bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7bc0f1a0c731d3d16be35e80cb711d50660bc834
crewli/api/app/Models/ShiftAssignment.php
bert.hausmans 1028498705 security: round 1 — quick wins (rate limiting, headers, mass assignment, logging) 
- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 01:34:51 +02:00

101 lines
2.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Models;
use App\Enums\CancellationSource;
use App\Enums\ShiftAssignmentStatus;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Concerns\HasUlids;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\SoftDeletes;
final class ShiftAssignment extends Model
{
use HasFactory;
use HasUlids;
use SoftDeletes;
protected $fillable = [
'shift_id',
'person_id',
'time_slot_id',
'status',
'rejection_reason',
'hours_expected',
'hours_completed',
];
protected function casts(): array
{
return [
'status' => ShiftAssignmentStatus::class,
'cancellation_source' => CancellationSource::class,
'auto_approved' => 'boolean',
'assigned_at' => 'datetime',
'approved_at' => 'datetime',
'cancelled_at' => 'datetime',
'checked_in_at' => 'datetime',
'checked_out_at' => 'datetime',
'hours_expected' => 'decimal:2',
'hours_completed' => 'decimal:2',
];
}
public function shift(): BelongsTo
{
return $this->belongsTo(Shift::class);
}
public function person(): BelongsTo
{
return $this->belongsTo(Person::class);
}
public function timeSlot(): BelongsTo
{
return $this->belongsTo(TimeSlot::class);
}
public function assignedByUser(): BelongsTo
{
return $this->belongsTo(User::class, 'assigned_by');
}
public function approvedByUser(): BelongsTo
{
return $this->belongsTo(User::class, 'approved_by');
}
public function cancelledByUser(): BelongsTo
{
return $this->belongsTo(User::class, 'cancelled_by');
}
public function scopeActive(Builder $query): Builder
{
return $query->whereIn('status', [
ShiftAssignmentStatus::PENDING_APPROVAL,
ShiftAssignmentStatus::APPROVED,
]);
}
public function scopeForStatus(Builder $query, ShiftAssignmentStatus $status): Builder
{
return $query->where('status', $status);
}
public function isCancellable(): bool
{
return $this->status->canTransitionTo(ShiftAssignmentStatus::CANCELLED);
}
public function isApprovable(): bool
{
return $this->status->canTransitionTo(ShiftAssignmentStatus::APPROVED);
}
}
Reference in New Issue View Git Blame Copy Permalink