bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: A01-13 — nest all event routes under organisation prefix

Browse Source 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
api/tests/Feature/Security/InputValidationSecurityTest.php
View File

@@ -53,7 +53,7 @@ final class InputValidationSecurityTest extends TestCase
$xssPayload = '<script>alert("xss")</script>';
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => $xssPayload,
'last_name' => 'Normal',
@@ -95,7 +95,7 @@ final class InputValidationSecurityTest extends TestCase
$xssPayload = '<svg onload=alert(1)>';
$response = $this->postJson("/api/v1/events/{$this->event->id}/sections", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'name' => $xssPayload,
]);
@@ -109,7 +109,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => str_repeat('A', 256),
'last_name' => 'Normal',
@@ -139,7 +139,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -173,7 +173,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Test',
'last_name' => 'User',
@@ -210,7 +210,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $otherCrowdType->id,
'first_name' => 'FK',
'last_name' => 'Test',
@@ -228,7 +228,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => 'Company',
'last_name' => 'Test',
@@ -250,7 +250,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson(
"/api/v1/events/{$this->event->id}/sections/{$section->id}/shifts",
"/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}/shifts",
[
'time_slot_id' => $timeSlot->id,
'location_id' => $otherLocation->id,
@@ -303,7 +303,7 @@ final class InputValidationSecurityTest extends TestCase
Sanctum::actingAs($this->admin);
$response = $this->postJson(
"/api/v1/events/{$this->event->id}/sections/{$section->id}/shifts/{$shift->id}/assign",
"/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}/shifts/{$shift->id}/assign",
['person_id' => $otherPerson->id]
);
@@ -317,7 +317,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => 'not-a-valid-ulid',
'first_name' => 'Test',
'last_name' => 'User',
@@ -332,7 +332,7 @@ final class InputValidationSecurityTest extends TestCase
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => '01JZZZZZZZZZZZZZZZZZZZZZZ',
'first_name' => 'Test',
'last_name' => 'User',
@@ -351,7 +351,7 @@ final class InputValidationSecurityTest extends TestCase
$sqlPayload = "'; DROP TABLE users; --";
$response = $this->postJson("/api/v1/events/{$this->event->id}/persons", [
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/persons", [
'crowd_type_id' => $this->crowdType->id,
'first_name' => $sqlPayload,
'last_name' => 'Normal',