mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-06-17 16:40:31 +00:00
✨ Implement leadership-based permissions for Meetup management
- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP. - ➕ Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`. - 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views. - 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates). - 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling. - ✨ Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.
This commit is contained in:
HolgerHatGarKeineNode
@@ -3,15 +3,23 @@
|
||||
namespace App\Http\Requests\Api;
|
||||
|
||||
use App\Enums\RecurrenceType;
|
||||
use App\Models\MeetupEvent;
|
||||
use App\Models\Meetup;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
use Illuminate\Validation\Rule;
|
||||
|
||||
class StoreMeetupEventRequest extends FormRequest
|
||||
{
|
||||
/**
|
||||
* Termine darf nur anlegen, wer das zugehörige Meetup bearbeiten darf
|
||||
* (Ersteller/Leader/Super-Admin) — dieselbe Berechtigung wie die
|
||||
* Stammdaten. Existenz/Pflicht von meetup_id prüft rules() (422); ist ein
|
||||
* gültiges Meetup angegeben, muss der Nutzer dafür berechtigt sein.
|
||||
*/
|
||||
public function authorize(): bool
|
||||
{
|
||||
return $this->user()->can('create', MeetupEvent::class);
|
||||
$meetup = Meetup::find($this->input('meetup_id'));
|
||||
|
||||
return $meetup === null || $this->user()->can('update', $meetup);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Requests\Api;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
use swentel\nostr\Key\Key as NostrKey;
|
||||
|
||||
/**
|
||||
* Setzt einen weiteren Leader für ein Meetup per Nostr-npub ein. Nur ein
|
||||
* bestehender Leader (bzw. Ersteller/Super-Admin) darf das (manageLeaders).
|
||||
* Der npub muss ein gültiger bech32-kodierter öffentlicher Schlüssel sein.
|
||||
*/
|
||||
class StoreMeetupLeaderRequest extends FormRequest
|
||||
{
|
||||
public function authorize(): bool
|
||||
{
|
||||
return $this->user()->can('manageLeaders', $this->route('meetup'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, array<int, mixed>>
|
||||
*/
|
||||
public function rules(): array
|
||||
{
|
||||
return [
|
||||
'npub' => [
|
||||
'required',
|
||||
'string',
|
||||
'starts_with:npub1',
|
||||
function (string $attribute, mixed $value, Closure $fail): void {
|
||||
try {
|
||||
(new NostrKey)->convertToHex((string) $value);
|
||||
} catch (\Throwable) {
|
||||
$fail(__('Das ist kein gültiger npub.'));
|
||||
}
|
||||
},
|
||||
],
|
||||
];
|
||||
}
|
||||
}
|
||||
@@ -3,14 +3,27 @@
|
||||
namespace App\Http\Requests\Api;
|
||||
|
||||
use App\Enums\RecurrenceType;
|
||||
use App\Models\Meetup;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
use Illuminate\Validation\Rule;
|
||||
|
||||
class UpdateMeetupEventRequest extends FormRequest
|
||||
{
|
||||
/**
|
||||
* Bearbeiten darf der Ersteller des Termins oder ein Leader des Meetups
|
||||
* (siehe MeetupEventPolicy::update). Ein Verschieben in ein anderes Meetup
|
||||
* (geändertes meetup_id) ist nur erlaubt, wenn der Nutzer auch dieses
|
||||
* Ziel-Meetup führt.
|
||||
*/
|
||||
public function authorize(): bool
|
||||
{
|
||||
return $this->user()->can('update', $this->route('meetupEvent'));
|
||||
if (! $this->user()->can('update', $this->route('meetupEvent'))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$target = $this->filled('meetup_id') ? Meetup::find($this->input('meetup_id')) : null;
|
||||
|
||||
return $target === null || $this->user()->can('update', $target);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user