einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-17 16:40:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement leadership-based permissions for Meetup management

Browse Source 
- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP.
-  Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`.
- 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views.
- 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates).
- 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling.
-  Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.
This commit is contained in:
HolgerHatGarKeineNode
2026-06-16 22:04:34 +02:00
parent 39af153f52
commit 9f8fda294a
26 changed files with 691 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Mcp/Tools/MeetupEvent/CreateMeetupEventTool.php
+10 -1
View File
@@ -30,7 +30,7 @@ class CreateMeetupEventTool extends Tool
if (! $this->present($request->get('meetup_id'))) {
$meetup = $this->resolveInScope(
Meetup::query()->associatedWith($user->getAuthIdentifier()),
Meetup::query()->ledBy($user->getAuthIdentifier()),
$request,
'Meetups',
'meetup',
@@ -43,6 +43,15 @@ class CreateMeetupEventTool extends Tool
$request->merge(['meetup_id' => $meetup->id]);
}
// Nur Leader/Ersteller des Ziel-Meetups dürfen Termine anlegen (gleiche
// Berechtigung wie die Stammdaten). Greift auch, wenn meetup_id direkt
// übergeben wurde und damit den ledBy-Scope oben umgeht.
$targetMeetup = Meetup::find($request->get('meetup_id'));
if ($targetMeetup === null || Gate::forUser($user)->denies('update', $targetMeetup)) {
return Response::error('Nur Leader oder der Ersteller dürfen Termine für dieses Meetup anlegen.');
}
$storeRequest = new StoreMeetupEventRequest;
$validated = $request->validate(
app/Mcp/Tools/MeetupEvent/UpdateMeetupEventTool.php
+3 -3
View File
@@ -15,7 +15,7 @@ use Laravel\Mcp\Response;
use Laravel\Mcp\Server\Attributes\Description;
use Laravel\Mcp\Server\Tool;
#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller oder ein Super-Admin darf ihn ändern.')]
#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller des Termins, ein Leader des zugehörigen Meetups oder ein Super-Admin darf ihn ändern.')]
class UpdateMeetupEventTool extends Tool
{
use ResolvesEntities;
@@ -31,10 +31,10 @@ class UpdateMeetupEventTool extends Tool
$user = $request->user();
if ($user === null || Gate::forUser($user)->denies('update', $meetupEvent)) {
return Response::error('Nur der Ersteller oder ein Super-Admin darf diesen Meetup-Termin ändern.');
return Response::error('Nur der Ersteller des Termins, ein Leader des Meetups oder ein Super-Admin darf diesen Meetup-Termin ändern.');
}
if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->where('created_by', $user->getAuthIdentifier()), 'Meetups', false)) {
if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->ledBy($user->getAuthIdentifier()), 'Meetups', false)) {
return $error;
}