Enable guest photo deletion and ownership flags

tests/Feature/Api/Event/EventPhotosLocaleTest.php

@@ -44,6 +44,7 @@ class EventPhotosLocaleTest extends TestCase
             'tenant_id' => $event->tenant_id,
             'task_id' => $task->id,
             'emotion_id' => $emotion->id,
+            'created_by_device_id' => 'device-123',
             'created_at' => now(),
             'status' => 'approved',
         ]);
@@ -57,6 +58,7 @@ class EventPhotosLocaleTest extends TestCase
         $responseEn->assertJsonPath('data.0.emotion.name', 'Joy');
         $responseEn->assertJsonPath('data.0.emotion.icon', '🙂');
         $responseEn->assertJsonPath('data.0.emotion.color', '#FF00AA');
+        $responseEn->assertJsonPath('data.0.is_mine', true);
 
         $etag = $responseEn->headers->get('ETag');
         $this->assertNotEmpty($etag);

tests/Feature/EventGuestPhotoDeleteTest.php

@@ -0,0 +1,87 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\Event;
+use App\Models\Photo;
+use App\Models\PhotoLike;
+use App\Models\PhotoShareLink;
+use App\Services\EventJoinTokenService;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Storage;
+use Tests\TestCase;
+
+class EventGuestPhotoDeleteTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_guest_can_delete_own_photo(): void
+    {
+        $disk = config('filesystems.default', 'local');
+        Storage::fake($disk);
+
+        $event = Event::factory()->create([
+            'status' => 'published',
+        ]);
+
+        $token = app(EventJoinTokenService::class)
+            ->createToken($event, ['label' => 'guest'])
+            ->plain_token;
+
+        $photo = Photo::factory()->for($event)->create([
+            'status' => 'approved',
+            'guest_name' => 'device-123',
+            'created_by_device_id' => 'device-123',
+            'file_path' => "events/{$event->id}/photos/test.jpg",
+            'thumbnail_path' => "events/{$event->id}/photos/thumbs/test_thumb.jpg",
+        ]);
+
+        Storage::disk($disk)->put($photo->file_path, 'file');
+        Storage::disk($disk)->put($photo->thumbnail_path, 'thumb');
+
+        PhotoShareLink::factory()->create([
+            'photo_id' => $photo->id,
+        ]);
+
+        PhotoLike::create([
+            'photo_id' => $photo->id,
+            'guest_name' => 'device-123',
+            'ip_address' => 'device',
+        ]);
+
+        $response = $this->withHeaders(['X-Device-Id' => 'device-123'])
+            ->deleteJson("/api/v1/events/{$token}/photos/{$photo->id}");
+
+        $response->assertOk();
+        $response->assertJsonFragment(['photo_id' => $photo->id]);
+
+        $this->assertDatabaseMissing('photos', ['id' => $photo->id]);
+        $this->assertDatabaseMissing('photo_share_links', ['photo_id' => $photo->id]);
+        $this->assertDatabaseMissing('photo_likes', ['photo_id' => $photo->id]);
+        Storage::disk($disk)->assertMissing($photo->file_path);
+        Storage::disk($disk)->assertMissing($photo->thumbnail_path);
+    }
+
+    public function test_guest_cannot_delete_someone_elses_photo(): void
+    {
+        $event = Event::factory()->create([
+            'status' => 'published',
+        ]);
+
+        $token = app(EventJoinTokenService::class)
+            ->createToken($event, ['label' => 'guest'])
+            ->plain_token;
+
+        $photo = Photo::factory()->for($event)->create([
+            'status' => 'approved',
+            'guest_name' => 'device-123',
+            'created_by_device_id' => 'device-123',
+        ]);
+
+        $this->withHeaders(['X-Device-Id' => 'device-999'])
+            ->deleteJson("/api/v1/events/{$token}/photos/{$photo->id}")
+            ->assertForbidden();
+
+        $this->assertDatabaseHas('photos', ['id' => $photo->id]);
+    }
+}