security: A01-13 — nest all event routes under organisation prefix
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.
Changes:
- Routes: restructured api.php to nest all event sub-resources under
the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
trait to all 12 affected controllers (sections, time-slots, shifts,
persons, crowd-lists, locations, shift-assignments, registration-fields,
availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure
Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -50,7 +50,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/time-slots");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
|
||||
|
||||
$response->assertOk();
|
||||
$this->assertCount(3, $response->json('data'));
|
||||
@@ -98,7 +98,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/time-slots");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
|
||||
|
||||
$response->assertOk();
|
||||
|
||||
@@ -113,7 +113,7 @@ class TimeSlotTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/time-slots", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
|
||||
'name' => 'Vrijdag Avond',
|
||||
'person_type' => 'VOLUNTEER',
|
||||
'date' => '2026-07-10',
|
||||
@@ -138,7 +138,7 @@ class TimeSlotTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/time-slots", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
|
||||
'name' => 'Test',
|
||||
'person_type' => 'INVALID',
|
||||
'date' => '2026-07-10',
|
||||
@@ -154,7 +154,7 @@ class TimeSlotTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->postJson("/api/v1/events/{$this->event->id}/time-slots", [
|
||||
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
|
||||
'name' => 'Test',
|
||||
'person_type' => 'VOLUNTEER',
|
||||
'date' => 'not-a-date',
|
||||
@@ -175,7 +175,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->putJson("/api/v1/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
|
||||
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
|
||||
'name' => 'Vrijdag Avond Updated',
|
||||
]);
|
||||
|
||||
@@ -189,7 +189,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->putJson("/api/v1/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
|
||||
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
|
||||
'name' => 'Hacked',
|
||||
]);
|
||||
|
||||
@@ -202,7 +202,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->deleteJson("/api/v1/events/{$this->event->id}/time-slots/{$timeSlot->id}");
|
||||
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
@@ -213,7 +213,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
Sanctum::actingAs($this->orgAdmin);
|
||||
|
||||
$response = $this->deleteJson("/api/v1/events/{$this->event->id}/time-slots/{$timeSlot->id}");
|
||||
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}");
|
||||
|
||||
$response->assertNoContent();
|
||||
$this->assertDatabaseMissing('time_slots', ['id' => $timeSlot->id]);
|
||||
@@ -221,7 +221,7 @@ class TimeSlotTest extends TestCase
|
||||
|
||||
public function test_unauthenticated_returns_401(): void
|
||||
{
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/time-slots");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
|
||||
|
||||
$response->assertUnauthorized();
|
||||
}
|
||||
@@ -230,7 +230,7 @@ class TimeSlotTest extends TestCase
|
||||
{
|
||||
Sanctum::actingAs($this->outsider);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->event->id}/time-slots");
|
||||
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user