crewli

bert.hausmans/crewli

Fork 0

Commit Graph

Author	SHA1	Message	Date
bert.hausmans	2064b9901e	feat(form-builder): form_field_conditional_logic_{groups,conditions} tables + OrganisationScope cap raise to 5 WS-5c commit 1 of 4 — relational infrastructure for the conditional- logic tree that replaces form_fields.conditional_logic JSON (ARCH- FORM-BUILDER §8; addendum Q3 WS-5c). Tables: groups (nesting via parent_group_id) + conditions (leaves, value JSON nullable for empty/not_empty). Simple FK to form_fields — addendum Q3 explicitly excludes form_field_library from conditional_ logic scope, so no polymorphic morph here. OrganisationScope cap raised 3 → 5 hops. The conditions chain is 4 hops (condition → group → field → schema → organisation_id column) and the new cap gives headroom for future deeper trees without denormalising form_field_id onto conditions. Cascade observer (FormFieldChildTablesCascadeObserver) extended to physically delete the new groups table on FormField delete (hard or soft). Conditions cascade automatically via the group_id FK on the groups table. Factories: FormFieldConditionalLogicGroupFactory, FormFieldConditional LogicConditionFactory, and FormFieldFactory::withConditionalLogic($tree) for concise test fixtures. Tests: 16 new under tests/Feature/FormBuilder/ConditionalLogic/ (relation, scope, cascade, enum catalogue). 3 new scope-cap tests in ScopeLeakageTest verify 4/5-hop chains pass and 6-hop throws. Hardcoded rollback step counts in WS-5a/b migration tests bumped for the 2 new WS-5c migrations. Baseline 1104 → 1122 green (2988 → 3032 assertions). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 23:43:34 +02:00
bert.hausmans	b688ec26f0	feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04 Refactors OrganisationScope to support a declarative, recursive FK-chain resolver and registers the scope on 14 models that previously relied on caller-discipline for tenant isolation. Scope resolver (app/Models/Scopes/OrganisationScope.php): Models now declare their strategy via: public static function tenantScopeStrategy(): array { return ['column' => 'organisation_id']; // terminal // OR return ['via' => FormSchema::class, 'fk' => 'form_schema_id']; } The apply() path walks the chain recursively, building whereIn subqueries against parent models until it hits a column-based strategy. Max 3 hops; deeper chains raise App\Exceptions\TenantScopeResolutionException. The walker accepts BOTH the new tenantScopeStrategy() and the legacy $organisationScopeColumn property at every hop — so PersonIdentityMatch can chain via Person, which still uses the legacy event_id bridge, without requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the new convention in this work package. That migration is a separate backlog ticket — explicitly scope-controlled per the addendum. Fourteen newly-scoped models: Form-builder child models (D-03): FormSchemaSection via FormSchema (1 hop) FormField via FormSchema (1 hop) FormSubmission column organisation_id (Commit 2) FormValue via FormSubmission (1 hop) FormValueOption via FormValue -> FormSubmission (2 hops) FormSubmissionSectionStatus via FormSubmission (1 hop) FormSubmissionDelegation via FormSubmission (1 hop) FormSchemaWebhook via FormSchema (1 hop) FormWebhookDelivery via FormSubmission (1 hop) Event-data models (D-04 event-data subset): ShiftAssignment via Shift (legacy festival_section_id) ShiftWaitlist via Shift VolunteerAvailability via TimeSlot (legacy event_id) PersonSectionPreference via FestivalSection (legacy event_id) PersonIdentityMatch via Person (legacy event_id) Note — task directive specified VolunteerAvailability "via: Event, fk: event_id", but the table has no event_id column (only person_id + time_slot_id). Rerouted via TimeSlot, which carries the legacy event_id bridge; same end result, correct FK. Security-relevant callers made explicit: PublicFormSchemaResource::toArray() now eagerly loads fields + sections with withoutGlobalScope(OrganisationScope::class). Prior to this commit the public form endpoint silently relied on those relations being unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still pass — behaviour unchanged, intent now explicit. Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was flaky (factory randomly picked EVENT_REGISTRATION which requires bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest covers the binding-enforcement path. Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope filters by route org, withoutGlobalScope() still exposes cross-org rows. The test's original purpose ("pin current behaviour so a future refactor is intentional") is now satisfied by Commit 3 being that intentional refactor. Docs: SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented; the 14 newly-scoped models enumerated; link to addendum Q2. ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain" with the hop-count table for all 14 chains and the withoutGlobalScope pattern for cross-org callers. Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with fully-populated record chains down to each of the 14 leaf models; asserts scoped queries never cross, withoutGlobalScope still does. Plus: three- hop chain (FormValueOption) explicitly exercised, legacy-column bridge verified, over-deep chain raises TenantScopeResolutionException. 16 tests / 31 new assertions. Full suite: 1000 passed (2706 assertions). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 17:08:33 +02:00

Author

SHA1

Message

Date

bert.hausmans

2064b9901e

feat(form-builder): form_field_conditional_logic_{groups,conditions} tables + OrganisationScope cap raise to 5

WS-5c commit 1 of 4 — relational infrastructure for the conditional-
logic tree that replaces form_fields.conditional_logic JSON (ARCH-
FORM-BUILDER §8; addendum Q3 WS-5c).

Tables: groups (nesting via parent_group_id) + conditions (leaves,
value JSON nullable for empty/not_empty). Simple FK to form_fields —
addendum Q3 explicitly excludes form_field_library from conditional_
logic scope, so no polymorphic morph here.

OrganisationScope cap raised 3 → 5 hops. The conditions chain is
4 hops (condition → group → field → schema → organisation_id column)
and the new cap gives headroom for future deeper trees without
denormalising form_field_id onto conditions.

Cascade observer (FormFieldChildTablesCascadeObserver) extended to
physically delete the new groups table on FormField delete (hard or
soft). Conditions cascade automatically via the group_id FK on the
groups table.

Factories: FormFieldConditionalLogicGroupFactory, FormFieldConditional
LogicConditionFactory, and FormFieldFactory::withConditionalLogic($tree)
for concise test fixtures.

Tests: 16 new under tests/Feature/FormBuilder/ConditionalLogic/
(relation, scope, cascade, enum catalogue). 3 new scope-cap tests in
ScopeLeakageTest verify 4/5-hop chains pass and 6-hop throws. Hardcoded
rollback step counts in WS-5a/b migration tests bumped for the 2 new
WS-5c migrations. Baseline 1104 → 1122 green (2988 → 3032 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 23:43:34 +02:00

bert.hausmans

b688ec26f0

feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04

Refactors OrganisationScope to support a declarative, recursive FK-chain
resolver and registers the scope on 14 models that previously relied on
caller-discipline for tenant isolation.

Scope resolver (app/Models/Scopes/OrganisationScope.php):
Models now declare their strategy via:

    public static function tenantScopeStrategy(): array
    {
        return ['column' => 'organisation_id'];           // terminal
        // OR
        return ['via' => FormSchema::class, 'fk' => 'form_schema_id'];
    }

The apply() path walks the chain recursively, building whereIn subqueries
against parent models until it hits a column-based strategy. Max 3 hops;
deeper chains raise App\Exceptions\TenantScopeResolutionException. The
walker accepts BOTH the new tenantScopeStrategy() and the legacy
$organisationScopeColumn property at every hop — so PersonIdentityMatch
can chain via Person, which still uses the legacy event_id bridge, without
requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the
new convention in this work package. That migration is a separate
backlog ticket — explicitly scope-controlled per the addendum.

Fourteen newly-scoped models:

  Form-builder child models (D-03):
    FormSchemaSection             via FormSchema                    (1 hop)
    FormField                     via FormSchema                    (1 hop)
    FormSubmission                column organisation_id (Commit 2)
    FormValue                     via FormSubmission                (1 hop)
    FormValueOption               via FormValue -> FormSubmission   (2 hops)
    FormSubmissionSectionStatus   via FormSubmission                (1 hop)
    FormSubmissionDelegation      via FormSubmission                (1 hop)
    FormSchemaWebhook             via FormSchema                    (1 hop)
    FormWebhookDelivery           via FormSubmission                (1 hop)

  Event-data models (D-04 event-data subset):
    ShiftAssignment               via Shift (legacy festival_section_id)
    ShiftWaitlist                 via Shift
    VolunteerAvailability         via TimeSlot (legacy event_id)
    PersonSectionPreference       via FestivalSection (legacy event_id)
    PersonIdentityMatch           via Person (legacy event_id)

Note — task directive specified VolunteerAvailability "via: Event, fk: event_id",
but the table has no event_id column (only person_id + time_slot_id).
Rerouted via TimeSlot, which carries the legacy event_id bridge; same
end result, correct FK.

Security-relevant callers made explicit:
  PublicFormSchemaResource::toArray() now eagerly loads fields + sections
  with withoutGlobalScope(OrganisationScope::class). Prior to this commit
  the public form endpoint silently relied on those relations being
  unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still
  pass — behaviour unchanged, intent now explicit.

Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was
flaky (factory randomly picked EVENT_REGISTRATION which requires
bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest
covers the binding-enforcement path.

Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped
renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope
filters by route org, withoutGlobalScope() still exposes cross-org rows.
The test's original purpose ("pin current behaviour so a future refactor
is intentional") is now satisfied by Commit 3 being that intentional
refactor.

Docs:
  SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented;
    the 14 newly-scoped models enumerated; link to addendum Q2.
  ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain"
    with the hop-count table for all 14 chains and the withoutGlobalScope
    pattern for cross-org callers.

Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with
fully-populated record chains down to each of the 14 leaf models; asserts
scoped queries never cross, withoutGlobalScope still does. Plus: three-
hop chain (FormValueOption) explicitly exercised, legacy-column bridge
verified, over-deep chain raises TenantScopeResolutionException. 16 tests /
31 new assertions. Full suite: 1000 passed (2706 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 17:08:33 +02:00

2 Commits