbidden();
}
@@ -338,7 +338,7 @@ final class MultiTenancyIsolationTest extends TestCase
{
Sanctum::actingAs($this->adminB);
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/shift-assignments");
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/shift-assignments");
$response->assertForbidden();
}
@@ -355,7 +355,7 @@ final class MultiTenancyIsolationTest extends TestCase
]);
$response = $this->putJson(
"/api/v1/events/{$this->eventA->id}/persons/{$personA->id}",
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons/{$personA->id}",
['first_name' => 'Hacked']
);