Harden tenant admin auth and photo moderation

2026-01-30 14:53:51 +01:00
parent d45cb6a087
commit 916b204688
7 changed files with 220 additions and 11 deletions
--- a/routes/api.php
+++ b/routes/api.php
@@ -322,12 +322,24 @@ Route::prefix('v1')->name('api.v1.')->group(function () {
            Route::prefix('photos')->group(function () {
                Route::get('/', [PhotoController::class, 'index'])->name('tenant.events.photos.index');
                Route::post('/', [PhotoController::class, 'store'])->name('tenant.events.photos.store');
-                Route::get('{photo}', [PhotoController::class, 'show'])->name('tenant.events.photos.show');
-                Route::patch('{photo}', [PhotoController::class, 'update'])->name('tenant.events.photos.update');
-                Route::delete('{photo}', [PhotoController::class, 'destroy'])->name('tenant.events.photos.destroy');
-                Route::post('{photo}/feature', [PhotoController::class, 'feature'])->name('tenant.events.photos.feature');
-                Route::post('{photo}/unfeature', [PhotoController::class, 'unfeature'])->name('tenant.events.photos.unfeature');
-                Route::post('{photo}/visibility', [PhotoController::class, 'visibility'])->name('tenant.events.photos.visibility');
+                Route::get('{photo}', [PhotoController::class, 'show'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.show');
+                Route::patch('{photo}', [PhotoController::class, 'update'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.update');
+                Route::delete('{photo}', [PhotoController::class, 'destroy'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.destroy');
+                Route::post('{photo}/feature', [PhotoController::class, 'feature'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.feature');
+                Route::post('{photo}/unfeature', [PhotoController::class, 'unfeature'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.unfeature');
+                Route::post('{photo}/visibility', [PhotoController::class, 'visibility'])
+                    ->whereNumber('photo')
+                    ->name('tenant.events.photos.visibility');
                Route::post('bulk-approve', [PhotoController::class, 'bulkApprove'])->name('tenant.events.photos.bulk-approve');
                Route::post('bulk-reject', [PhotoController::class, 'bulkReject'])->name('tenant.events.photos.bulk-reject');
                Route::get('moderation', [PhotoController::class, 'forModeration'])->name('tenant.events.photos.for-moderation');