einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-17 16:40:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement leadership-based permissions for Meetup management

Browse Source 
- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP.
-  Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`.
- 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views.
- 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates).
- 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling.
-  Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.
This commit is contained in:
HolgerHatGarKeineNode
2026-06-16 22:04:34 +02:00
parent 39af153f52
commit 9f8fda294a
26 changed files with 691 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Feature/Api/MeetupEventWriteApiTest.php
+45 -2
View File
@@ -11,11 +11,13 @@ it('rejects a guest', function () {
$response->assertUnauthorized();
});
it('lets an authenticated user create', function () {
it('lets a leader of the meetup create an event', function () {
Sanctum::actingAs($user = User::factory()->create());
// Ersteller wird per booted-Hook automatisch Leader des Meetups.
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
$response = $this->postJson('/api/meetup-events', [
'meetup_id' => Meetup::factory()->create()->id,
'meetup_id' => $meetup->id,
'start' => '2026-08-01 18:00:00',
'location' => 'Marktplatz',
]);
@@ -28,6 +30,47 @@ it('lets an authenticated user create', function () {
]);
});
it('lets a delegated leader create an event for the meetup', function () {
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
$leader = User::factory()->create();
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
Sanctum::actingAs($leader);
$this->postJson('/api/meetup-events', [
'meetup_id' => $meetup->id,
'start' => '2026-08-01 18:00:00',
'location' => 'Marktplatz',
])->assertCreated();
});
it('forbids creating an event for a meetup the user does not lead', function () {
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
$member = User::factory()->create();
$meetup->addMember($member); // is_leader = false
Sanctum::actingAs($member);
$this->postJson('/api/meetup-events', [
'meetup_id' => $meetup->id,
'start' => '2026-08-01 18:00:00',
'location' => 'Marktplatz',
])->assertForbidden();
});
it('lets a meetup leader edit an event created by someone else', function () {
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
$leader = User::factory()->create();
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
$event = MeetupEvent::factory()->create([
'meetup_id' => $meetup->id,
'created_by' => User::factory()->create()->id,
]);
Sanctum::actingAs($leader);
$this->patchJson("/api/meetup-events/{$event->id}", ['location' => 'Rathaus'])
->assertSuccessful()
->assertJsonPath('data.location', 'Rathaus');
});
it('fails validation', function () {
Sanctum::actingAs(User::factory()->create());