feat: platform admin backend — controllers, services, routes, tests

Add cross-organisation admin API endpoints behind role:super_admin middleware:
- AdminOrganisationController: CRUD with search, filter, billing_status management
- AdminUserController: user management with role assignment across orgs
- AdminStatsController: platform-wide aggregate statistics
- AdminActivityLogController: filterable activity log viewer
- AdminImpersonationController + ImpersonationService: user impersonation with
  token-based session management and activity logging
- BillingStatus enum, form requests, API resources, 23 feature tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Api/V1/Admin/AdminImpersonationTest.php

@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1\Admin;
+
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Spatie\Activitylog\Models\Activity;
+use Tests\TestCase;
+
+class AdminImpersonationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $superAdmin;
+    private User $targetUser;
+    private User $otherSuperAdmin;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->targetUser = User::factory()->create();
+
+        $this->otherSuperAdmin = User::factory()->create();
+        $this->otherSuperAdmin->assignRole('super_admin');
+    }
+
+    // ─── Start ───────────────────────────────────────────────
+
+    public function test_start_creates_token_for_target_user(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+
+        $response->assertOk();
+        $response->assertJsonStructure([
+            'data' => ['token', 'user' => ['id', 'email'], 'admin_id'],
+        ]);
+        $response->assertJsonPath('data.user.id', $this->targetUser->id);
+        $response->assertJsonPath('data.admin_id', $this->superAdmin->id);
+
+        $this->assertDatabaseHas('personal_access_tokens', [
+            'tokenable_id' => $this->targetUser->id,
+            'name' => 'impersonation-by-' . $this->superAdmin->id,
+        ]);
+    }
+
+    public function test_start_denied_for_non_super_admin(): void
+    {
+        Sanctum::actingAs($this->targetUser);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+
+        $response->assertForbidden();
+    }
+
+    public function test_start_denied_when_target_is_super_admin(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->otherSuperAdmin->id}");
+
+        $response->assertForbidden();
+    }
+
+    // ─── Stop ────────────────────────────────────────────────
+
+    public function test_stop_deletes_impersonation_token(): void
+    {
+        // Start impersonation
+        Sanctum::actingAs($this->superAdmin);
+        $startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+        $token = $startResponse->json('data.token');
+
+        // Reset auth state so the Bearer token takes effect
+        $this->app['auth']->forgetGuards();
+
+        $response = $this->withHeader('Authorization', "Bearer {$token}")
+            ->postJson('/api/v1/admin/stop-impersonation');
+
+        $response->assertOk();
+        $response->assertJsonPath('data.user.id', $this->superAdmin->id);
+
+        $this->assertDatabaseMissing('personal_access_tokens', [
+            'tokenable_id' => $this->targetUser->id,
+            'name' => 'impersonation-by-' . $this->superAdmin->id,
+        ]);
+    }
+
+    // ─── Activity Log ────────────────────────────────────────
+
+    public function test_activity_log_records_start_and_stop(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+        $startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+        $token = $startResponse->json('data.token');
+
+        $this->assertDatabaseHas('activity_log', [
+            'event' => 'admin.impersonation.started',
+            'causer_id' => $this->superAdmin->id,
+            'subject_id' => $this->targetUser->id,
+        ]);
+
+        // Reset auth state so the Bearer token takes effect
+        $this->app['auth']->forgetGuards();
+
+        $this->withHeader('Authorization', "Bearer {$token}")
+            ->postJson('/api/v1/admin/stop-impersonation');
+
+        $this->assertDatabaseHas('activity_log', [
+            'event' => 'admin.impersonation.stopped',
+            'subject_id' => $this->targetUser->id,
+        ]);
+    }
+}

api/tests/Feature/Api/V1/Admin/AdminOrganisationControllerTest.php

@@ -0,0 +1,149 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1\Admin;
+
+use App\Models\Event;
+use App\Models\Organisation;
+use App\Models\Person;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class AdminOrganisationControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $superAdmin;
+    private User $orgAdmin;
+    private Organisation $organisation;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->orgAdmin = User::factory()->create();
+
+        $this->organisation = Organisation::factory()->create(['billing_status' => 'active']);
+        $this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
+    }
+
+    // ─── Index ───────────────────────────────────────────────
+
+    public function test_index_returns_all_organisations_for_super_admin(): void
+    {
+        Organisation::factory()->count(3)->create();
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/organisations');
+
+        $response->assertOk();
+        $response->assertJsonStructure([
+            'data' => [['id', 'name', 'slug', 'billing_status', 'events_count', 'users_count']],
+        ]);
+        // 1 from setUp + 3 created = 4
+        $this->assertCount(4, $response->json('data'));
+    }
+
+    public function test_index_denied_for_org_admin(): void
+    {
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->getJson('/api/v1/admin/organisations');
+
+        $response->assertForbidden();
+    }
+
+    public function test_index_denied_for_unauthenticated(): void
+    {
+        $response = $this->getJson('/api/v1/admin/organisations');
+
+        $response->assertUnauthorized();
+    }
+
+    public function test_search_by_name(): void
+    {
+        Organisation::factory()->create(['name' => 'Festival Corp']);
+        Organisation::factory()->create(['name' => 'Music Events BV']);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/organisations?search=Festival');
+
+        $response->assertOk();
+        $this->assertCount(1, $response->json('data'));
+        $response->assertJsonPath('data.0.name', 'Festival Corp');
+    }
+
+    public function test_filter_by_billing_status(): void
+    {
+        Organisation::factory()->create(['billing_status' => 'trial']);
+        Organisation::factory()->create(['billing_status' => 'suspended']);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/organisations?billing_status=trial');
+
+        $response->assertOk();
+        foreach ($response->json('data') as $org) {
+            $this->assertEquals('trial', $org['billing_status']);
+        }
+    }
+
+    // ─── Show ────────────────────────────────────────────────
+
+    public function test_show_returns_organisation_with_counts(): void
+    {
+        $event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson("/api/v1/admin/organisations/{$this->organisation->id}");
+
+        $response->assertOk();
+        $response->assertJsonPath('data.id', $this->organisation->id);
+        $response->assertJsonPath('data.events_count', 1);
+        $response->assertJsonPath('data.users_count', 1);
+        $response->assertJsonStructure([
+            'data' => ['id', 'name', 'slug', 'billing_status', 'billing_status_label', 'events_count', 'users_count', 'total_persons'],
+        ]);
+    }
+
+    // ─── Update ──────────────────────────────────────────────
+
+    public function test_update_changes_billing_status(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->putJson("/api/v1/admin/organisations/{$this->organisation->id}", [
+            'billing_status' => 'suspended',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonPath('data.billing_status', 'suspended');
+        $this->assertDatabaseHas('organisations', [
+            'id' => $this->organisation->id,
+            'billing_status' => 'suspended',
+        ]);
+    }
+
+    // ─── Destroy ─────────────────────────────────────────────
+
+    public function test_destroy_soft_deletes(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->deleteJson("/api/v1/admin/organisations/{$this->organisation->id}");
+
+        $response->assertNoContent();
+        $this->assertSoftDeleted('organisations', ['id' => $this->organisation->id]);
+    }
+}

api/tests/Feature/Api/V1/Admin/AdminStatsControllerTest.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1\Admin;
+
+use App\Models\Event;
+use App\Models\Organisation;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class AdminStatsControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $superAdmin;
+    private User $regularUser;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->regularUser = User::factory()->create();
+    }
+
+    public function test_returns_aggregate_counts(): void
+    {
+        $org = Organisation::factory()->create(['billing_status' => 'active']);
+        Event::factory()->count(2)->create([
+            'organisation_id' => $org->id,
+            'status' => 'draft',
+        ]);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/stats');
+
+        $response->assertOk();
+        $response->assertJsonStructure([
+            'data' => [
+                'organisations' => ['total', 'by_billing_status'],
+                'events' => ['total', 'by_status'],
+                'users' => ['total', 'verified'],
+                'persons' => ['total'],
+            ],
+        ]);
+        $this->assertGreaterThanOrEqual(1, $response->json('data.organisations.total'));
+        $this->assertGreaterThanOrEqual(2, $response->json('data.events.total'));
+    }
+
+    public function test_denied_for_non_super_admin(): void
+    {
+        Sanctum::actingAs($this->regularUser);
+
+        $response = $this->getJson('/api/v1/admin/stats');
+
+        $response->assertForbidden();
+    }
+}

api/tests/Feature/Api/V1/Admin/AdminUserControllerTest.php

@@ -0,0 +1,151 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1\Admin;
+
+use App\Models\Organisation;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class AdminUserControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $superAdmin;
+    private User $regularUser;
+    private Organisation $organisation;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->organisation = Organisation::factory()->create();
+
+        $this->regularUser = User::factory()->create();
+        $this->organisation->users()->attach($this->regularUser, ['role' => 'org_admin']);
+    }
+
+    // ─── Index ───────────────────────────────────────────────
+
+    public function test_index_returns_all_users_with_organisations(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/users');
+
+        $response->assertOk();
+        $response->assertJsonStructure([
+            'data' => [['id', 'first_name', 'last_name', 'full_name', 'email', 'is_super_admin', 'organisations']],
+        ]);
+        // superAdmin + regularUser = 2
+        $this->assertCount(2, $response->json('data'));
+    }
+
+    public function test_index_denied_for_non_super_admin(): void
+    {
+        Sanctum::actingAs($this->regularUser);
+
+        $response = $this->getJson('/api/v1/admin/users');
+
+        $response->assertForbidden();
+    }
+
+    public function test_search_by_email(): void
+    {
+        $user = User::factory()->create(['email' => 'searchable@crewli.test']);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson('/api/v1/admin/users?search=searchable@crewli');
+
+        $response->assertOk();
+        $this->assertCount(1, $response->json('data'));
+        $response->assertJsonPath('data.0.email', 'searchable@crewli.test');
+    }
+
+    public function test_filter_by_organisation_id(): void
+    {
+        $otherOrg = Organisation::factory()->create();
+        $otherUser = User::factory()->create();
+        $otherOrg->users()->attach($otherUser, ['role' => 'org_member']);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson("/api/v1/admin/users?organisation_id={$this->organisation->id}");
+
+        $response->assertOk();
+        $this->assertCount(1, $response->json('data'));
+        $response->assertJsonPath('data.0.id', $this->regularUser->id);
+    }
+
+    // ─── Show ────────────────────────────────────────────────
+
+    public function test_show_returns_user_with_org_memberships(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->getJson("/api/v1/admin/users/{$this->regularUser->id}");
+
+        $response->assertOk();
+        $response->assertJsonPath('data.id', $this->regularUser->id);
+        $response->assertJsonPath('data.organisations.0.id', $this->organisation->id);
+        $response->assertJsonPath('data.organisations.0.role', 'org_admin');
+    }
+
+    // ─── Update ──────────────────────────────────────────────
+
+    public function test_update_changes_name_and_email(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->putJson("/api/v1/admin/users/{$this->regularUser->id}", [
+            'first_name' => 'Updated',
+            'last_name' => 'Name',
+            'email' => 'updated@crewli.test',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonPath('data.first_name', 'Updated');
+        $response->assertJsonPath('data.email', 'updated@crewli.test');
+    }
+
+    public function test_update_can_assign_super_admin_role(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->putJson("/api/v1/admin/users/{$this->regularUser->id}", [
+            'roles' => ['super_admin'],
+        ]);
+
+        $response->assertOk();
+        $this->assertTrue($this->regularUser->fresh()->hasRole('super_admin'));
+    }
+
+    // ─── Destroy ─────────────────────────────────────────────
+
+    public function test_destroy_soft_deletes_and_revokes_tokens(): void
+    {
+        $this->regularUser->createToken('test-token');
+        $this->assertDatabaseHas('personal_access_tokens', [
+            'tokenable_id' => $this->regularUser->id,
+        ]);
+
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->deleteJson("/api/v1/admin/users/{$this->regularUser->id}");
+
+        $response->assertNoContent();
+        $this->assertSoftDeleted('users', ['id' => $this->regularUser->id]);
+        $this->assertDatabaseMissing('personal_access_tokens', [
+            'tokenable_id' => $this->regularUser->id,
+        ]);
+    }
+}