security: A01-13 — nest all event routes under organisation prefix

Move all authenticated organiser-facing event sub-resource routes from /events/{event}/... to /organisations/{organisation}/events/{event}/... to enforce multi-tenancy at the routing layer. Changes: - Routes: restructured api.php to nest all event sub-resources under the existing organisation prefix group - Controllers: added Organisation parameter and VerifiesOrganisationEvent trait to all 12 affected controllers (sections, time-slots, shifts, persons, crowd-lists, locations, shift-assignments, registration-fields, availabilities, field-values, section-preferences, stats) - Tests: updated all 20 feature test files with new route paths - Frontend: updated 8 API composables and 20 Vue components/pages - API.md: updated documentation to reflect new route structure Portal routes, public routes (volunteer-register), and invitation routes remain unchanged as they operate without organisation context. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00
parent 51e5dd6fcb
commit 7932e53daf
64 changed files with 726 additions and 568 deletions
--- a/api/tests/Feature/Security/MultiTenancyIsolationTest.php
+++ b/api/tests/Feature/Security/MultiTenancyIsolationTest.php
@@ -89,7 +89,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminA);

-        $response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
+        $response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons", [
            'crowd_type_id' => $this->crowdTypeB->id,
            'first_name' => 'Test',
            'last_name' => 'User',
@@ -117,7 +117,7 @@ final class MultiTenancyIsolationTest extends TestCase
        ]);

        $response = $this->postJson(
-            "/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
+            "/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
            ['person_id' => $personB->id]
        );

@@ -142,7 +142,7 @@ final class MultiTenancyIsolationTest extends TestCase
        ]);

        $response = $this->postJson(
-            "/api/v1/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
+            "/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
            ['person_id' => $personB->id]
        );

@@ -173,7 +173,7 @@ final class MultiTenancyIsolationTest extends TestCase
        ]);

        $response = $this->postJson(
-            "/api/v1/events/{$this->eventA->id}/shift-assignments/bulk-approve",
+            "/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/shift-assignments/bulk-approve",
            ['assignment_ids' => [$assignmentB->id]]
        );

@@ -207,7 +207,7 @@ final class MultiTenancyIsolationTest extends TestCase

        $companyB = Company::factory()->create(['organisation_id' => $this->orgB->id]);

-        $response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
+        $response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons", [
            'crowd_type_id' => $this->crowdTypeA->id,
            'first_name' => 'Test',
            'last_name' => 'User',
@@ -225,7 +225,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminA);

-        $response = $this->postJson("/api/v1/events/{$this->eventA->id}/crowd-lists", [
+        $response = $this->postJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/crowd-lists", [
            'crowd_type_id' => $this->crowdTypeB->id,
            'name' => 'Test List',
            'type' => 'accreditation',
@@ -266,7 +266,7 @@ final class MultiTenancyIsolationTest extends TestCase

        Sanctum::actingAs($this->adminA);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/persons");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons");

        $response->assertOk();
        $personIds = collect($response->json('data'))->pluck('id');
@@ -280,7 +280,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/locations");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/locations");

        // Event-scoped routes: policy returns 403 (user not in org) — access is blocked
        $response->assertForbidden();
@@ -292,7 +292,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections");

        $response->assertForbidden();
    }
@@ -305,7 +305,7 @@ final class MultiTenancyIsolationTest extends TestCase

        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");

        $response->assertForbidden();
    }
@@ -316,7 +316,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/time-slots");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/time-slots");

        $response->assertForbidden();
    }
@@ -327,7 +327,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/registration-fields");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/registration-fields");

        $response->assertForbidden();
    }
@@ -338,7 +338,7 @@ final class MultiTenancyIsolationTest extends TestCase
    {
        Sanctum::actingAs($this->adminB);

-        $response = $this->getJson("/api/v1/events/{$this->eventA->id}/shift-assignments");
+        $response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/shift-assignments");

        $response->assertForbidden();
    }
@@ -355,7 +355,7 @@ final class MultiTenancyIsolationTest extends TestCase
        ]);

        $response = $this->putJson(
-            "/api/v1/events/{$this->eventA->id}/persons/{$personA->id}",
+            "/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}/persons/{$personA->id}",
            ['first_name' => 'Hacked']
        );