mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-06-17 16:40:31 +00:00
✨ Implement leadership-based permissions for Meetup management
- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP. - ➕ Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`. - 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views. - 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates). - 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling. - ✨ Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.
This commit is contained in:
HolgerHatGarKeineNode
@@ -7,7 +7,7 @@ use Laravel\Sanctum\Sanctum;
|
||||
|
||||
it('creates a weekly series of individual events', function () {
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
$meetup = Meetup::factory()->create();
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
@@ -32,8 +32,8 @@ it('creates a weekly series of individual events', function () {
|
||||
});
|
||||
|
||||
it('creates a monthly series of individual events', function () {
|
||||
Sanctum::actingAs(User::factory()->create());
|
||||
$meetup = Meetup::factory()->create();
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
@@ -48,8 +48,8 @@ it('creates a monthly series of individual events', function () {
|
||||
});
|
||||
|
||||
it('caps the series at 100 occurrences', function () {
|
||||
Sanctum::actingAs(User::factory()->create());
|
||||
$meetup = Meetup::factory()->create();
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
@@ -63,8 +63,8 @@ it('caps the series at 100 occurrences', function () {
|
||||
});
|
||||
|
||||
it('still creates a single event without recurrence fields', function () {
|
||||
Sanctum::actingAs(User::factory()->create());
|
||||
$meetup = Meetup::factory()->create();
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
@@ -78,8 +78,8 @@ it('still creates a single event without recurrence fields', function () {
|
||||
});
|
||||
|
||||
it('creates a single event when recurrence_type is set but no end date', function () {
|
||||
Sanctum::actingAs(User::factory()->create());
|
||||
$meetup = Meetup::factory()->create();
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
|
||||
@@ -11,11 +11,13 @@ it('rejects a guest', function () {
|
||||
$response->assertUnauthorized();
|
||||
});
|
||||
|
||||
it('lets an authenticated user create', function () {
|
||||
it('lets a leader of the meetup create an event', function () {
|
||||
Sanctum::actingAs($user = User::factory()->create());
|
||||
// Ersteller wird per booted-Hook automatisch Leader des Meetups.
|
||||
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||
|
||||
$response = $this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => Meetup::factory()->create()->id,
|
||||
'meetup_id' => $meetup->id,
|
||||
'start' => '2026-08-01 18:00:00',
|
||||
'location' => 'Marktplatz',
|
||||
]);
|
||||
@@ -28,6 +30,47 @@ it('lets an authenticated user create', function () {
|
||||
]);
|
||||
});
|
||||
|
||||
it('lets a delegated leader create an event for the meetup', function () {
|
||||
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||
$leader = User::factory()->create();
|
||||
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||
|
||||
Sanctum::actingAs($leader);
|
||||
$this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
'start' => '2026-08-01 18:00:00',
|
||||
'location' => 'Marktplatz',
|
||||
])->assertCreated();
|
||||
});
|
||||
|
||||
it('forbids creating an event for a meetup the user does not lead', function () {
|
||||
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||
$member = User::factory()->create();
|
||||
$meetup->addMember($member); // is_leader = false
|
||||
|
||||
Sanctum::actingAs($member);
|
||||
$this->postJson('/api/meetup-events', [
|
||||
'meetup_id' => $meetup->id,
|
||||
'start' => '2026-08-01 18:00:00',
|
||||
'location' => 'Marktplatz',
|
||||
])->assertForbidden();
|
||||
});
|
||||
|
||||
it('lets a meetup leader edit an event created by someone else', function () {
|
||||
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||
$leader = User::factory()->create();
|
||||
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||
$event = MeetupEvent::factory()->create([
|
||||
'meetup_id' => $meetup->id,
|
||||
'created_by' => User::factory()->create()->id,
|
||||
]);
|
||||
|
||||
Sanctum::actingAs($leader);
|
||||
$this->patchJson("/api/meetup-events/{$event->id}", ['location' => 'Rathaus'])
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('data.location', 'Rathaus');
|
||||
});
|
||||
|
||||
it('fails validation', function () {
|
||||
Sanctum::actingAs(User::factory()->create());
|
||||
|
||||
|
||||
@@ -0,0 +1,158 @@
|
||||
<?php
|
||||
|
||||
use App\Models\City;
|
||||
use App\Models\Country;
|
||||
use App\Models\Meetup;
|
||||
use App\Models\User;
|
||||
use Laravel\Sanctum\Sanctum;
|
||||
use swentel\nostr\Key\Key as NostrKey;
|
||||
|
||||
beforeEach(function () {
|
||||
$country = Country::factory()->create(['code' => 'de']);
|
||||
$this->city = City::factory()->create(['country_id' => $country->id]);
|
||||
$this->creator = User::factory()->create();
|
||||
// Der created-Hook trägt den Ersteller automatisch als Leader ein.
|
||||
$this->meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'created_by' => $this->creator->id,
|
||||
]);
|
||||
});
|
||||
|
||||
/** Deterministischer, gültiger npub aus einem 64-stelligen Hex-Pubkey. */
|
||||
function npubFromHex(string $hex): string
|
||||
{
|
||||
return (new NostrKey)->convertPublicKeyToBech32($hex);
|
||||
}
|
||||
|
||||
it('rejects a guest listing leaders', function () {
|
||||
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertUnauthorized();
|
||||
});
|
||||
|
||||
it('lists the creator as a protected leader', function () {
|
||||
Sanctum::actingAs($this->creator);
|
||||
|
||||
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('data.0.id', $this->creator->id)
|
||||
->assertJsonPath('data.0.is_creator', true);
|
||||
});
|
||||
|
||||
it('forbids a plain member from managing leaders', function () {
|
||||
$member = User::factory()->create();
|
||||
$this->meetup->addMember($member); // is_leader = false
|
||||
|
||||
Sanctum::actingAs($member);
|
||||
|
||||
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertForbidden();
|
||||
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('1', 64, '0'))])
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
it('lets a leader appoint a new leader by npub, creating the account', function () {
|
||||
Sanctum::actingAs($this->creator);
|
||||
$npub = npubFromHex(str_pad('a', 64, 'a'));
|
||||
|
||||
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub])
|
||||
->assertCreated();
|
||||
|
||||
$newUser = User::where('nostr', $npub)->firstOrFail();
|
||||
|
||||
$this->assertDatabaseHas('meetup_user', [
|
||||
'meetup_id' => $this->meetup->id,
|
||||
'user_id' => $newUser->id,
|
||||
'is_leader' => true,
|
||||
]);
|
||||
});
|
||||
|
||||
it('promotes an existing member instead of duplicating', function () {
|
||||
$npub = npubFromHex(str_pad('b', 64, 'b'));
|
||||
$existing = User::factory()->create(['nostr' => $npub]);
|
||||
$this->meetup->addMember($existing); // is_leader = false
|
||||
|
||||
Sanctum::actingAs($this->creator);
|
||||
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub])
|
||||
->assertCreated();
|
||||
|
||||
expect($this->meetup->users()->whereKey($existing->id)->count())->toBe(1);
|
||||
$this->assertDatabaseHas('meetup_user', [
|
||||
'meetup_id' => $this->meetup->id,
|
||||
'user_id' => $existing->id,
|
||||
'is_leader' => true,
|
||||
]);
|
||||
});
|
||||
|
||||
it('rejects an invalid npub', function () {
|
||||
Sanctum::actingAs($this->creator);
|
||||
|
||||
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => 'not-an-npub'])
|
||||
->assertUnprocessable()
|
||||
->assertJsonValidationErrors(['npub']);
|
||||
});
|
||||
|
||||
it('lets a delegated leader appoint further leaders', function () {
|
||||
// Ersteller befördert ein Mitglied zum Leader …
|
||||
$delegate = User::factory()->create();
|
||||
$this->meetup->users()->syncWithoutDetaching([$delegate->id => ['is_leader' => true]]);
|
||||
|
||||
// … der dann selbst weitere Leader einsetzen darf.
|
||||
Sanctum::actingAs($delegate);
|
||||
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('c', 64, 'c'))])
|
||||
->assertCreated();
|
||||
});
|
||||
|
||||
it('demotes a leader but keeps the membership', function () {
|
||||
$leader = User::factory()->create();
|
||||
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||
|
||||
Sanctum::actingAs($this->creator);
|
||||
$this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$leader->id}")
|
||||
->assertSuccessful();
|
||||
|
||||
$this->assertDatabaseHas('meetup_user', [
|
||||
'meetup_id' => $this->meetup->id,
|
||||
'user_id' => $leader->id,
|
||||
'is_leader' => false,
|
||||
]);
|
||||
});
|
||||
|
||||
it('never lets the creator be demoted', function () {
|
||||
$leader = User::factory()->create();
|
||||
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||
|
||||
Sanctum::actingAs($leader);
|
||||
$this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$this->creator->id}")
|
||||
->assertForbidden();
|
||||
|
||||
$this->assertDatabaseHas('meetup_user', [
|
||||
'meetup_id' => $this->meetup->id,
|
||||
'user_id' => $this->creator->id,
|
||||
'is_leader' => true,
|
||||
]);
|
||||
});
|
||||
|
||||
it('lets a delegated leader edit the meetup master data', function () {
|
||||
$leader = User::factory()->create();
|
||||
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||
|
||||
Sanctum::actingAs($leader);
|
||||
$this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Renamed by leader'])
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('data.name', 'Renamed by leader');
|
||||
});
|
||||
|
||||
it('forbids a plain member from editing the meetup master data', function () {
|
||||
$member = User::factory()->create();
|
||||
$this->meetup->addMember($member); // is_leader = false
|
||||
|
||||
Sanctum::actingAs($member);
|
||||
$this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Hacked'])
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
it('exposes is_leader on the my-meetups listing', function () {
|
||||
Sanctum::actingAs($this->creator);
|
||||
|
||||
$this->getJson('/api/my-meetups')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('data.0.is_leader', true);
|
||||
});
|
||||
@@ -0,0 +1,46 @@
|
||||
<?php
|
||||
|
||||
use App\Models\City;
|
||||
use App\Models\Country;
|
||||
use App\Models\Meetup;
|
||||
use App\Models\User;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
|
||||
beforeEach(function () {
|
||||
$country = Country::factory()->create(['code' => 'de']);
|
||||
$this->city = City::factory()->create(['country_id' => $country->id]);
|
||||
});
|
||||
|
||||
it('promotes all existing members to leaders', function () {
|
||||
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||
$member = User::factory()->create();
|
||||
$meetup->addMember($member); // is_leader = false
|
||||
|
||||
expect($meetup->isLeader($member))->toBeFalse();
|
||||
|
||||
$this->artisan('meetups:promote-existing-leaders')->assertSuccessful();
|
||||
|
||||
expect($meetup->fresh()->isLeader($member))->toBeTrue();
|
||||
});
|
||||
|
||||
it('ensures the creator is a leader even for legacy meetups without a pivot row', function () {
|
||||
$creator = User::factory()->create();
|
||||
$meetup = Meetup::factory()->create(['city_id' => $this->city->id, 'created_by' => $creator->id]);
|
||||
// Alt-Meetup simulieren: Ersteller-Pivot entfernen.
|
||||
$meetup->users()->detach();
|
||||
expect($meetup->hasMember($creator))->toBeFalse();
|
||||
|
||||
$this->artisan('meetups:promote-existing-leaders')->assertSuccessful();
|
||||
|
||||
expect($meetup->fresh()->isLeader($creator))->toBeTrue();
|
||||
});
|
||||
|
||||
it('does not write on a dry run', function () {
|
||||
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||
$member = User::factory()->create();
|
||||
$meetup->addMember($member);
|
||||
|
||||
$this->artisan('meetups:promote-existing-leaders --dry-run')->assertSuccessful();
|
||||
|
||||
expect(DB::table('meetup_user')->where('user_id', $member->id)->value('is_leader'))->toBe(0);
|
||||
});
|
||||
@@ -6,8 +6,8 @@ use App\Models\MeetupEvent;
|
||||
use Livewire\Livewire;
|
||||
|
||||
it('creates a weekly series via the web editor using the shared action', function () {
|
||||
actingAsUser();
|
||||
$meetup = Meetup::factory()->create();
|
||||
// Termin-Verwaltung erfordert Leaderschaft; Ersteller ist per Hook Leader.
|
||||
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||
->set('seriesMode', true)
|
||||
@@ -22,15 +22,15 @@ it('creates a weekly series via the web editor using the shared action', functio
|
||||
->assertHasNoErrors()
|
||||
->assertRedirect();
|
||||
|
||||
// The web editor parses the end date at midnight, so the occurrence on the end
|
||||
// date's evening falls outside the range: 2026-07-01, 07-08, 07-15, 07-22 = 4.
|
||||
// The shared action yields the identical result for the same inputs.
|
||||
expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(4);
|
||||
// Das Enddatum aus dem Datums-Picker gilt inklusiv bis zum Tagesende
|
||||
// (endOfDay), daher ist das Vorkommen am Enddatum-Abend dabei:
|
||||
// 2026-07-01, 07-08, 07-15, 07-22, 07-29 = 5. Deterministisch, unabhängig
|
||||
// von der Laufzeit-Uhrzeit.
|
||||
expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(5);
|
||||
});
|
||||
|
||||
it('previews the same dates it will create', function () {
|
||||
actingAsUser();
|
||||
$meetup = Meetup::factory()->create();
|
||||
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||
->set('seriesMode', true)
|
||||
@@ -38,5 +38,5 @@ it('previews the same dates it will create', function () {
|
||||
->set('startTime', '18:00')
|
||||
->set('endDate', '2026-07-29')
|
||||
->set('recurrenceType', RecurrenceType::Weekly->value)
|
||||
->assertSet('previewDates', fn ($dates) => count($dates) === 4);
|
||||
->assertSet('previewDates', fn ($dates) => count($dates) === 5);
|
||||
});
|
||||
|
||||
@@ -63,23 +63,38 @@ it('allows update when name is unchanged (Rule::unique ignores own id)', functio
|
||||
->assertHasNoErrors();
|
||||
});
|
||||
|
||||
it('allows updateMeetup for a member of the meetup_user pivot who is not the creator', function () {
|
||||
it('allows updateMeetup for a delegated leader who is not the creator', function () {
|
||||
$leader = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
'created_by' => User::factory()->create()->id,
|
||||
]);
|
||||
$meetup->users()->attach($leader, ['is_leader' => true]);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
->set('name', 'Updated By Leader')
|
||||
->set('city_id', $this->city->id)
|
||||
->set('community', 'einundzwanzig')
|
||||
->call('updateMeetup')
|
||||
->assertHasNoErrors();
|
||||
|
||||
expect($meetup->refresh()->name)->toBe('Updated By Leader');
|
||||
});
|
||||
|
||||
it('blocks updateMeetup for a plain member (is_leader = false) who is not the creator', function () {
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
'created_by' => User::factory()->create()->id,
|
||||
]);
|
||||
$meetup->users()->attach($member);
|
||||
$meetup->users()->attach($member, ['is_leader' => false]);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
->set('name', 'Updated By Member')
|
||||
->set('city_id', $this->city->id)
|
||||
->set('community', 'einundzwanzig')
|
||||
->call('updateMeetup')
|
||||
->assertHasNoErrors();
|
||||
->assertStatus(403);
|
||||
|
||||
expect($meetup->refresh()->name)->toBe('Updated By Member');
|
||||
expect($meetup->refresh()->name)->toBe('Original Name');
|
||||
});
|
||||
|
||||
it('blocks updateMeetup when the user is neither creator nor pivot member', function () {
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
<?php
|
||||
|
||||
use App\Models\Meetup;
|
||||
use App\Models\User;
|
||||
use Livewire\Livewire;
|
||||
|
||||
it('lets a leader open the event editor', function () {
|
||||
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||
->assertOk();
|
||||
});
|
||||
|
||||
it('blocks a non-leader member from the event editor', function () {
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||
$meetup->addMember($member); // is_leader = false
|
||||
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||
->assertStatus(403);
|
||||
});
|
||||
|
||||
it('blocks a stranger from the event editor', function () {
|
||||
actingAsUser();
|
||||
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||
->assertStatus(403);
|
||||
});
|
||||
Reference in New Issue
Block a user