Enforce tenant member permissions
Some checks failed
linter / quality (push) Has been cancelled
tests / ci (push) Has been cancelled
tests / ui (push) Has been cancelled

Codex Agent
2026-01-16 13:33:36 +01:00
parent df60be826d
commit 7aa0a4c847
22 changed files with 592 additions and 112 deletions


@@ -9,6 +9,7 @@ use App\Models\Event;
use App\Models\EventMember;
use App\Models\Tenant;
use App\Models\User;
use App\Support\TenantMemberPermissions;
use Illuminate\Contracts\Pagination\LengthAwarePaginator;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
@@ -22,6 +23,7 @@ class EventMemberController extends Controller
public function index(Request $request, Event $event): JsonResponse
{
$this->assertEventTenant($request, $event);
TenantMemberPermissions::ensureEventPermission($request, $event, 'members:manage');
/** @var LengthAwarePaginator $members */
$members = $event->members()
@@ -34,6 +36,7 @@ class EventMemberController extends Controller
public function store(EventMemberInviteRequest $request, Event $event): JsonResponse
{
$this->assertEventTenant($request, $event);
TenantMemberPermissions::ensureEventPermission($request, $event, 'members:manage');
$data = $request->validated();
$tenant = $this->resolveTenantFromRequest($request);
@@ -92,6 +95,7 @@ class EventMemberController extends Controller
public function destroy(Request $request, Event $event, EventMember $member): JsonResponse
{
$this->assertEventTenant($request, $event);
TenantMemberPermissions::ensureEventPermission($request, $event, 'members:manage');
if ((int) $member->event_id !== (int) $event->id) {
throw ValidationException::withMessages([