security: A01-13 — nest all event routes under organisation prefix
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.
Changes:
- Routes: restructured api.php to nest all event sub-resources under
the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
trait to all 12 affected controllers (sections, time-slots, shifts,
persons, crowd-lists, locations, shift-assignments, registration-fields,
availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure
Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -24,6 +24,7 @@ interface PaginatedResponse<T> {
|
||||
}
|
||||
|
||||
export function usePersonList(
|
||||
orgId: Ref<string>,
|
||||
eventId: Ref<string>,
|
||||
filters?: Ref<{ crowd_type_id?: string; status?: string }>,
|
||||
) {
|
||||
@@ -37,37 +38,37 @@ export function usePersonList(
|
||||
params.status = filters.value.status
|
||||
|
||||
const { data } = await apiClient.get<PaginatedResponse<Person>>(
|
||||
`/events/${eventId.value}/persons`,
|
||||
`/organisations/${orgId.value}/events/${eventId.value}/persons`,
|
||||
{ params },
|
||||
)
|
||||
|
||||
return data
|
||||
},
|
||||
enabled: () => !!eventId.value,
|
||||
enabled: () => !!orgId.value && !!eventId.value,
|
||||
})
|
||||
}
|
||||
|
||||
export function usePersonDetail(eventId: Ref<string>, id: Ref<string>) {
|
||||
export function usePersonDetail(orgId: Ref<string>, eventId: Ref<string>, id: Ref<string>) {
|
||||
return useQuery({
|
||||
queryKey: ['persons', eventId, 'detail', id],
|
||||
queryFn: async () => {
|
||||
const { data } = await apiClient.get<ApiResponse<Person>>(
|
||||
`/events/${eventId.value}/persons/${id.value}`,
|
||||
`/organisations/${orgId.value}/events/${eventId.value}/persons/${id.value}`,
|
||||
)
|
||||
|
||||
return data.data
|
||||
},
|
||||
enabled: () => !!eventId.value && !!id.value,
|
||||
enabled: () => !!orgId.value && !!eventId.value && !!id.value,
|
||||
})
|
||||
}
|
||||
|
||||
export function useCreatePerson(eventId: Ref<string>) {
|
||||
export function useCreatePerson(orgId: Ref<string>, eventId: Ref<string>) {
|
||||
const queryClient = useQueryClient()
|
||||
|
||||
return useMutation({
|
||||
mutationFn: async (payload: CreatePersonPayload) => {
|
||||
const { data } = await apiClient.post<ApiResponse<Person>>(
|
||||
`/events/${eventId.value}/persons`,
|
||||
`/organisations/${orgId.value}/events/${eventId.value}/persons`,
|
||||
payload,
|
||||
)
|
||||
|
||||
@@ -79,13 +80,13 @@ export function useCreatePerson(eventId: Ref<string>) {
|
||||
})
|
||||
}
|
||||
|
||||
export function useUpdatePerson(eventId: Ref<string>) {
|
||||
export function useUpdatePerson(orgId: Ref<string>, eventId: Ref<string>) {
|
||||
const queryClient = useQueryClient()
|
||||
|
||||
return useMutation({
|
||||
mutationFn: async ({ id, ...payload }: UpdatePersonPayload & { id: string }) => {
|
||||
const { data } = await apiClient.put<ApiResponse<Person>>(
|
||||
`/events/${eventId.value}/persons/${id}`,
|
||||
`/organisations/${orgId.value}/events/${eventId.value}/persons/${id}`,
|
||||
payload,
|
||||
)
|
||||
|
||||
@@ -98,13 +99,13 @@ export function useUpdatePerson(eventId: Ref<string>) {
|
||||
})
|
||||
}
|
||||
|
||||
export function useApprovePerson(eventId: Ref<string>) {
|
||||
export function useApprovePerson(orgId: Ref<string>, eventId: Ref<string>) {
|
||||
const queryClient = useQueryClient()
|
||||
|
||||
return useMutation({
|
||||
mutationFn: async (id: string) => {
|
||||
const { data } = await apiClient.post<ApiResponse<Person>>(
|
||||
`/events/${eventId.value}/persons/${id}/approve`,
|
||||
`/organisations/${orgId.value}/events/${eventId.value}/persons/${id}/approve`,
|
||||
)
|
||||
|
||||
return data.data
|
||||
@@ -115,12 +116,12 @@ export function useApprovePerson(eventId: Ref<string>) {
|
||||
})
|
||||
}
|
||||
|
||||
export function useDeletePerson(eventId: Ref<string>) {
|
||||
export function useDeletePerson(orgId: Ref<string>, eventId: Ref<string>) {
|
||||
const queryClient = useQueryClient()
|
||||
|
||||
return useMutation({
|
||||
mutationFn: async (id: string) => {
|
||||
await apiClient.delete(`/events/${eventId.value}/persons/${id}`)
|
||||
await apiClient.delete(`/organisations/${orgId.value}/events/${eventId.value}/persons/${id}`)
|
||||
},
|
||||
onSuccess: () => {
|
||||
queryClient.invalidateQueries({ queryKey: ['persons', eventId.value] })
|
||||
|
||||
Reference in New Issue
Block a user