bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04

Browse Source 
Refactors OrganisationScope to support a declarative, recursive FK-chain
resolver and registers the scope on 14 models that previously relied on
caller-discipline for tenant isolation.

Scope resolver (app/Models/Scopes/OrganisationScope.php):
Models now declare their strategy via:

    public static function tenantScopeStrategy(): array
    {
        return ['column' => 'organisation_id'];           // terminal
        // OR
        return ['via' => FormSchema::class, 'fk' => 'form_schema_id'];
    }

The apply() path walks the chain recursively, building whereIn subqueries
against parent models until it hits a column-based strategy. Max 3 hops;
deeper chains raise App\Exceptions\TenantScopeResolutionException. The
walker accepts BOTH the new tenantScopeStrategy() and the legacy
$organisationScopeColumn property at every hop — so PersonIdentityMatch
can chain via Person, which still uses the legacy event_id bridge, without
requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the
new convention in this work package. That migration is a separate
backlog ticket — explicitly scope-controlled per the addendum.

Fourteen newly-scoped models:

  Form-builder child models (D-03):
    FormSchemaSection             via FormSchema                    (1 hop)
    FormField                     via FormSchema                    (1 hop)
    FormSubmission                column organisation_id (Commit 2)
    FormValue                     via FormSubmission                (1 hop)
    FormValueOption               via FormValue -> FormSubmission   (2 hops)
    FormSubmissionSectionStatus   via FormSubmission                (1 hop)
    FormSubmissionDelegation      via FormSubmission                (1 hop)
    FormSchemaWebhook             via FormSchema                    (1 hop)
    FormWebhookDelivery           via FormSubmission                (1 hop)

  Event-data models (D-04 event-data subset):
    ShiftAssignment               via Shift (legacy festival_section_id)
    ShiftWaitlist                 via Shift
    VolunteerAvailability         via TimeSlot (legacy event_id)
    PersonSectionPreference       via FestivalSection (legacy event_id)
    PersonIdentityMatch           via Person (legacy event_id)

Note — task directive specified VolunteerAvailability "via: Event, fk: event_id",
but the table has no event_id column (only person_id + time_slot_id).
Rerouted via TimeSlot, which carries the legacy event_id bridge; same
end result, correct FK.

Security-relevant callers made explicit:
  PublicFormSchemaResource::toArray() now eagerly loads fields + sections
  with withoutGlobalScope(OrganisationScope::class). Prior to this commit
  the public form endpoint silently relied on those relations being
  unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still
  pass — behaviour unchanged, intent now explicit.

Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was
flaky (factory randomly picked EVENT_REGISTRATION which requires
bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest
covers the binding-enforcement path.

Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped
renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope
filters by route org, withoutGlobalScope() still exposes cross-org rows.
The test's original purpose ("pin current behaviour so a future refactor
is intentional") is now satisfied by Commit 3 being that intentional
refactor.

Docs:
  SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented;
    the 14 newly-scoped models enumerated; link to addendum Q2.
  ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain"
    with the hop-count table for all 14 chains and the withoutGlobalScope
    pattern for cross-org callers.

Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with
fully-populated record chains down to each of the 14 leaf models; asserts
scoped queries never cross, withoutGlobalScope still does. Plus: three-
hop chain (FormValueOption) explicitly exercised, legacy-column bridge
verified, over-deep chain raises TenantScopeResolutionException. 16 tests /
31 new assertions. Full suite: 1000 passed (2706 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-24 17:08:33 +02:00
parent ae8e2fdb4e
commit b688ec26f0
22 changed files with 942 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
api/tests/Feature/FormBuilder/MultiTenancyTest.php
View File

@@ -19,10 +19,10 @@ use Tests\TestCase;
* Verifies OrganisationScope discipline:
* - FormSchema, FormTemplate, FormFieldLibrary apply OrganisationScope and
* are filtered when an organisation route parameter is in scope.
* - FormSchemaWebhook intentionally does NOT apply OrganisationScope (its
* scope is enforced via the parent FormSchema). The docblock on the
* model warns callers; this test pins the current behaviour so a future
* refactor that adds the scope is an intentional decision.
* - FormSchemaWebhook now applies OrganisationScope via the FK-chain
* strategy (addendum Q2 / WS-4 Commit 3). Direct queries are tenant-
* safe by default; withoutGlobalScope() is required for admin-wide
* queries.
*/
final class MultiTenancyTest extends TestCase
{
@@ -74,7 +74,7 @@ final class MultiTenancyTest extends TestCase
$this->assertSame(1, FormFieldLibrary::query()->count());
}
public function test_form_schema_webhook_is_not_globally_scoped(): void
public function test_form_schema_webhook_is_scoped_via_fk_chain(): void
{
$schemaA = FormSchema::factory()->create(['organisation_id' => $this->orgA->id]);
$schemaB = FormSchema::factory()->create(['organisation_id' => $this->orgB->id]);
@@ -82,13 +82,18 @@ final class MultiTenancyTest extends TestCase
FormSchemaWebhook::factory()->count(3)->create(['form_schema_id' => $schemaB->id]);
$this->withRouteParameter('organisation', $this->orgA);
// Direct queries leak across orgs — exact reason the docblock warns
// never to query FormSchemaWebhook::query() without an eager constraint.
$this->assertSame(5, FormSchemaWebhook::query()->count());
// Addendum Q2 / WS-4 Commit 3: FK-chain scope now filters direct
// queries by the route's organisation via form_schemas.
$this->assertSame(2, FormSchemaWebhook::query()->count());
// Going through the schema relation respects OrganisationScope on the parent.
$this->assertCount(2, $schemaA->fresh()->webhooks);
$this->assertCount(3, $schemaB->fresh()->webhooks);
$this->withRouteParameter('organisation', $this->orgB);
$this->assertSame(3, FormSchemaWebhook::query()->count());
// Admin-wide lookups still work via withoutGlobalScope().
$this->assertSame(
5,
FormSchemaWebhook::withoutGlobalScope(OrganisationScope::class)->count()
);
}
private function actingAsOrgUser(Organisation $org): void