Enforce tenant member permissions
@@ -7,6 +7,7 @@ use App\Http\Resources\Tenant\EventJoinTokenResource;
|
||||
use App\Models\Event;
|
||||
use App\Models\EventJoinToken;
|
||||
use App\Services\EventJoinTokenService;
|
||||
use App\Support\TenantMemberPermissions;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
|
||||
@@ -19,7 +20,7 @@ class EventJoinTokenController extends Controller
|
||||
|
||||
public function index(Request $request, Event $event): AnonymousResourceCollection
|
||||
{
|
||||
$this->authorizeEvent($request, $event);
|
||||
$this->authorizeEvent($request, $event, 'join-tokens:manage');
|
||||
|
||||
$tokens = $event->joinTokens()
|
||||
->orderByDesc('created_at')
|
||||
@@ -30,7 +31,7 @@ class EventJoinTokenController extends Controller
|
||||
|
||||
public function store(Request $request, Event $event): JsonResponse
|
||||
{
|
||||
$this->authorizeEvent($request, $event);
|
||||
$this->authorizeEvent($request, $event, 'join-tokens:manage');
|
||||
|
||||
$validated = $this->validatePayload($request);
|
||||
|
||||
@@ -45,7 +46,7 @@ class EventJoinTokenController extends Controller
|
||||
|
||||
public function update(Request $request, Event $event, EventJoinToken $joinToken): EventJoinTokenResource
|
||||
{
|
||||
$this->authorizeEvent($request, $event);
|
||||
$this->authorizeEvent($request, $event, 'join-tokens:manage');
|
||||
|
||||
if ($joinToken->event_id !== $event->id) {
|
||||
abort(404);
|
||||
@@ -89,7 +90,7 @@ class EventJoinTokenController extends Controller
|
||||
|
||||
public function destroy(Request $request, Event $event, EventJoinToken $joinToken): EventJoinTokenResource
|
||||
{
|
||||
$this->authorizeEvent($request, $event);
|
||||
$this->authorizeEvent($request, $event, 'join-tokens:manage');
|
||||
|
||||
if ($joinToken->event_id !== $event->id) {
|
||||
abort(404);
|
||||
@@ -101,13 +102,17 @@ class EventJoinTokenController extends Controller
|
||||
return new EventJoinTokenResource($token);
|
||||
}
|
||||
|
||||
private function authorizeEvent(Request $request, Event $event): void
|
||||
private function authorizeEvent(Request $request, Event $event, ?string $permission = null): void
|
||||
{
|
||||
$tenantId = $request->attributes->get('tenant_id');
|
||||
|
||||
if ($event->tenant_id !== $tenantId) {
|
||||
abort(404, 'Event not found');
|
||||
}
|
||||
|
||||
if ($permission) {
|
||||
TenantMemberPermissions::ensureEventPermission($request, $event, $permission);
|
||||
}
|
||||
}
|
||||
|
||||
private function validatePayload(Request $request, bool $partial = false): array
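Review bot: In `authorizeEvent` (last hunk) the new `?string $permission = null` default makes the permission check opt-in, so any call site that omits the third argument silently falls back to tenant-membership-only access, and the `if ($permission)` guard is a truthiness test that would also skip the check for `''` or `'0'`. Every call site visible in this commit (index, store, update, destroy) now passes `'join-tokens:manage'`, so unless a method outside these hunks still calls it with two arguments the parameter can simply be required, `private function authorizeEvent(Request $request, Event $event, string $permission): void` with the guard dropped, or at minimum tightened to `if ($permission !== null)`. The same literal is repeated in four methods; hoisting it into a class constant (for example a proposed `TenantMemberPermissions::JOIN_TOKENS_MANAGE`) would turn a typo into a fatal error rather than whatever `ensureEventPermission` does with an unknown permission name, which is not visible here. Aborting 404 on the tenant mismatch before the permission check is the right order, since it avoids disclosing cross-tenant event existence to a member lacking the permission. `validatePayload` begins on the hunk's last line and its body lies outside the hunk.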
|
||||
|
||||