added "members" for an event that help the admins to moderate. members must be invited via email.

2025-11-09 22:24:40 +01:00
parent 082b78cd43
commit 7ec3db9c59
23 changed files with 836 additions and 101 deletions
--- a/app/Http/Controllers/Api/Tenant/TenantAdminTokenController.php
+++ b/app/Http/Controllers/Api/Tenant/TenantAdminTokenController.php
@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Api\Tenant;

 use App\Http\Controllers\Controller;
 use App\Http\Requests\Auth\TenantAdminTokenRequest;
+use App\Models\EventMember;
 use App\Models\Tenant;
 use App\Models\User;
 use Illuminate\Http\JsonResponse;
@@ -33,11 +34,7 @@ class TenantAdminTokenController extends Controller
            ]);
        }

-        if (! in_array($user->role, ['tenant_admin', 'super_admin'], true)) {
-            throw ValidationException::withMessages([
-                'login' => [trans('auth.not_authorized')],
-            ]);
-        }
+        $this->ensureUserCanAccessPanel($user);

        if ($user->email_verified_at === null) {
            throw ValidationException::withMessages([
@@ -162,12 +159,7 @@ class TenantAdminTokenController extends Controller
            return response()->noContent();
        }

-        if (! in_array($user->role, ['tenant_admin', 'super_admin'], true)) {
-            return response()->json([
-                'error' => 'forbidden',
-                'message' => trans('auth.not_authorized'),
-            ], 403);
-        }
+        $this->ensureUserCanAccessPanel($user);

        if ($user->email_verified_at === null) {
            return response()->json([
@@ -197,12 +189,16 @@ class TenantAdminTokenController extends Controller
     */
    private function resolveTokenAbilities(User $user): array
    {
-        $abilities = ['tenant-admin'];
+        $abilities = ['tenant-member'];

        if ($user->tenant_id) {
            $abilities[] = 'tenant:'.$user->tenant_id;
        }

+        if (in_array($user->role, ['tenant_admin', 'admin', 'super_admin'], true)) {
+            $abilities[] = 'tenant-admin';
+        }
+
        if ($user->role === 'super_admin') {
            $abilities[] = 'super-admin';
        }
@@ -222,4 +218,35 @@ class TenantAdminTokenController extends Controller

        return [$token->plainTextToken, $abilities];
    }
+
+    private function ensureUserCanAccessPanel(User $user): void
+    {
+        if (in_array($user->role, ['tenant_admin', 'admin', 'super_admin'], true)) {
+            return;
+        }
+
+        if ($user->role === 'member' && $this->userHasCollaboratorMembership($user)) {
+            return;
+        }
+
+        throw ValidationException::withMessages([
+            'login' => [trans('auth.not_authorized')],
+        ]);
+    }
+
+    private function userHasCollaboratorMembership(User $user): bool
+    {
+        if (! $user->tenant_id) {
+            return false;
+        }
+
+        return EventMember::query()
+            ->where('tenant_id', $user->tenant_id)
+            ->where(function ($query) use ($user) {
+                $query->where('user_id', $user->id)
+                    ->orWhere('email', $user->email);
+            })
+            ->whereIn('status', ['active', 'invited'])
+            ->exists();
+    }
 }