diff --git a/app/Console/Commands/Database/PromoteExistingLeaders.php b/app/Console/Commands/Database/PromoteExistingLeaders.php new file mode 100644 index 0000000..a0c3793 --- /dev/null +++ b/app/Console/Commands/Database/PromoteExistingLeaders.php @@ -0,0 +1,65 @@ +option('dry-run'); + + $memberRows = DB::table('meetup_user')->where('is_leader', false)->count(); + + $missingCreators = Meetup::query() + ->whereNotNull('created_by') + ->whereDoesntHave('users', function ($query): void { + $query->whereColumn('users.id', 'meetups.created_by'); + }) + ->count(); + + if ($dryRun) { + $this->info("Dry-Run: {$memberRows} Mitglieder würden zu Leadern befördert."); + $this->info("Dry-Run: {$missingCreators} fehlende Ersteller-Mitgliedschaften würden ergänzt (als Leader)."); + + return Command::SUCCESS; + } + + DB::table('meetup_user')->where('is_leader', false)->update(['is_leader' => true]); + + $ensured = 0; + Meetup::query() + ->whereNotNull('created_by') + ->chunkById(200, function ($meetups) use (&$ensured): void { + foreach ($meetups as $meetup) { + $meetup->users()->syncWithoutDetaching([ + $meetup->created_by => ['is_leader' => true], + ]); + $ensured++; + } + }); + + $this->info("{$memberRows} Mitglieder zu Leadern befördert."); + $this->info("Ersteller-Leaderschaft für {$ensured} Meetups sichergestellt."); + + return Command::SUCCESS; + } +} diff --git a/app/Http/Controllers/Api/MeetupLeaderController.php b/app/Http/Controllers/Api/MeetupLeaderController.php new file mode 100644 index 0000000..88f44ee --- /dev/null +++ b/app/Http/Controllers/Api/MeetupLeaderController.php @@ -0,0 +1,98 @@ +json(['data' => $this->leaders($meetup)]); + } + + /** + * Leader einsetzen + * + * Setzt den Nutzer mit dem angegebenen npub als Leader ein. Existiert noch + * kein Account für den npub, wird er angelegt (greift, sobald die Person sich + * erstmals einloggt). Idempotent: ein bereits gesetzter Leader bleibt Leader. + */ + #[Response(status: 403, description: 'Nur ein Leader darf weitere Leader einsetzen.')] + #[Response(status: 422, description: 'Ungültiger npub.')] + public function store(StoreMeetupLeaderRequest $request, Meetup $meetup): JsonResponse + { + $user = NostrLogin::findOrCreateUser($request->string('npub')->toString()); + + $meetup->users()->syncWithoutDetaching([ + $user->getKey() => ['is_leader' => true], + ]); + + return response()->json(['data' => $this->leaders($meetup)], HttpResponse::HTTP_CREATED); + } + + /** + * Leader entziehen + * + * Entzieht dem Nutzer die Leader-Rolle für dieses Meetup (Demote: bleibt + * Mitglied in „Meine Meetups", darf aber nicht mehr bearbeiten). Der + * Ersteller des Meetups kann nie entzogen werden. + */ + #[Response(status: 403, description: 'Nur ein Leader darf entziehen; der Ersteller ist geschützt.')] + public function destroy(Meetup $meetup, User $user): JsonResponse + { + Gate::authorize('manageLeaders', $meetup); + + abort_if($user->getKey() === $meetup->created_by, HttpResponse::HTTP_FORBIDDEN, __('Der Ersteller des Meetups kann nicht entzogen werden.')); + + $meetup->users()->updateExistingPivot($user->getKey(), ['is_leader' => false]); + + return response()->json(['data' => $this->leaders($meetup)]); + } + + /** + * Leader-Liste als flaches Array (Ersteller zuerst). + * + * @return array> + */ + private function leaders(Meetup $meetup): array + { + return $meetup->users() + ->wherePivot('is_leader', true) + ->get() + ->map(fn (User $user): array => [ + 'id' => $user->getKey(), + 'name' => $user->name, + 'nostr' => $user->nostr, + 'avatar' => $user->profile_photo_url, + 'is_creator' => $user->getKey() === $meetup->created_by, + ]) + ->sortByDesc('is_creator') + ->values() + ->all(); + } +} diff --git a/app/Http/Controllers/Api/UserController.php b/app/Http/Controllers/Api/UserController.php index 200e13b..21cd45f 100644 --- a/app/Http/Controllers/Api/UserController.php +++ b/app/Http/Controllers/Api/UserController.php @@ -51,7 +51,9 @@ class UserController extends Controller 'email' => $user->email, 'nostr' => $user->nostr, 'is_lecturer' => (bool) $user->is_lecturer, - 'is_leader' => (bool) $user->is_leader, + // Leader-Rolle ist pro Meetup (meetup_user.is_leader); global = ist + // der Nutzer Leader IRGENDEINES Meetups. Treibt das Rollen-Badge. + 'is_leader' => $user->meetups()->wherePivot('is_leader', true)->exists(), 'avatar' => $user->profile_photo_url, ]; } diff --git a/app/Http/Requests/Api/StoreMeetupEventRequest.php b/app/Http/Requests/Api/StoreMeetupEventRequest.php index 8faa6f7..3b50a08 100644 --- a/app/Http/Requests/Api/StoreMeetupEventRequest.php +++ b/app/Http/Requests/Api/StoreMeetupEventRequest.php @@ -3,15 +3,23 @@ namespace App\Http\Requests\Api; use App\Enums\RecurrenceType; -use App\Models\MeetupEvent; +use App\Models\Meetup; use Illuminate\Foundation\Http\FormRequest; use Illuminate\Validation\Rule; class StoreMeetupEventRequest extends FormRequest { + /** + * Termine darf nur anlegen, wer das zugehörige Meetup bearbeiten darf + * (Ersteller/Leader/Super-Admin) — dieselbe Berechtigung wie die + * Stammdaten. Existenz/Pflicht von meetup_id prüft rules() (422); ist ein + * gültiges Meetup angegeben, muss der Nutzer dafür berechtigt sein. + */ public function authorize(): bool { - return $this->user()->can('create', MeetupEvent::class); + $meetup = Meetup::find($this->input('meetup_id')); + + return $meetup === null || $this->user()->can('update', $meetup); } /** diff --git a/app/Http/Requests/Api/StoreMeetupLeaderRequest.php b/app/Http/Requests/Api/StoreMeetupLeaderRequest.php new file mode 100644 index 0000000..ab4342b --- /dev/null +++ b/app/Http/Requests/Api/StoreMeetupLeaderRequest.php @@ -0,0 +1,41 @@ +user()->can('manageLeaders', $this->route('meetup')); + } + + /** + * @return array> + */ + public function rules(): array + { + return [ + 'npub' => [ + 'required', + 'string', + 'starts_with:npub1', + function (string $attribute, mixed $value, Closure $fail): void { + try { + (new NostrKey)->convertToHex((string) $value); + } catch (\Throwable) { + $fail(__('Das ist kein gültiger npub.')); + } + }, + ], + ]; + } +} diff --git a/app/Http/Requests/Api/UpdateMeetupEventRequest.php b/app/Http/Requests/Api/UpdateMeetupEventRequest.php index 7133fa0..46cd76f 100644 --- a/app/Http/Requests/Api/UpdateMeetupEventRequest.php +++ b/app/Http/Requests/Api/UpdateMeetupEventRequest.php @@ -3,14 +3,27 @@ namespace App\Http\Requests\Api; use App\Enums\RecurrenceType; +use App\Models\Meetup; use Illuminate\Foundation\Http\FormRequest; use Illuminate\Validation\Rule; class UpdateMeetupEventRequest extends FormRequest { + /** + * Bearbeiten darf der Ersteller des Termins oder ein Leader des Meetups + * (siehe MeetupEventPolicy::update). Ein Verschieben in ein anderes Meetup + * (geändertes meetup_id) ist nur erlaubt, wenn der Nutzer auch dieses + * Ziel-Meetup führt. + */ public function authorize(): bool { - return $this->user()->can('update', $this->route('meetupEvent')); + if (! $this->user()->can('update', $this->route('meetupEvent'))) { + return false; + } + + $target = $this->filled('meetup_id') ? Meetup::find($this->input('meetup_id')) : null; + + return $target === null || $this->user()->can('update', $target); } /** diff --git a/app/Http/Resources/MeetupResource.php b/app/Http/Resources/MeetupResource.php index a9515f2..130fb58 100644 --- a/app/Http/Resources/MeetupResource.php +++ b/app/Http/Resources/MeetupResource.php @@ -32,6 +32,10 @@ class MeetupResource extends JsonResource 'community' => $this->community, 'visible_on_map' => $this->visible_on_map, 'is_active' => $this->is_active, + // Nur gesetzt, wenn die meetup_user-Pivot geladen ist (z. B. via + // /api/my-meetups). Sagt der App, ob der Token-Inhaber Leader dieses + // Meetups ist (darf bearbeiten + Leader verwalten). + 'is_leader' => $this->whenPivotLoaded('meetup_user', fn (): bool => (bool) $this->pivot->is_leader), 'logo' => $this->getFirstMediaUrl('logo', 'thumb'), 'last_event_at' => $this->last_event_at, 'created_by' => $this->created_by, diff --git a/app/Mcp/Tools/MeetupEvent/CreateMeetupEventTool.php b/app/Mcp/Tools/MeetupEvent/CreateMeetupEventTool.php index 3a4b928..7756188 100644 --- a/app/Mcp/Tools/MeetupEvent/CreateMeetupEventTool.php +++ b/app/Mcp/Tools/MeetupEvent/CreateMeetupEventTool.php @@ -30,7 +30,7 @@ class CreateMeetupEventTool extends Tool if (! $this->present($request->get('meetup_id'))) { $meetup = $this->resolveInScope( - Meetup::query()->associatedWith($user->getAuthIdentifier()), + Meetup::query()->ledBy($user->getAuthIdentifier()), $request, 'Meetups', 'meetup', @@ -43,6 +43,15 @@ class CreateMeetupEventTool extends Tool $request->merge(['meetup_id' => $meetup->id]); } + // Nur Leader/Ersteller des Ziel-Meetups dürfen Termine anlegen (gleiche + // Berechtigung wie die Stammdaten). Greift auch, wenn meetup_id direkt + // übergeben wurde und damit den ledBy-Scope oben umgeht. + $targetMeetup = Meetup::find($request->get('meetup_id')); + + if ($targetMeetup === null || Gate::forUser($user)->denies('update', $targetMeetup)) { + return Response::error('Nur Leader oder der Ersteller dürfen Termine für dieses Meetup anlegen.'); + } + $storeRequest = new StoreMeetupEventRequest; $validated = $request->validate( diff --git a/app/Mcp/Tools/MeetupEvent/UpdateMeetupEventTool.php b/app/Mcp/Tools/MeetupEvent/UpdateMeetupEventTool.php index c0fe717..13793c6 100644 --- a/app/Mcp/Tools/MeetupEvent/UpdateMeetupEventTool.php +++ b/app/Mcp/Tools/MeetupEvent/UpdateMeetupEventTool.php @@ -15,7 +15,7 @@ use Laravel\Mcp\Response; use Laravel\Mcp\Server\Attributes\Description; use Laravel\Mcp\Server\Tool; -#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller oder ein Super-Admin darf ihn ändern.')] +#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller des Termins, ein Leader des zugehörigen Meetups oder ein Super-Admin darf ihn ändern.')] class UpdateMeetupEventTool extends Tool { use ResolvesEntities; @@ -31,10 +31,10 @@ class UpdateMeetupEventTool extends Tool $user = $request->user(); if ($user === null || Gate::forUser($user)->denies('update', $meetupEvent)) { - return Response::error('Nur der Ersteller oder ein Super-Admin darf diesen Meetup-Termin ändern.'); + return Response::error('Nur der Ersteller des Termins, ein Leader des Meetups oder ein Super-Admin darf diesen Meetup-Termin ändern.'); } - if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->where('created_by', $user->getAuthIdentifier()), 'Meetups', false)) { + if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->ledBy($user->getAuthIdentifier()), 'Meetups', false)) { return $error; } diff --git a/app/Models/Meetup.php b/app/Models/Meetup.php index b93e247..78148a2 100644 --- a/app/Models/Meetup.php +++ b/app/Models/Meetup.php @@ -185,6 +185,19 @@ class Meetup extends Model implements HasMedia return $this->users()->whereKey($user->id)->exists(); } + /** + * Ist der Nutzer Leader dieses Meetups (meetup_user.is_leader = true)? + * Nur Leader (und der Ersteller/Super-Admin) dürfen Stammdaten bearbeiten + * und weitere Leader einsetzen/entziehen. + */ + public function isLeader(User $user): bool + { + return $this->users() + ->whereKey($user->id) + ->wherePivot('is_leader', true) + ->exists(); + } + /** * Den Nutzer als Mitglied (nicht Leader) zu „Meine Meetups" hinzufügen. * Idempotent: ein bereits hinzugefügter Nutzer bleibt unverändert. Gibt @@ -233,6 +246,32 @@ class Meetup extends Model implements HasMedia }); } + /** + * Meetups, die der Nutzer als Leader führt (meetup_user.is_leader = true). + * Maßgeblich dafür, wer Stammdaten UND Termine bearbeiten darf. + */ + public function scopeLedBy(Builder $query, int $userId): void + { + $query->whereHas('users', fn (Builder $user) => $user->whereKey($userId)->wherePivot('is_leader', true)); + } + + /** + * Führt der eingeloggte Nutzer dieses Meetup als Leader? Steuert die + * Sichtbarkeit der Bearbeiten-/Termin-Affordances im Portal-Frontend + * (Gegenstück zu {@see belongsToMe()}, aber leader- statt mitgliedschafts- + * basiert). + */ + protected function leadByMe(): Attribute + { + return Attribute::make( + get: fn (): bool => auth()->check() && DB::table('meetup_user') + ->where('meetup_id', $this->id) + ->where('user_id', auth()->id()) + ->where('is_leader', true) + ->exists() + ); + } + public function city(): BelongsTo { return $this->belongsTo(City::class); diff --git a/app/Models/User.php b/app/Models/User.php index cb79c79..160e472 100644 --- a/app/Models/User.php +++ b/app/Models/User.php @@ -105,7 +105,7 @@ class User extends Authenticatable implements CipherSweetEncrypted public function meetups() { - return $this->belongsToMany(Meetup::class); + return $this->belongsToMany(Meetup::class)->withPivot('is_leader'); } public function reputations() diff --git a/app/Policies/MeetupEventPolicy.php b/app/Policies/MeetupEventPolicy.php index 21989a2..6240691 100644 --- a/app/Policies/MeetupEventPolicy.php +++ b/app/Policies/MeetupEventPolicy.php @@ -25,8 +25,23 @@ class MeetupEventPolicy return true; } + /** + * Termin bearbeiten: der Ersteller des Termins ODER ein Leader des + * zugehörigen Meetups (bzw. Super-Admin). Damit dürfen Meetup-Leader die + * Termine ihres Meetups pflegen, auch wenn sie sie nicht selbst angelegt + * haben — analog zur Stammdaten-Bearbeitung (MeetupPolicy::update). + */ public function update(User $user, MeetupEvent $meetupEvent): bool { - return $this->owns($user, $meetupEvent); + return $this->owns($user, $meetupEvent) + || ($meetupEvent->meetup !== null && $meetupEvent->meetup->isLeader($user)); + } + + /** + * Termin löschen: gleiche Regel wie das Bearbeiten. + */ + public function delete(User $user, MeetupEvent $meetupEvent): bool + { + return $this->update($user, $meetupEvent); } } diff --git a/app/Policies/MeetupPolicy.php b/app/Policies/MeetupPolicy.php index 96ef3a9..1343b53 100644 --- a/app/Policies/MeetupPolicy.php +++ b/app/Policies/MeetupPolicy.php @@ -58,20 +58,26 @@ class MeetupPolicy return true; } + /** + * Stammdaten bearbeiten: der Ersteller (bzw. Super-Admin) ODER ein + * delegierter Leader (meetup_user.is_leader = true). Die bloße + * „Meine Meetups"-Mitgliedschaft (is_leader = false) berechtigt NICHT + * mehr zum Bearbeiten — Leader werden über manageLeaders() vergeben. + * Gilt einheitlich für REST-API, MCP und Portal-Frontend. + */ public function update(User $user, Meetup $meetup): bool { - return $this->owns($user, $meetup); + return $this->owns($user, $meetup) || $meetup->isLeader($user); } /** - * Gelockerte Update-Regel ausschließlich für das Portal-Frontend (Livewire): - * Neben dem Ersteller darf auch jedes Mitglied der meetup_user-Pivot - * („Meine Meetups" im Dashboard) die Stammdaten bearbeiten. REST-API und - * MCP nutzen weiterhin die strikte update()-Ability. Übergangslösung, bis - * ein echtes Rollen-/Freigabekonzept existiert. + * Weitere Leader einsetzen/entziehen: nur ein bestehender Leader bzw. der + * Ersteller/Super-Admin. Delegation ist damit selbsttragend — jeder Leader + * kann neue Leader benennen (der Ersteller selbst kann nie entzogen werden, + * das erzwingt der Controller). */ - public function updateViaPortal(User $user, Meetup $meetup): bool + public function manageLeaders(User $user, Meetup $meetup): bool { - return $this->owns($user, $meetup) || $meetup->hasMember($user); + return $this->owns($user, $meetup) || $meetup->isLeader($user); } } diff --git a/resources/views/livewire/dashboard.blade.php b/resources/views/livewire/dashboard.blade.php index 0a5f0ff..cce598f 100644 --- a/resources/views/livewire/dashboard.blade.php +++ b/resources/views/livewire/dashboard.blade.php @@ -179,15 +179,20 @@ class extends Component {
- - {{ __('Neues Event erstellen') }} - - - {{ __('Bearbeiten') }} - + {{-- Termine & Stammdaten nur für Leader dieses Meetups + (meetup_user.is_leader); Mitglieder ohne Leaderschaft + können das Meetup nur aus „Meine“ entfernen. --}} + @if($meetup->pivot->is_leader) + + {{ __('Neues Event erstellen') }} + + + {{ __('Bearbeiten') }} + + @endif diff --git a/resources/views/livewire/meetups/create-edit-events.blade.php b/resources/views/livewire/meetups/create-edit-events.blade.php index 4098d5a..1fd5663 100644 --- a/resources/views/livewire/meetups/create-edit-events.blade.php +++ b/resources/views/livewire/meetups/create-edit-events.blade.php @@ -44,7 +44,11 @@ class extends Component { // Ensure timezone is always set - use fallback if not initialized yet $timezone = $this->userTimezone ?: (auth()->user()->timezone ?? 'Europe/Berlin'); $startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone); - $endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone); + // Enddatum kommt aus einem reinen Datums-Picker: bis zum Ende des + // gewählten Tages (inklusiv). endOfDay() macht das deterministisch — + // createFromFormat('Y-m-d', …) würde sonst die AKTUELLE Uhrzeit + // einsetzen und das letzte Vorkommen je nach Laufzeit ein-/ausschließen. + $endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone)->endOfDay(); return array_map(fn (\Carbon\Carbon $date): array => [ 'date' => $date, @@ -97,8 +101,21 @@ class extends Component { #[Validate('required|url|max:255')] public ?string $link = null; + /** + * Termine darf nur verwalten, wer das zugehörige Meetup bearbeiten darf + * (Ersteller/Leader/Super-Admin) — dieselbe update-Ability wie die + * Stammdaten. Spiegelt meetups.edit::authorizeAccess(). + */ + protected function authorizeManage(): void + { + if (auth()->guest() || auth()->user()->cannot('update', $this->meetup)) { + abort(403); + } + } + public function mount(): void { + $this->authorizeManage(); $this->country = request()->route('country', config('app.domain_country')); $this->userTimezone = auth()->user()->timezone ?? 'Europe/Berlin'; $timezone = $this->userTimezone; @@ -130,6 +147,8 @@ class extends Component { public function save(): void { + $this->authorizeManage(); + $validationRules = [ 'startDate' => 'required|date', 'startTime' => 'required', @@ -191,7 +210,9 @@ class extends Component { private function createEventSeries(string $timezone): void { $startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone); - $endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone); + // Inklusiv bis zum Ende des gewählten Tages, deterministisch (siehe + // getPreviewDatesProperty) — Vorschau und Anlegen erzeugen so dieselbe Liste. + $endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone)->endOfDay(); $eventsCreated = 0; diff --git a/resources/views/livewire/meetups/edit.blade.php b/resources/views/livewire/meetups/edit.blade.php index e417b71..6d24bcf 100644 --- a/resources/views/livewire/meetups/edit.blade.php +++ b/resources/views/livewire/meetups/edit.blade.php @@ -85,15 +85,13 @@ class extends Component { } /** - * Portal-Frontend nutzt die gelockerte updateViaPortal-Ability: Ersteller, - * Super-Admins UND Mitglieder der meetup_user-Pivot („Meine Meetups") dürfen - * die Stammdaten bearbeiten. REST-API und MCP-Tools bleiben auf der strikten - * update()-Ability (nur Ersteller/Super-Admin). Übergangslösung, bis ein - * echtes Rollen-/Freigabekonzept existiert. + * Stammdaten bearbeiten dürfen der Ersteller, Super-Admins UND delegierte + * Leader (meetup_user.is_leader). Einheitliche update-Ability für Portal- + * Frontend, REST-API und MCP-Tools (MeetupPolicy::update). */ protected function authorizeAccess(): void { - if (auth()->guest() || auth()->user()->cannot('updateViaPortal', $this->meetup)) { + if (auth()->guest() || auth()->user()->cannot('update', $this->meetup)) { abort(403); } } diff --git a/resources/views/livewire/meetups/index.blade.php b/resources/views/livewire/meetups/index.blade.php index a974bb3..7ce06e7 100644 --- a/resources/views/livewire/meetups/index.blade.php +++ b/resources/views/livewire/meetups/index.blade.php @@ -185,11 +185,10 @@ class extends Component {
- @if(auth()->check() && $meetup->belongsToMe) + @if(auth()->check() && $meetup->leadByMe)
{{ __('Bearbeiten') }} diff --git a/resources/views/livewire/meetups/landingpage.blade.php b/resources/views/livewire/meetups/landingpage.blade.php index 4f53f79..5216c49 100644 --- a/resources/views/livewire/meetups/landingpage.blade.php +++ b/resources/views/livewire/meetups/landingpage.blade.php @@ -23,7 +23,7 @@ class extends Component { public function deleteEvent(MeetupEvent $event): void { - if ($this->meetup->belongsToMe) { + if ($this->meetup->leadByMe) { $event->delete(); $this->dispatch('event-deleted'); Flux::modals()->close(); @@ -231,7 +231,7 @@ class extends Component {
{{ __('Kommende Veranstaltungen') }} - @if(auth()->user() && auth()->user()->meetups()->find($meetup->id)?->exists) + @if($meetup->leadByMe) {{ __('Neues Event erstellen') }} @@ -281,7 +281,7 @@ class extends Component { > {{ __('Öffnen/RSVP') }} - @if($meetup->belongsToMe) + @if($meetup->leadByMe)
- @if(auth()->user() && auth()->user()->meetups()->find($meetup->id)?->exists) + @if($meetup->leadByMe) {{ __('Neues Event erstellen') }} diff --git a/routes/api.php b/routes/api.php index d872455..90736d4 100644 --- a/routes/api.php +++ b/routes/api.php @@ -8,6 +8,7 @@ use App\Http\Controllers\Api\CourseEventController; use App\Http\Controllers\Api\LecturerController; use App\Http\Controllers\Api\MeetupController; use App\Http\Controllers\Api\MeetupEventController; +use App\Http\Controllers\Api\MeetupLeaderController; use App\Http\Controllers\Api\MeetupMapController; use App\Http\Controllers\Api\NostrPlebController; use App\Http\Controllers\Api\UserController; @@ -82,6 +83,12 @@ Route::middleware('auth:sanctum') Route::delete('my-meetups/{meetup:slug}', [MeetupController::class, 'removeFromMine'])->name('meetup.mine.remove'); Route::get('my-meetups/{meetup}', [MeetupController::class, 'mineShow'])->name('meetup.mine.show'); + // Leader-Delegation: bestehende Leader setzen weitere Leader per npub + // ein bzw. entziehen sie (meetup_user.is_leader). Siehe MeetupPolicy. + Route::get('meetup/{meetup}/leaders', [MeetupLeaderController::class, 'index'])->name('meetup.leaders.index'); + Route::post('meetup/{meetup}/leaders', [MeetupLeaderController::class, 'store'])->name('meetup.leaders.store'); + Route::delete('meetup/{meetup}/leaders/{user}', [MeetupLeaderController::class, 'destroy'])->name('meetup.leaders.destroy'); + Route::post('meetup-events', [MeetupEventController::class, 'store'])->name('meetup-events.store'); Route::patch('meetup-events/{meetupEvent}', [MeetupEventController::class, 'update'])->name('meetup-events.update'); Route::get('my-meetup-events', [MeetupEventController::class, 'mine'])->name('meetup-events.mine'); diff --git a/tests/Feature/Api/MeetupEventSeriesTest.php b/tests/Feature/Api/MeetupEventSeriesTest.php index abbfe0e..f026ffa 100644 --- a/tests/Feature/Api/MeetupEventSeriesTest.php +++ b/tests/Feature/Api/MeetupEventSeriesTest.php @@ -7,7 +7,7 @@ use Laravel\Sanctum\Sanctum; it('creates a weekly series of individual events', function () { Sanctum::actingAs($user = User::factory()->create()); - $meetup = Meetup::factory()->create(); + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ 'meetup_id' => $meetup->id, @@ -32,8 +32,8 @@ it('creates a weekly series of individual events', function () { }); it('creates a monthly series of individual events', function () { - Sanctum::actingAs(User::factory()->create()); - $meetup = Meetup::factory()->create(); + Sanctum::actingAs($user = User::factory()->create()); + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ 'meetup_id' => $meetup->id, @@ -48,8 +48,8 @@ it('creates a monthly series of individual events', function () { }); it('caps the series at 100 occurrences', function () { - Sanctum::actingAs(User::factory()->create()); - $meetup = Meetup::factory()->create(); + Sanctum::actingAs($user = User::factory()->create()); + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ 'meetup_id' => $meetup->id, @@ -63,8 +63,8 @@ it('caps the series at 100 occurrences', function () { }); it('still creates a single event without recurrence fields', function () { - Sanctum::actingAs(User::factory()->create()); - $meetup = Meetup::factory()->create(); + Sanctum::actingAs($user = User::factory()->create()); + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ 'meetup_id' => $meetup->id, @@ -78,8 +78,8 @@ it('still creates a single event without recurrence fields', function () { }); it('creates a single event when recurrence_type is set but no end date', function () { - Sanctum::actingAs(User::factory()->create()); - $meetup = Meetup::factory()->create(); + Sanctum::actingAs($user = User::factory()->create()); + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ 'meetup_id' => $meetup->id, diff --git a/tests/Feature/Api/MeetupEventWriteApiTest.php b/tests/Feature/Api/MeetupEventWriteApiTest.php index e09ea6e..8086776 100644 --- a/tests/Feature/Api/MeetupEventWriteApiTest.php +++ b/tests/Feature/Api/MeetupEventWriteApiTest.php @@ -11,11 +11,13 @@ it('rejects a guest', function () { $response->assertUnauthorized(); }); -it('lets an authenticated user create', function () { +it('lets a leader of the meetup create an event', function () { Sanctum::actingAs($user = User::factory()->create()); + // Ersteller wird per booted-Hook automatisch Leader des Meetups. + $meetup = Meetup::factory()->create(['created_by' => $user->id]); $response = $this->postJson('/api/meetup-events', [ - 'meetup_id' => Meetup::factory()->create()->id, + 'meetup_id' => $meetup->id, 'start' => '2026-08-01 18:00:00', 'location' => 'Marktplatz', ]); @@ -28,6 +30,47 @@ it('lets an authenticated user create', function () { ]); }); +it('lets a delegated leader create an event for the meetup', function () { + $meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]); + $leader = User::factory()->create(); + $meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]); + + Sanctum::actingAs($leader); + $this->postJson('/api/meetup-events', [ + 'meetup_id' => $meetup->id, + 'start' => '2026-08-01 18:00:00', + 'location' => 'Marktplatz', + ])->assertCreated(); +}); + +it('forbids creating an event for a meetup the user does not lead', function () { + $meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]); + $member = User::factory()->create(); + $meetup->addMember($member); // is_leader = false + + Sanctum::actingAs($member); + $this->postJson('/api/meetup-events', [ + 'meetup_id' => $meetup->id, + 'start' => '2026-08-01 18:00:00', + 'location' => 'Marktplatz', + ])->assertForbidden(); +}); + +it('lets a meetup leader edit an event created by someone else', function () { + $meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]); + $leader = User::factory()->create(); + $meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]); + $event = MeetupEvent::factory()->create([ + 'meetup_id' => $meetup->id, + 'created_by' => User::factory()->create()->id, + ]); + + Sanctum::actingAs($leader); + $this->patchJson("/api/meetup-events/{$event->id}", ['location' => 'Rathaus']) + ->assertSuccessful() + ->assertJsonPath('data.location', 'Rathaus'); +}); + it('fails validation', function () { Sanctum::actingAs(User::factory()->create()); diff --git a/tests/Feature/Api/MeetupLeaderApiTest.php b/tests/Feature/Api/MeetupLeaderApiTest.php new file mode 100644 index 0000000..e9c938c --- /dev/null +++ b/tests/Feature/Api/MeetupLeaderApiTest.php @@ -0,0 +1,158 @@ +create(['code' => 'de']); + $this->city = City::factory()->create(['country_id' => $country->id]); + $this->creator = User::factory()->create(); + // Der created-Hook trägt den Ersteller automatisch als Leader ein. + $this->meetup = Meetup::factory()->create([ + 'city_id' => $this->city->id, + 'created_by' => $this->creator->id, + ]); +}); + +/** Deterministischer, gültiger npub aus einem 64-stelligen Hex-Pubkey. */ +function npubFromHex(string $hex): string +{ + return (new NostrKey)->convertPublicKeyToBech32($hex); +} + +it('rejects a guest listing leaders', function () { + $this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertUnauthorized(); +}); + +it('lists the creator as a protected leader', function () { + Sanctum::actingAs($this->creator); + + $this->getJson("/api/meetup/{$this->meetup->id}/leaders") + ->assertSuccessful() + ->assertJsonPath('data.0.id', $this->creator->id) + ->assertJsonPath('data.0.is_creator', true); +}); + +it('forbids a plain member from managing leaders', function () { + $member = User::factory()->create(); + $this->meetup->addMember($member); // is_leader = false + + Sanctum::actingAs($member); + + $this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertForbidden(); + $this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('1', 64, '0'))]) + ->assertForbidden(); +}); + +it('lets a leader appoint a new leader by npub, creating the account', function () { + Sanctum::actingAs($this->creator); + $npub = npubFromHex(str_pad('a', 64, 'a')); + + $this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub]) + ->assertCreated(); + + $newUser = User::where('nostr', $npub)->firstOrFail(); + + $this->assertDatabaseHas('meetup_user', [ + 'meetup_id' => $this->meetup->id, + 'user_id' => $newUser->id, + 'is_leader' => true, + ]); +}); + +it('promotes an existing member instead of duplicating', function () { + $npub = npubFromHex(str_pad('b', 64, 'b')); + $existing = User::factory()->create(['nostr' => $npub]); + $this->meetup->addMember($existing); // is_leader = false + + Sanctum::actingAs($this->creator); + $this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub]) + ->assertCreated(); + + expect($this->meetup->users()->whereKey($existing->id)->count())->toBe(1); + $this->assertDatabaseHas('meetup_user', [ + 'meetup_id' => $this->meetup->id, + 'user_id' => $existing->id, + 'is_leader' => true, + ]); +}); + +it('rejects an invalid npub', function () { + Sanctum::actingAs($this->creator); + + $this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => 'not-an-npub']) + ->assertUnprocessable() + ->assertJsonValidationErrors(['npub']); +}); + +it('lets a delegated leader appoint further leaders', function () { + // Ersteller befördert ein Mitglied zum Leader … + $delegate = User::factory()->create(); + $this->meetup->users()->syncWithoutDetaching([$delegate->id => ['is_leader' => true]]); + + // … der dann selbst weitere Leader einsetzen darf. + Sanctum::actingAs($delegate); + $this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('c', 64, 'c'))]) + ->assertCreated(); +}); + +it('demotes a leader but keeps the membership', function () { + $leader = User::factory()->create(); + $this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]); + + Sanctum::actingAs($this->creator); + $this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$leader->id}") + ->assertSuccessful(); + + $this->assertDatabaseHas('meetup_user', [ + 'meetup_id' => $this->meetup->id, + 'user_id' => $leader->id, + 'is_leader' => false, + ]); +}); + +it('never lets the creator be demoted', function () { + $leader = User::factory()->create(); + $this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]); + + Sanctum::actingAs($leader); + $this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$this->creator->id}") + ->assertForbidden(); + + $this->assertDatabaseHas('meetup_user', [ + 'meetup_id' => $this->meetup->id, + 'user_id' => $this->creator->id, + 'is_leader' => true, + ]); +}); + +it('lets a delegated leader edit the meetup master data', function () { + $leader = User::factory()->create(); + $this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]); + + Sanctum::actingAs($leader); + $this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Renamed by leader']) + ->assertSuccessful() + ->assertJsonPath('data.name', 'Renamed by leader'); +}); + +it('forbids a plain member from editing the meetup master data', function () { + $member = User::factory()->create(); + $this->meetup->addMember($member); // is_leader = false + + Sanctum::actingAs($member); + $this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Hacked']) + ->assertForbidden(); +}); + +it('exposes is_leader on the my-meetups listing', function () { + Sanctum::actingAs($this->creator); + + $this->getJson('/api/my-meetups') + ->assertSuccessful() + ->assertJsonPath('data.0.is_leader', true); +}); diff --git a/tests/Feature/Console/PromoteExistingLeadersTest.php b/tests/Feature/Console/PromoteExistingLeadersTest.php new file mode 100644 index 0000000..86d577e --- /dev/null +++ b/tests/Feature/Console/PromoteExistingLeadersTest.php @@ -0,0 +1,46 @@ +create(['code' => 'de']); + $this->city = City::factory()->create(['country_id' => $country->id]); +}); + +it('promotes all existing members to leaders', function () { + $meetup = Meetup::factory()->create(['city_id' => $this->city->id]); + $member = User::factory()->create(); + $meetup->addMember($member); // is_leader = false + + expect($meetup->isLeader($member))->toBeFalse(); + + $this->artisan('meetups:promote-existing-leaders')->assertSuccessful(); + + expect($meetup->fresh()->isLeader($member))->toBeTrue(); +}); + +it('ensures the creator is a leader even for legacy meetups without a pivot row', function () { + $creator = User::factory()->create(); + $meetup = Meetup::factory()->create(['city_id' => $this->city->id, 'created_by' => $creator->id]); + // Alt-Meetup simulieren: Ersteller-Pivot entfernen. + $meetup->users()->detach(); + expect($meetup->hasMember($creator))->toBeFalse(); + + $this->artisan('meetups:promote-existing-leaders')->assertSuccessful(); + + expect($meetup->fresh()->isLeader($creator))->toBeTrue(); +}); + +it('does not write on a dry run', function () { + $meetup = Meetup::factory()->create(['city_id' => $this->city->id]); + $member = User::factory()->create(); + $meetup->addMember($member); + + $this->artisan('meetups:promote-existing-leaders --dry-run')->assertSuccessful(); + + expect(DB::table('meetup_user')->where('user_id', $member->id)->value('is_leader'))->toBe(0); +}); diff --git a/tests/Feature/Meetups/CreateMeetupEventSeriesTest.php b/tests/Feature/Meetups/CreateMeetupEventSeriesTest.php index 354ccfe..77c853f 100644 --- a/tests/Feature/Meetups/CreateMeetupEventSeriesTest.php +++ b/tests/Feature/Meetups/CreateMeetupEventSeriesTest.php @@ -6,8 +6,8 @@ use App\Models\MeetupEvent; use Livewire\Livewire; it('creates a weekly series via the web editor using the shared action', function () { - actingAsUser(); - $meetup = Meetup::factory()->create(); + // Termin-Verwaltung erfordert Leaderschaft; Ersteller ist per Hook Leader. + $meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]); Livewire::test('meetups.create-edit-events', ['meetup' => $meetup]) ->set('seriesMode', true) @@ -22,15 +22,15 @@ it('creates a weekly series via the web editor using the shared action', functio ->assertHasNoErrors() ->assertRedirect(); - // The web editor parses the end date at midnight, so the occurrence on the end - // date's evening falls outside the range: 2026-07-01, 07-08, 07-15, 07-22 = 4. - // The shared action yields the identical result for the same inputs. - expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(4); + // Das Enddatum aus dem Datums-Picker gilt inklusiv bis zum Tagesende + // (endOfDay), daher ist das Vorkommen am Enddatum-Abend dabei: + // 2026-07-01, 07-08, 07-15, 07-22, 07-29 = 5. Deterministisch, unabhängig + // von der Laufzeit-Uhrzeit. + expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(5); }); it('previews the same dates it will create', function () { - actingAsUser(); - $meetup = Meetup::factory()->create(); + $meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]); Livewire::test('meetups.create-edit-events', ['meetup' => $meetup]) ->set('seriesMode', true) @@ -38,5 +38,5 @@ it('previews the same dates it will create', function () { ->set('startTime', '18:00') ->set('endDate', '2026-07-29') ->set('recurrenceType', RecurrenceType::Weekly->value) - ->assertSet('previewDates', fn ($dates) => count($dates) === 4); + ->assertSet('previewDates', fn ($dates) => count($dates) === 5); }); diff --git a/tests/Feature/Meetups/EditMeetupTest.php b/tests/Feature/Meetups/EditMeetupTest.php index 3bef10f..448dc82 100644 --- a/tests/Feature/Meetups/EditMeetupTest.php +++ b/tests/Feature/Meetups/EditMeetupTest.php @@ -63,23 +63,38 @@ it('allows update when name is unchanged (Rule::unique ignores own id)', functio ->assertHasNoErrors(); }); -it('allows updateMeetup for a member of the meetup_user pivot who is not the creator', function () { +it('allows updateMeetup for a delegated leader who is not the creator', function () { + $leader = actingAsUser(); + $meetup = Meetup::factory()->create([ + 'city_id' => $this->city->id, + 'name' => 'Original Name', + 'created_by' => User::factory()->create()->id, + ]); + $meetup->users()->attach($leader, ['is_leader' => true]); + + Livewire::test('meetups.edit', ['meetup' => $meetup]) + ->set('name', 'Updated By Leader') + ->set('city_id', $this->city->id) + ->set('community', 'einundzwanzig') + ->call('updateMeetup') + ->assertHasNoErrors(); + + expect($meetup->refresh()->name)->toBe('Updated By Leader'); +}); + +it('blocks updateMeetup for a plain member (is_leader = false) who is not the creator', function () { $member = actingAsUser(); $meetup = Meetup::factory()->create([ 'city_id' => $this->city->id, 'name' => 'Original Name', 'created_by' => User::factory()->create()->id, ]); - $meetup->users()->attach($member); + $meetup->users()->attach($member, ['is_leader' => false]); Livewire::test('meetups.edit', ['meetup' => $meetup]) - ->set('name', 'Updated By Member') - ->set('city_id', $this->city->id) - ->set('community', 'einundzwanzig') - ->call('updateMeetup') - ->assertHasNoErrors(); + ->assertStatus(403); - expect($meetup->refresh()->name)->toBe('Updated By Member'); + expect($meetup->refresh()->name)->toBe('Original Name'); }); it('blocks updateMeetup when the user is neither creator nor pivot member', function () { diff --git a/tests/Feature/Meetups/ManageEventsAuthTest.php b/tests/Feature/Meetups/ManageEventsAuthTest.php new file mode 100644 index 0000000..971caaf --- /dev/null +++ b/tests/Feature/Meetups/ManageEventsAuthTest.php @@ -0,0 +1,29 @@ +create(['created_by' => actingAsUser()->id]); + + Livewire::test('meetups.create-edit-events', ['meetup' => $meetup]) + ->assertOk(); +}); + +it('blocks a non-leader member from the event editor', function () { + $member = actingAsUser(); + $meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]); + $meetup->addMember($member); // is_leader = false + + Livewire::test('meetups.create-edit-events', ['meetup' => $meetup]) + ->assertStatus(403); +}); + +it('blocks a stranger from the event editor', function () { + actingAsUser(); + $meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]); + + Livewire::test('meetups.create-edit-events', ['meetup' => $meetup]) + ->assertStatus(403); +});