✨ **Add authenticated API endpoints for managing Meetups, Cities, Venues, and Lecturers**

- ➕ Introduced `store`, `update`, `mine`, and `mineShow` endpoints for `Meetups`, `Cities`, `Venues`, and `Lecturers` with validation and authorization.
- 🔒 Added `Policies` for `Meetups`, `Cities`, `Venues`, and `Lecturers` leveraging `ChecksCreatorOwnership` for ownership checks.
- 🌐 Created `Resources` for structured API responses: `MeetupResource`, `CityResource`, `VenueResource`, and `LecturerResource`.
- ✅ Added dedicated `Request` classes for input validation: `Store` and `Update` variants for all models.
- 🛠️ Updated controllers to support new functionalities with localized error messages and proper HTTP responses.

tests/Feature/Api/CityWriteApiTest.php

@@ -0,0 +1,93 @@
+<?php
+
+use App\Models\City;
+use App\Models\Country;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects a guest', function () {
+    $response = $this->postJson('/api/cities', [
+        'name' => 'Ansbach',
+        'country_id' => Country::factory()->create()->id,
+    ]);
+
+    $response->assertUnauthorized();
+});
+
+it('lets an authenticated user create', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $response = $this->postJson('/api/cities', [
+        'name' => 'Ansbach',
+        'country_id' => Country::factory()->create()->id,
+        'longitude' => 10.5806,
+        'latitude' => 49.3034,
+    ]);
+
+    $response->assertCreated();
+
+    $this->assertDatabaseHas('cities', [
+        'name' => 'Ansbach',
+        'created_by' => $user->id,
+    ]);
+});
+
+it('fails validation', function () {
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->postJson('/api/cities', []);
+
+    $response->assertUnprocessable()
+        ->assertJsonValidationErrors(['name', 'country_id']);
+});
+
+it('lets the owner update', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $model = City::factory()->create(['created_by' => $user->id]);
+
+    $response = $this->patchJson("/api/cities/{$model->id}", [
+        'name' => 'Nürnberg',
+    ]);
+
+    $response->assertSuccessful()
+        ->assertJsonPath('data.name', 'Nürnberg');
+});
+
+it('forbids updating someone elses', function () {
+    $owner = User::factory()->create();
+    $model = City::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->patchJson("/api/cities/{$model->id}", [
+        'name' => 'Nürnberg',
+    ]);
+
+    $response->assertForbidden();
+});
+
+it('returns only own in mine index', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    City::factory()->create(['created_by' => $user->id]);
+    City::factory()->create(['created_by' => $user->id]);
+    City::factory()->create(['created_by' => User::factory()->create()->id]);
+
+    $response = $this->getJson('/api/my-cities');
+
+    $response->assertSuccessful();
+
+    expect($response->json('data'))->toHaveCount(2);
+});
+
+it('forbids viewing someone elses in mine show', function () {
+    $owner = User::factory()->create();
+    $model = City::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->getJson("/api/my-cities/{$model->id}");
+
+    $response->assertForbidden();
+});

tests/Feature/Api/LecturerWriteApiTest.php

@@ -0,0 +1,82 @@
+<?php
+
+use App\Models\Lecturer;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects a guest', function () {
+    $this->postJson('/api/lecturers', [
+        'name' => 'Saifedean Ammous',
+    ])->assertUnauthorized();
+});
+
+it('lets an authenticated user create', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $this->postJson('/api/lecturers', [
+        'name' => 'Saifedean Ammous',
+    ])
+        ->assertCreated()
+        ->assertJsonPath('data.name', 'Saifedean Ammous');
+
+    $this->assertDatabaseHas('lecturers', [
+        'name' => 'Saifedean Ammous',
+        'created_by' => $user->id,
+    ]);
+});
+
+it('fails validation', function () {
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->postJson('/api/lecturers', [])
+        ->assertUnprocessable()
+        ->assertJsonValidationErrors(['name']);
+});
+
+it('lets the owner update', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $lecturer = Lecturer::factory()->create(['created_by' => $user->id]);
+
+    $this->patchJson('/api/lecturers/'.$lecturer->id, [
+        'name' => 'Knut Svanholm',
+    ])
+        ->assertSuccessful()
+        ->assertJsonPath('data.name', 'Knut Svanholm');
+});
+
+it('forbids updating someone elses', function () {
+    $owner = User::factory()->create();
+    $lecturer = Lecturer::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->patchJson('/api/lecturers/'.$lecturer->id, [
+        'name' => 'Knut Svanholm',
+    ])->assertForbidden();
+});
+
+it('returns only own in mine index', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $other = User::factory()->create();
+
+    Lecturer::factory()->count(2)->create(['created_by' => $user->id]);
+    Lecturer::factory()->create(['created_by' => $other->id]);
+
+    $response = $this->getJson('/api/my-lecturers');
+
+    $response->assertSuccessful();
+    expect($response->json('data'))->toHaveCount(2);
+    collect($response->json('data'))->each(
+        fn ($lecturer) => expect($lecturer['created_by'])->toBe($user->id)
+    );
+});
+
+it('forbids viewing someone elses in mine show', function () {
+    $owner = User::factory()->create();
+    $lecturer = Lecturer::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->getJson('/api/my-lecturers/'.$lecturer->id)
+        ->assertForbidden();
+});

tests/Feature/Api/MeetupEventWriteApiTest.php

@@ -0,0 +1,88 @@
+<?php
+
+use App\Models\Meetup;
+use App\Models\MeetupEvent;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects a guest', function () {
+    $response = $this->postJson('/api/meetup-events', []);
+
+    $response->assertUnauthorized();
+});
+
+it('lets an authenticated user create', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $response = $this->postJson('/api/meetup-events', [
+        'meetup_id' => Meetup::factory()->create()->id,
+        'start' => '2026-08-01 18:00:00',
+        'location' => 'Marktplatz',
+    ]);
+
+    $response->assertCreated();
+
+    $this->assertDatabaseHas('meetup_events', [
+        'location' => 'Marktplatz',
+        'created_by' => $user->id,
+    ]);
+});
+
+it('fails validation', function () {
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->postJson('/api/meetup-events', []);
+
+    $response->assertUnprocessable()
+        ->assertJsonValidationErrors(['meetup_id', 'start']);
+});
+
+it('lets the owner update', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $model = MeetupEvent::factory()->create(['created_by' => $user->id]);
+
+    $response = $this->patchJson("/api/meetup-events/{$model->id}", [
+        'location' => 'Rathaus',
+    ]);
+
+    $response->assertSuccessful()
+        ->assertJsonPath('data.location', 'Rathaus');
+});
+
+it('forbids updating someone elses', function () {
+    $owner = User::factory()->create();
+    $model = MeetupEvent::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->patchJson("/api/meetup-events/{$model->id}", [
+        'location' => 'Rathaus',
+    ]);
+
+    $response->assertForbidden();
+});
+
+it('returns only own in mine index', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    MeetupEvent::factory()->count(2)->create(['created_by' => $user->id]);
+    MeetupEvent::factory()->create(['created_by' => User::factory()->create()->id]);
+
+    $response = $this->getJson('/api/my-meetup-events');
+
+    $response->assertSuccessful();
+
+    expect($response->json('data'))->toHaveCount(2);
+});
+
+it('forbids viewing someone elses in mine show', function () {
+    $owner = User::factory()->create();
+    $model = MeetupEvent::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $response = $this->getJson("/api/my-meetup-events/{$model->id}");
+
+    $response->assertForbidden();
+});

tests/Feature/Api/MeetupWriteApiTest.php

@@ -0,0 +1,84 @@
+<?php
+
+use App\Models\City;
+use App\Models\Meetup;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects a guest', function () {
+    $this->postJson('/api/meetup', [
+        'name' => 'Einundzwanzig Ansbach',
+        'city_id' => City::factory()->create()->id,
+    ])->assertUnauthorized();
+});
+
+it('lets an authenticated user create', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $this->postJson('/api/meetup', [
+        'name' => 'Einundzwanzig Ansbach',
+        'city_id' => City::factory()->create()->id,
+    ])
+        ->assertCreated()
+        ->assertJsonPath('data.name', 'Einundzwanzig Ansbach');
+
+    $this->assertDatabaseHas('meetups', [
+        'name' => 'Einundzwanzig Ansbach',
+        'created_by' => $user->id,
+    ]);
+});
+
+it('fails validation', function () {
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->postJson('/api/meetup', [])
+        ->assertUnprocessable()
+        ->assertJsonValidationErrors(['name', 'city_id']);
+});
+
+it('lets the owner update', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $meetup = Meetup::factory()->create(['created_by' => $user->id]);
+
+    $this->patchJson('/api/meetup/'.$meetup->id, [
+        'name' => 'Plan B Lugano',
+    ])
+        ->assertSuccessful()
+        ->assertJsonPath('data.name', 'Plan B Lugano');
+});
+
+it('forbids updating someone elses', function () {
+    $owner = User::factory()->create();
+    $meetup = Meetup::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->patchJson('/api/meetup/'.$meetup->id, [
+        'name' => 'Plan B Lugano',
+    ])->assertForbidden();
+});
+
+it('returns only own in mine index', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $other = User::factory()->create();
+
+    Meetup::factory()->count(2)->create(['created_by' => $user->id]);
+    Meetup::factory()->create(['created_by' => $other->id]);
+
+    $response = $this->getJson('/api/my-meetups');
+
+    $response->assertSuccessful();
+    expect($response->json('data'))->toHaveCount(2);
+    collect($response->json('data'))->each(
+        fn ($meetup) => expect($meetup['created_by'])->toBe($user->id)
+    );
+});
+
+it('forbids viewing someone elses in mine show', function () {
+    $owner = User::factory()->create();
+    $meetup = Meetup::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->getJson('/api/my-meetups/'.$meetup->id)->assertForbidden();
+});

tests/Feature/Api/VenueWriteApiTest.php

@@ -0,0 +1,83 @@
+<?php
+
+use App\Models\City;
+use App\Models\User;
+use App\Models\Venue;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects a guest', function () {
+    $this->postJson('/api/venues', [
+        'name' => 'Bitcoin Hub',
+        'city_id' => City::factory()->create()->id,
+    ])->assertUnauthorized();
+});
+
+it('lets an authenticated user create', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+
+    $this->postJson('/api/venues', [
+        'name' => 'Bitcoin Hub',
+        'city_id' => City::factory()->create()->id,
+        'street' => 'Satoshi Street 21',
+    ])->assertCreated();
+
+    $this->assertDatabaseHas('venues', [
+        'name' => 'Bitcoin Hub',
+        'created_by' => $user->id,
+    ]);
+});
+
+it('fails validation', function () {
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->postJson('/api/venues', [])
+        ->assertUnprocessable()
+        ->assertJsonValidationErrors(['name', 'city_id']);
+});
+
+it('lets the owner update', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $model = Venue::factory()->create(['created_by' => $user->id]);
+
+    $this->patchJson('/api/venues/'.$model->id, [
+        'name' => 'Orange Hub',
+    ])
+        ->assertSuccessful()
+        ->assertJsonPath('data.name', 'Orange Hub');
+});
+
+it('forbids updating someone elses', function () {
+    $owner = User::factory()->create();
+    $model = Venue::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->patchJson('/api/venues/'.$model->id, [
+        'name' => 'Orange Hub',
+    ])->assertForbidden();
+});
+
+it('returns only own in mine index', function () {
+    Sanctum::actingAs($user = User::factory()->create());
+    $other = User::factory()->create();
+
+    Venue::factory()->count(2)->create(['created_by' => $user->id]);
+    Venue::factory()->create(['created_by' => $other->id]);
+
+    $response = $this->getJson('/api/my-venues');
+
+    $response->assertSuccessful();
+    expect($response->json('data'))->toHaveCount(2);
+    collect($response->json('data'))->each(
+        fn ($venue) => expect($venue['created_by'])->toBe($user->id)
+    );
+});
+
+it('forbids viewing someone elses in mine show', function () {
+    $owner = User::factory()->create();
+    $model = Venue::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs(User::factory()->create());
+
+    $this->getJson('/api/my-venues/'.$model->id)->assertForbidden();
+});