bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7932e53daf94ec3486d0638a3863fe7dc5220749
crewli/api/app/Http/Controllers/Api/V1/PersonController.php
bert.hausmans 7932e53daf security: A01-13 — nest all event routes under organisation prefix 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00

150 lines
5.3 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
use App\Http\Requests\Api\V1\StorePersonRequest;
use App\Http\Requests\Api\V1\UpdatePersonRequest;
use App\Http\Resources\Api\V1\PersonCollection;
use App\Http\Resources\Api\V1\PersonResource;
use App\Mail\RegistrationApprovedMail;
use App\Mail\RegistrationRejectedMail;
use App\Models\Event;
use App\Models\Organisation;
use App\Models\Person;
use App\Services\PersonIdentityService;
use App\Services\TagSyncService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Mail;
final class PersonController extends Controller
{
use VerifiesOrganisationEvent;
public function __construct(
private readonly PersonIdentityService $identityService,
private readonly TagSyncService $tagSyncService,
) {}
public function index(Request $request, Organisation $organisation, Event $event): PersonCollection
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('viewAny', [Person::class, $event]);
$query = $event->persons()->with(['crowdType', 'pendingIdentityMatch.matchedUser']);
if ($request->filled('crowd_type_id')) {
$query->where('crowd_type_id', $request->input('crowd_type_id'));
}
if ($request->filled('status')) {
$query->where('status', $request->input('status'));
}
if ($request->filled('tag')) {
$organisation = $event->organisation;
$query->whereHas('user', function ($q) use ($request, $organisation) {
$q->whereHas('organisationTags', function ($q2) use ($request, $organisation) {
$q2->where('organisation_id', $organisation->id)
->where('person_tag_id', $request->input('tag'));
});
});
}
if ($request->filled('tags')) {
$organisation = $event->organisation;
$tagIds = explode(',', $request->input('tags'));
foreach ($tagIds as $tagId) {
$query->whereHas('user', function ($q) use ($tagId, $organisation) {
$q->whereHas('organisationTags', function ($q2) use ($tagId, $organisation) {
$q2->where('organisation_id', $organisation->id)
->where('person_tag_id', $tagId);
});
});
}
}
return new PersonCollection($query->get());
}
public function show(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('view', [$person, $event]);
$person->load(['crowdType', 'company', 'user']);
return $this->success(new PersonResource($person));
}
public function store(StorePersonRequest $request, Organisation $organisation, Event $event): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('create', [Person::class, $event]);
$person = $event->persons()->create($request->validated());
$this->identityService->detectMatchForPerson($person);
return $this->created(new PersonResource($person->fresh()->load('crowdType')));
}
public function update(UpdatePersonRequest $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('update', [$person, $event]);
$person->update($request->validated());
$person->load(['crowdType', 'company']);
return $this->success(new PersonResource($person->fresh()->load(['crowdType', 'company'])));
}
public function destroy(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('delete', [$person, $event]);
$person->delete();
return response()->json(null, 204);
}
public function approve(Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('approve', [$person, $event]);
$person->update(['status' => 'approved']);
$this->tagSyncService->syncFromRegistration($person);
if ($person->email) {
Mail::to($person->email)->queue(new RegistrationApprovedMail($person, $event));
}
return $this->success(new PersonResource($person->fresh()->load('crowdType')));
}
public function reject(Request $request, Organisation $organisation, Event $event, Person $person): JsonResponse
{
$this->verifyEventBelongsToOrganisation($organisation, $event);
Gate::authorize('approve', [$person, $event]);
$person->update(['status' => 'rejected']);
$reason = $request->input('reason');
if ($person->email) {
Mail::to($person->email)->queue(new RegistrationRejectedMail($person, $event, $reason));
}
return $this->success(new PersonResource($person->fresh()->load('crowdType')));
}
}
Reference in New Issue View Git Blame Copy Permalink