Add event-admin password reset flow

2026-01-06 11:02:09 +01:00
parent 51e8beb46c
commit 54b3fa0d87
17 changed files with 1080 additions and 81 deletions
--- a/app/Http/Controllers/Api/TenantAuth/TenantAdminPasswordResetController.php
+++ b/app/Http/Controllers/Api/TenantAuth/TenantAdminPasswordResetController.php
@@ -0,0 +1,109 @@
+<?php
+
+namespace App\Http\Controllers\Api\TenantAuth;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Auth\TenantAdminForgotPasswordRequest;
+use App\Http\Requests\Auth\TenantAdminResetPasswordRequest;
+use App\Models\EventMember;
+use App\Models\User;
+use Illuminate\Auth\Events\PasswordReset;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+use Illuminate\Support\Str;
+use Illuminate\Validation\ValidationException;
+
+class TenantAdminPasswordResetController extends Controller
+{
+    public function requestLink(TenantAdminForgotPasswordRequest $request): JsonResponse
+    {
+        $email = $request->string('email')->trim()->value();
+
+        $user = User::query()->where('email', $email)->first();
+
+        if (! $user || ! $this->canAccessEventAdmin($user)) {
+            return $this->genericSuccessResponse();
+        }
+
+        Password::sendResetLink([
+            'email' => $email,
+        ]);
+
+        return $this->genericSuccessResponse();
+    }
+
+    public function reset(TenantAdminResetPasswordRequest $request): JsonResponse
+    {
+        $status = Password::reset(
+            $request->only('email', 'password', 'password_confirmation', 'token'),
+            function (User $user) use ($request) {
+                $this->ensureUserCanReset($user);
+
+                $user->forceFill([
+                    'password' => Hash::make($request->string('password')->value()),
+                    'remember_token' => Str::random(60),
+                ])->save();
+
+                event(new PasswordReset($user));
+            }
+        );
+
+        if ($status === Password::PasswordReset) {
+            return response()->json([
+                'status' => __($status),
+            ]);
+        }
+
+        throw ValidationException::withMessages([
+            'email' => [__($status)],
+        ]);
+    }
+
+    private function genericSuccessResponse(): JsonResponse
+    {
+        return response()->json([
+            'status' => __('passwords.sent'),
+        ]);
+    }
+
+    private function ensureUserCanReset(User $user): void
+    {
+        if ($this->canAccessEventAdmin($user)) {
+            return;
+        }
+
+        throw ValidationException::withMessages([
+            'email' => [trans('auth.not_authorized')],
+        ]);
+    }
+
+    private function canAccessEventAdmin(User $user): bool
+    {
+        if (in_array($user->role, ['tenant_admin', 'admin', 'super_admin'], true)) {
+            return true;
+        }
+
+        if ($user->role === 'member' && $this->userHasCollaboratorMembership($user)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    private function userHasCollaboratorMembership(User $user): bool
+    {
+        if (! $user->tenant_id) {
+            return false;
+        }
+
+        return EventMember::query()
+            ->where('tenant_id', $user->tenant_id)
+            ->where(function ($query) use ($user) {
+                $query->where('user_id', $user->id)
+                    ->orWhere('email', $user->email);
+            })
+            ->whereIn('status', ['active', 'invited'])
+            ->exists();
+    }
+}