Enforce tenant member permissions

app/Http/Controllers/Api/Tenant/EventController.php

@@ -19,6 +19,7 @@ use App\Models\Tenant;
 use App\Models\User;
 use App\Services\EventJoinTokenService;
 use App\Support\ApiError;
+use App\Support\TenantMemberPermissions;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
@@ -83,6 +84,8 @@ class EventController extends Controller
 
     public function store(EventStoreRequest $request): JsonResponse
     {
+        TenantMemberPermissions::ensureTenantPermission($request, 'events:manage');
+
         $tenant = $request->attributes->get('tenant');
         if (! $tenant instanceof Tenant) {
             $tenantId = $request->attributes->get('tenant_id');
@@ -383,6 +386,8 @@ class EventController extends Controller
             );
         }
 
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'events:manage');
+
         $validated = $request->validated();
 
         if (isset($validated['event_date'])) {
@@ -586,6 +591,8 @@ class EventController extends Controller
             );
         }
 
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'events:manage');
+
         $event->delete();
 
         return response()->json([