mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-06-21 05:50:30 +00:00
✨ Implement leadership-based permissions for Meetup management
- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP. - ➕ Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`. - 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views. - 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates). - 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling. - ✨ Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.
This commit is contained in:
HolgerHatGarKeineNode
@@ -0,0 +1,65 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Console\Commands\Database;
|
||||||
|
|
||||||
|
use App\Models\Meetup;
|
||||||
|
use Illuminate\Console\Attributes\Description;
|
||||||
|
use Illuminate\Console\Attributes\Signature;
|
||||||
|
use Illuminate\Console\Command;
|
||||||
|
use Illuminate\Support\Facades\DB;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Einmalige Fixierung des Ist-Zustands beim Wechsel auf das Leader-Modell:
|
||||||
|
* Bisher durfte jedes „Meine Meetups"-Mitglied (meetup_user) ein Meetup über
|
||||||
|
* das Portal bearbeiten. Dieser Kreis gilt als historisch legitimiert und wird
|
||||||
|
* zu echten Leadern (meetup_user.is_leader = true) befördert. Zusätzlich wird
|
||||||
|
* sichergestellt, dass jeder Ersteller Leader seines Meetups ist (auch bei
|
||||||
|
* Alt-Meetups, die vor dem created-Hook angelegt wurden).
|
||||||
|
*
|
||||||
|
* Nach diesem Lauf berechtigt nur noch is_leader = true zum Bearbeiten; frisch
|
||||||
|
* über addToMine hinzugefügte Mitglieder bleiben is_leader = false.
|
||||||
|
*/
|
||||||
|
#[Signature('meetups:promote-existing-leaders {--dry-run : Nur anzeigen, nichts schreiben}')]
|
||||||
|
#[Description('Befördert alle bestehenden meetup_user-Mitglieder zu Leadern (Ist-Zustand fixieren) und sichert die Ersteller-Leaderschaft.')]
|
||||||
|
class PromoteExistingLeaders extends Command
|
||||||
|
{
|
||||||
|
public function handle(): int
|
||||||
|
{
|
||||||
|
$dryRun = (bool) $this->option('dry-run');
|
||||||
|
|
||||||
|
$memberRows = DB::table('meetup_user')->where('is_leader', false)->count();
|
||||||
|
|
||||||
|
$missingCreators = Meetup::query()
|
||||||
|
->whereNotNull('created_by')
|
||||||
|
->whereDoesntHave('users', function ($query): void {
|
||||||
|
$query->whereColumn('users.id', 'meetups.created_by');
|
||||||
|
})
|
||||||
|
->count();
|
||||||
|
|
||||||
|
if ($dryRun) {
|
||||||
|
$this->info("Dry-Run: {$memberRows} Mitglieder würden zu Leadern befördert.");
|
||||||
|
$this->info("Dry-Run: {$missingCreators} fehlende Ersteller-Mitgliedschaften würden ergänzt (als Leader).");
|
||||||
|
|
||||||
|
return Command::SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
DB::table('meetup_user')->where('is_leader', false)->update(['is_leader' => true]);
|
||||||
|
|
||||||
|
$ensured = 0;
|
||||||
|
Meetup::query()
|
||||||
|
->whereNotNull('created_by')
|
||||||
|
->chunkById(200, function ($meetups) use (&$ensured): void {
|
||||||
|
foreach ($meetups as $meetup) {
|
||||||
|
$meetup->users()->syncWithoutDetaching([
|
||||||
|
$meetup->created_by => ['is_leader' => true],
|
||||||
|
]);
|
||||||
|
$ensured++;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
$this->info("{$memberRows} Mitglieder zu Leadern befördert.");
|
||||||
|
$this->info("Ersteller-Leaderschaft für {$ensured} Meetups sichergestellt.");
|
||||||
|
|
||||||
|
return Command::SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,98 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Controllers\Api;
|
||||||
|
|
||||||
|
use App\Http\Controllers\Controller;
|
||||||
|
use App\Http\Requests\Api\StoreMeetupLeaderRequest;
|
||||||
|
use App\Models\Meetup;
|
||||||
|
use App\Models\User;
|
||||||
|
use App\Support\NostrLogin;
|
||||||
|
use Dedoc\Scramble\Attributes\Group;
|
||||||
|
use Dedoc\Scramble\Attributes\Response;
|
||||||
|
use Illuminate\Http\JsonResponse;
|
||||||
|
use Illuminate\Support\Facades\Gate;
|
||||||
|
use Symfony\Component\HttpFoundation\Response as HttpResponse;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Leader-Delegation für Meetups: ein bestehender Leader (bzw. Ersteller/
|
||||||
|
* Super-Admin) verwaltet die Leader eines Meetups (meetup_user.is_leader).
|
||||||
|
* Leader dürfen die Stammdaten bearbeiten — siehe MeetupPolicy::update().
|
||||||
|
*/
|
||||||
|
#[Group(name: 'Meetups', weight: 3)]
|
||||||
|
class MeetupLeaderController extends Controller
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Leader auflisten
|
||||||
|
*
|
||||||
|
* Liefert alle Leader eines Meetups (id, name, nostr, avatar, is_creator).
|
||||||
|
* Nur für Leader des Meetups sichtbar.
|
||||||
|
*/
|
||||||
|
#[Response(status: 403, description: 'Nur ein Leader darf die Leader-Liste sehen.')]
|
||||||
|
public function index(Meetup $meetup): JsonResponse
|
||||||
|
{
|
||||||
|
Gate::authorize('manageLeaders', $meetup);
|
||||||
|
|
||||||
|
return response()->json(['data' => $this->leaders($meetup)]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Leader einsetzen
|
||||||
|
*
|
||||||
|
* Setzt den Nutzer mit dem angegebenen npub als Leader ein. Existiert noch
|
||||||
|
* kein Account für den npub, wird er angelegt (greift, sobald die Person sich
|
||||||
|
* erstmals einloggt). Idempotent: ein bereits gesetzter Leader bleibt Leader.
|
||||||
|
*/
|
||||||
|
#[Response(status: 403, description: 'Nur ein Leader darf weitere Leader einsetzen.')]
|
||||||
|
#[Response(status: 422, description: 'Ungültiger npub.')]
|
||||||
|
public function store(StoreMeetupLeaderRequest $request, Meetup $meetup): JsonResponse
|
||||||
|
{
|
||||||
|
$user = NostrLogin::findOrCreateUser($request->string('npub')->toString());
|
||||||
|
|
||||||
|
$meetup->users()->syncWithoutDetaching([
|
||||||
|
$user->getKey() => ['is_leader' => true],
|
||||||
|
]);
|
||||||
|
|
||||||
|
return response()->json(['data' => $this->leaders($meetup)], HttpResponse::HTTP_CREATED);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Leader entziehen
|
||||||
|
*
|
||||||
|
* Entzieht dem Nutzer die Leader-Rolle für dieses Meetup (Demote: bleibt
|
||||||
|
* Mitglied in „Meine Meetups", darf aber nicht mehr bearbeiten). Der
|
||||||
|
* Ersteller des Meetups kann nie entzogen werden.
|
||||||
|
*/
|
||||||
|
#[Response(status: 403, description: 'Nur ein Leader darf entziehen; der Ersteller ist geschützt.')]
|
||||||
|
public function destroy(Meetup $meetup, User $user): JsonResponse
|
||||||
|
{
|
||||||
|
Gate::authorize('manageLeaders', $meetup);
|
||||||
|
|
||||||
|
abort_if($user->getKey() === $meetup->created_by, HttpResponse::HTTP_FORBIDDEN, __('Der Ersteller des Meetups kann nicht entzogen werden.'));
|
||||||
|
|
||||||
|
$meetup->users()->updateExistingPivot($user->getKey(), ['is_leader' => false]);
|
||||||
|
|
||||||
|
return response()->json(['data' => $this->leaders($meetup)]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Leader-Liste als flaches Array (Ersteller zuerst).
|
||||||
|
*
|
||||||
|
* @return array<int, array<string, mixed>>
|
||||||
|
*/
|
||||||
|
private function leaders(Meetup $meetup): array
|
||||||
|
{
|
||||||
|
return $meetup->users()
|
||||||
|
->wherePivot('is_leader', true)
|
||||||
|
->get()
|
||||||
|
->map(fn (User $user): array => [
|
||||||
|
'id' => $user->getKey(),
|
||||||
|
'name' => $user->name,
|
||||||
|
'nostr' => $user->nostr,
|
||||||
|
'avatar' => $user->profile_photo_url,
|
||||||
|
'is_creator' => $user->getKey() === $meetup->created_by,
|
||||||
|
])
|
||||||
|
->sortByDesc('is_creator')
|
||||||
|
->values()
|
||||||
|
->all();
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -51,7 +51,9 @@ class UserController extends Controller
|
|||||||
'email' => $user->email,
|
'email' => $user->email,
|
||||||
'nostr' => $user->nostr,
|
'nostr' => $user->nostr,
|
||||||
'is_lecturer' => (bool) $user->is_lecturer,
|
'is_lecturer' => (bool) $user->is_lecturer,
|
||||||
'is_leader' => (bool) $user->is_leader,
|
// Leader-Rolle ist pro Meetup (meetup_user.is_leader); global = ist
|
||||||
|
// der Nutzer Leader IRGENDEINES Meetups. Treibt das Rollen-Badge.
|
||||||
|
'is_leader' => $user->meetups()->wherePivot('is_leader', true)->exists(),
|
||||||
'avatar' => $user->profile_photo_url,
|
'avatar' => $user->profile_photo_url,
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,15 +3,23 @@
|
|||||||
namespace App\Http\Requests\Api;
|
namespace App\Http\Requests\Api;
|
||||||
|
|
||||||
use App\Enums\RecurrenceType;
|
use App\Enums\RecurrenceType;
|
||||||
use App\Models\MeetupEvent;
|
use App\Models\Meetup;
|
||||||
use Illuminate\Foundation\Http\FormRequest;
|
use Illuminate\Foundation\Http\FormRequest;
|
||||||
use Illuminate\Validation\Rule;
|
use Illuminate\Validation\Rule;
|
||||||
|
|
||||||
class StoreMeetupEventRequest extends FormRequest
|
class StoreMeetupEventRequest extends FormRequest
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Termine darf nur anlegen, wer das zugehörige Meetup bearbeiten darf
|
||||||
|
* (Ersteller/Leader/Super-Admin) — dieselbe Berechtigung wie die
|
||||||
|
* Stammdaten. Existenz/Pflicht von meetup_id prüft rules() (422); ist ein
|
||||||
|
* gültiges Meetup angegeben, muss der Nutzer dafür berechtigt sein.
|
||||||
|
*/
|
||||||
public function authorize(): bool
|
public function authorize(): bool
|
||||||
{
|
{
|
||||||
return $this->user()->can('create', MeetupEvent::class);
|
$meetup = Meetup::find($this->input('meetup_id'));
|
||||||
|
|
||||||
|
return $meetup === null || $this->user()->can('update', $meetup);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -0,0 +1,41 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Requests\Api;
|
||||||
|
|
||||||
|
use Closure;
|
||||||
|
use Illuminate\Foundation\Http\FormRequest;
|
||||||
|
use swentel\nostr\Key\Key as NostrKey;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setzt einen weiteren Leader für ein Meetup per Nostr-npub ein. Nur ein
|
||||||
|
* bestehender Leader (bzw. Ersteller/Super-Admin) darf das (manageLeaders).
|
||||||
|
* Der npub muss ein gültiger bech32-kodierter öffentlicher Schlüssel sein.
|
||||||
|
*/
|
||||||
|
class StoreMeetupLeaderRequest extends FormRequest
|
||||||
|
{
|
||||||
|
public function authorize(): bool
|
||||||
|
{
|
||||||
|
return $this->user()->can('manageLeaders', $this->route('meetup'));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return array<string, array<int, mixed>>
|
||||||
|
*/
|
||||||
|
public function rules(): array
|
||||||
|
{
|
||||||
|
return [
|
||||||
|
'npub' => [
|
||||||
|
'required',
|
||||||
|
'string',
|
||||||
|
'starts_with:npub1',
|
||||||
|
function (string $attribute, mixed $value, Closure $fail): void {
|
||||||
|
try {
|
||||||
|
(new NostrKey)->convertToHex((string) $value);
|
||||||
|
} catch (\Throwable) {
|
||||||
|
$fail(__('Das ist kein gültiger npub.'));
|
||||||
|
}
|
||||||
|
},
|
||||||
|
],
|
||||||
|
];
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -3,14 +3,27 @@
|
|||||||
namespace App\Http\Requests\Api;
|
namespace App\Http\Requests\Api;
|
||||||
|
|
||||||
use App\Enums\RecurrenceType;
|
use App\Enums\RecurrenceType;
|
||||||
|
use App\Models\Meetup;
|
||||||
use Illuminate\Foundation\Http\FormRequest;
|
use Illuminate\Foundation\Http\FormRequest;
|
||||||
use Illuminate\Validation\Rule;
|
use Illuminate\Validation\Rule;
|
||||||
|
|
||||||
class UpdateMeetupEventRequest extends FormRequest
|
class UpdateMeetupEventRequest extends FormRequest
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Bearbeiten darf der Ersteller des Termins oder ein Leader des Meetups
|
||||||
|
* (siehe MeetupEventPolicy::update). Ein Verschieben in ein anderes Meetup
|
||||||
|
* (geändertes meetup_id) ist nur erlaubt, wenn der Nutzer auch dieses
|
||||||
|
* Ziel-Meetup führt.
|
||||||
|
*/
|
||||||
public function authorize(): bool
|
public function authorize(): bool
|
||||||
{
|
{
|
||||||
return $this->user()->can('update', $this->route('meetupEvent'));
|
if (! $this->user()->can('update', $this->route('meetupEvent'))) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$target = $this->filled('meetup_id') ? Meetup::find($this->input('meetup_id')) : null;
|
||||||
|
|
||||||
|
return $target === null || $this->user()->can('update', $target);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -32,6 +32,10 @@ class MeetupResource extends JsonResource
|
|||||||
'community' => $this->community,
|
'community' => $this->community,
|
||||||
'visible_on_map' => $this->visible_on_map,
|
'visible_on_map' => $this->visible_on_map,
|
||||||
'is_active' => $this->is_active,
|
'is_active' => $this->is_active,
|
||||||
|
// Nur gesetzt, wenn die meetup_user-Pivot geladen ist (z. B. via
|
||||||
|
// /api/my-meetups). Sagt der App, ob der Token-Inhaber Leader dieses
|
||||||
|
// Meetups ist (darf bearbeiten + Leader verwalten).
|
||||||
|
'is_leader' => $this->whenPivotLoaded('meetup_user', fn (): bool => (bool) $this->pivot->is_leader),
|
||||||
'logo' => $this->getFirstMediaUrl('logo', 'thumb'),
|
'logo' => $this->getFirstMediaUrl('logo', 'thumb'),
|
||||||
'last_event_at' => $this->last_event_at,
|
'last_event_at' => $this->last_event_at,
|
||||||
'created_by' => $this->created_by,
|
'created_by' => $this->created_by,
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ class CreateMeetupEventTool extends Tool
|
|||||||
|
|
||||||
if (! $this->present($request->get('meetup_id'))) {
|
if (! $this->present($request->get('meetup_id'))) {
|
||||||
$meetup = $this->resolveInScope(
|
$meetup = $this->resolveInScope(
|
||||||
Meetup::query()->associatedWith($user->getAuthIdentifier()),
|
Meetup::query()->ledBy($user->getAuthIdentifier()),
|
||||||
$request,
|
$request,
|
||||||
'Meetups',
|
'Meetups',
|
||||||
'meetup',
|
'meetup',
|
||||||
@@ -43,6 +43,15 @@ class CreateMeetupEventTool extends Tool
|
|||||||
$request->merge(['meetup_id' => $meetup->id]);
|
$request->merge(['meetup_id' => $meetup->id]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Nur Leader/Ersteller des Ziel-Meetups dürfen Termine anlegen (gleiche
|
||||||
|
// Berechtigung wie die Stammdaten). Greift auch, wenn meetup_id direkt
|
||||||
|
// übergeben wurde und damit den ledBy-Scope oben umgeht.
|
||||||
|
$targetMeetup = Meetup::find($request->get('meetup_id'));
|
||||||
|
|
||||||
|
if ($targetMeetup === null || Gate::forUser($user)->denies('update', $targetMeetup)) {
|
||||||
|
return Response::error('Nur Leader oder der Ersteller dürfen Termine für dieses Meetup anlegen.');
|
||||||
|
}
|
||||||
|
|
||||||
$storeRequest = new StoreMeetupEventRequest;
|
$storeRequest = new StoreMeetupEventRequest;
|
||||||
|
|
||||||
$validated = $request->validate(
|
$validated = $request->validate(
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ use Laravel\Mcp\Response;
|
|||||||
use Laravel\Mcp\Server\Attributes\Description;
|
use Laravel\Mcp\Server\Attributes\Description;
|
||||||
use Laravel\Mcp\Server\Tool;
|
use Laravel\Mcp\Server\Tool;
|
||||||
|
|
||||||
#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller oder ein Super-Admin darf ihn ändern.')]
|
#[Description('Aktualisiert einen bestehenden Meetup-Termin. Nur der Ersteller des Termins, ein Leader des zugehörigen Meetups oder ein Super-Admin darf ihn ändern.')]
|
||||||
class UpdateMeetupEventTool extends Tool
|
class UpdateMeetupEventTool extends Tool
|
||||||
{
|
{
|
||||||
use ResolvesEntities;
|
use ResolvesEntities;
|
||||||
@@ -31,10 +31,10 @@ class UpdateMeetupEventTool extends Tool
|
|||||||
$user = $request->user();
|
$user = $request->user();
|
||||||
|
|
||||||
if ($user === null || Gate::forUser($user)->denies('update', $meetupEvent)) {
|
if ($user === null || Gate::forUser($user)->denies('update', $meetupEvent)) {
|
||||||
return Response::error('Nur der Ersteller oder ein Super-Admin darf diesen Meetup-Termin ändern.');
|
return Response::error('Nur der Ersteller des Termins, ein Leader des Meetups oder ein Super-Admin darf diesen Meetup-Termin ändern.');
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->where('created_by', $user->getAuthIdentifier()), 'Meetups', false)) {
|
if ($error = $this->mergeForeignKey($request, 'meetup', 'meetup_id', Meetup::query()->ledBy($user->getAuthIdentifier()), 'Meetups', false)) {
|
||||||
return $error;
|
return $error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -185,6 +185,19 @@ class Meetup extends Model implements HasMedia
|
|||||||
return $this->users()->whereKey($user->id)->exists();
|
return $this->users()->whereKey($user->id)->exists();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ist der Nutzer Leader dieses Meetups (meetup_user.is_leader = true)?
|
||||||
|
* Nur Leader (und der Ersteller/Super-Admin) dürfen Stammdaten bearbeiten
|
||||||
|
* und weitere Leader einsetzen/entziehen.
|
||||||
|
*/
|
||||||
|
public function isLeader(User $user): bool
|
||||||
|
{
|
||||||
|
return $this->users()
|
||||||
|
->whereKey($user->id)
|
||||||
|
->wherePivot('is_leader', true)
|
||||||
|
->exists();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Den Nutzer als Mitglied (nicht Leader) zu „Meine Meetups" hinzufügen.
|
* Den Nutzer als Mitglied (nicht Leader) zu „Meine Meetups" hinzufügen.
|
||||||
* Idempotent: ein bereits hinzugefügter Nutzer bleibt unverändert. Gibt
|
* Idempotent: ein bereits hinzugefügter Nutzer bleibt unverändert. Gibt
|
||||||
@@ -233,6 +246,32 @@ class Meetup extends Model implements HasMedia
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Meetups, die der Nutzer als Leader führt (meetup_user.is_leader = true).
|
||||||
|
* Maßgeblich dafür, wer Stammdaten UND Termine bearbeiten darf.
|
||||||
|
*/
|
||||||
|
public function scopeLedBy(Builder $query, int $userId): void
|
||||||
|
{
|
||||||
|
$query->whereHas('users', fn (Builder $user) => $user->whereKey($userId)->wherePivot('is_leader', true));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Führt der eingeloggte Nutzer dieses Meetup als Leader? Steuert die
|
||||||
|
* Sichtbarkeit der Bearbeiten-/Termin-Affordances im Portal-Frontend
|
||||||
|
* (Gegenstück zu {@see belongsToMe()}, aber leader- statt mitgliedschafts-
|
||||||
|
* basiert).
|
||||||
|
*/
|
||||||
|
protected function leadByMe(): Attribute
|
||||||
|
{
|
||||||
|
return Attribute::make(
|
||||||
|
get: fn (): bool => auth()->check() && DB::table('meetup_user')
|
||||||
|
->where('meetup_id', $this->id)
|
||||||
|
->where('user_id', auth()->id())
|
||||||
|
->where('is_leader', true)
|
||||||
|
->exists()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
public function city(): BelongsTo
|
public function city(): BelongsTo
|
||||||
{
|
{
|
||||||
return $this->belongsTo(City::class);
|
return $this->belongsTo(City::class);
|
||||||
|
|||||||
+1
-1
@@ -105,7 +105,7 @@ class User extends Authenticatable implements CipherSweetEncrypted
|
|||||||
|
|
||||||
public function meetups()
|
public function meetups()
|
||||||
{
|
{
|
||||||
return $this->belongsToMany(Meetup::class);
|
return $this->belongsToMany(Meetup::class)->withPivot('is_leader');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function reputations()
|
public function reputations()
|
||||||
|
|||||||
@@ -25,8 +25,23 @@ class MeetupEventPolicy
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Termin bearbeiten: der Ersteller des Termins ODER ein Leader des
|
||||||
|
* zugehörigen Meetups (bzw. Super-Admin). Damit dürfen Meetup-Leader die
|
||||||
|
* Termine ihres Meetups pflegen, auch wenn sie sie nicht selbst angelegt
|
||||||
|
* haben — analog zur Stammdaten-Bearbeitung (MeetupPolicy::update).
|
||||||
|
*/
|
||||||
public function update(User $user, MeetupEvent $meetupEvent): bool
|
public function update(User $user, MeetupEvent $meetupEvent): bool
|
||||||
{
|
{
|
||||||
return $this->owns($user, $meetupEvent);
|
return $this->owns($user, $meetupEvent)
|
||||||
|
|| ($meetupEvent->meetup !== null && $meetupEvent->meetup->isLeader($user));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Termin löschen: gleiche Regel wie das Bearbeiten.
|
||||||
|
*/
|
||||||
|
public function delete(User $user, MeetupEvent $meetupEvent): bool
|
||||||
|
{
|
||||||
|
return $this->update($user, $meetupEvent);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -58,20 +58,26 @@ class MeetupPolicy
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Stammdaten bearbeiten: der Ersteller (bzw. Super-Admin) ODER ein
|
||||||
|
* delegierter Leader (meetup_user.is_leader = true). Die bloße
|
||||||
|
* „Meine Meetups"-Mitgliedschaft (is_leader = false) berechtigt NICHT
|
||||||
|
* mehr zum Bearbeiten — Leader werden über manageLeaders() vergeben.
|
||||||
|
* Gilt einheitlich für REST-API, MCP und Portal-Frontend.
|
||||||
|
*/
|
||||||
public function update(User $user, Meetup $meetup): bool
|
public function update(User $user, Meetup $meetup): bool
|
||||||
{
|
{
|
||||||
return $this->owns($user, $meetup);
|
return $this->owns($user, $meetup) || $meetup->isLeader($user);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gelockerte Update-Regel ausschließlich für das Portal-Frontend (Livewire):
|
* Weitere Leader einsetzen/entziehen: nur ein bestehender Leader bzw. der
|
||||||
* Neben dem Ersteller darf auch jedes Mitglied der meetup_user-Pivot
|
* Ersteller/Super-Admin. Delegation ist damit selbsttragend — jeder Leader
|
||||||
* („Meine Meetups" im Dashboard) die Stammdaten bearbeiten. REST-API und
|
* kann neue Leader benennen (der Ersteller selbst kann nie entzogen werden,
|
||||||
* MCP nutzen weiterhin die strikte update()-Ability. Übergangslösung, bis
|
* das erzwingt der Controller).
|
||||||
* ein echtes Rollen-/Freigabekonzept existiert.
|
|
||||||
*/
|
*/
|
||||||
public function updateViaPortal(User $user, Meetup $meetup): bool
|
public function manageLeaders(User $user, Meetup $meetup): bool
|
||||||
{
|
{
|
||||||
return $this->owns($user, $meetup) || $meetup->hasMember($user);
|
return $this->owns($user, $meetup) || $meetup->isLeader($user);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -179,15 +179,20 @@ class extends Component {
|
|||||||
</a>
|
</a>
|
||||||
</div>
|
</div>
|
||||||
<div class="flex flex-row items-center gap-2 w-full sm:w-auto">
|
<div class="flex flex-row items-center gap-2 w-full sm:w-auto">
|
||||||
<flux:button
|
{{-- Termine & Stammdaten nur für Leader dieses Meetups
|
||||||
:href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
(meetup_user.is_leader); Mitglieder ohne Leaderschaft
|
||||||
variant="primary" icon="calendar" size="xs">
|
können das Meetup nur aus „Meine“ entfernen. --}}
|
||||||
{{ __('Neues Event erstellen') }}
|
@if($meetup->pivot->is_leader)
|
||||||
</flux:button>
|
<flux:button
|
||||||
<flux:button :href="route_with_country('meetups.edit', ['meetup' => $meetup])"
|
:href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
||||||
size="xs" variant="ghost" icon="pencil" class="w-full sm:w-auto">
|
variant="primary" icon="calendar" size="xs">
|
||||||
{{ __('Bearbeiten') }}
|
{{ __('Neues Event erstellen') }}
|
||||||
</flux:button>
|
</flux:button>
|
||||||
|
<flux:button :href="route_with_country('meetups.edit', ['meetup' => $meetup])"
|
||||||
|
size="xs" variant="ghost" icon="pencil" class="w-full sm:w-auto">
|
||||||
|
{{ __('Bearbeiten') }}
|
||||||
|
</flux:button>
|
||||||
|
@endif
|
||||||
<flux:modal.trigger :name="'remove-meetup-' . $meetup->id">
|
<flux:modal.trigger :name="'remove-meetup-' . $meetup->id">
|
||||||
<flux:button class="cursor-pointer" size="xs" variant="danger"
|
<flux:button class="cursor-pointer" size="xs" variant="danger"
|
||||||
icon="trash"></flux:button>
|
icon="trash"></flux:button>
|
||||||
|
|||||||
@@ -44,7 +44,11 @@ class extends Component {
|
|||||||
// Ensure timezone is always set - use fallback if not initialized yet
|
// Ensure timezone is always set - use fallback if not initialized yet
|
||||||
$timezone = $this->userTimezone ?: (auth()->user()->timezone ?? 'Europe/Berlin');
|
$timezone = $this->userTimezone ?: (auth()->user()->timezone ?? 'Europe/Berlin');
|
||||||
$startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone);
|
$startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone);
|
||||||
$endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone);
|
// Enddatum kommt aus einem reinen Datums-Picker: bis zum Ende des
|
||||||
|
// gewählten Tages (inklusiv). endOfDay() macht das deterministisch —
|
||||||
|
// createFromFormat('Y-m-d', …) würde sonst die AKTUELLE Uhrzeit
|
||||||
|
// einsetzen und das letzte Vorkommen je nach Laufzeit ein-/ausschließen.
|
||||||
|
$endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone)->endOfDay();
|
||||||
|
|
||||||
return array_map(fn (\Carbon\Carbon $date): array => [
|
return array_map(fn (\Carbon\Carbon $date): array => [
|
||||||
'date' => $date,
|
'date' => $date,
|
||||||
@@ -97,8 +101,21 @@ class extends Component {
|
|||||||
#[Validate('required|url|max:255')]
|
#[Validate('required|url|max:255')]
|
||||||
public ?string $link = null;
|
public ?string $link = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Termine darf nur verwalten, wer das zugehörige Meetup bearbeiten darf
|
||||||
|
* (Ersteller/Leader/Super-Admin) — dieselbe update-Ability wie die
|
||||||
|
* Stammdaten. Spiegelt meetups.edit::authorizeAccess().
|
||||||
|
*/
|
||||||
|
protected function authorizeManage(): void
|
||||||
|
{
|
||||||
|
if (auth()->guest() || auth()->user()->cannot('update', $this->meetup)) {
|
||||||
|
abort(403);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public function mount(): void
|
public function mount(): void
|
||||||
{
|
{
|
||||||
|
$this->authorizeManage();
|
||||||
$this->country = request()->route('country', config('app.domain_country'));
|
$this->country = request()->route('country', config('app.domain_country'));
|
||||||
$this->userTimezone = auth()->user()->timezone ?? 'Europe/Berlin';
|
$this->userTimezone = auth()->user()->timezone ?? 'Europe/Berlin';
|
||||||
$timezone = $this->userTimezone;
|
$timezone = $this->userTimezone;
|
||||||
@@ -130,6 +147,8 @@ class extends Component {
|
|||||||
|
|
||||||
public function save(): void
|
public function save(): void
|
||||||
{
|
{
|
||||||
|
$this->authorizeManage();
|
||||||
|
|
||||||
$validationRules = [
|
$validationRules = [
|
||||||
'startDate' => 'required|date',
|
'startDate' => 'required|date',
|
||||||
'startTime' => 'required',
|
'startTime' => 'required',
|
||||||
@@ -191,7 +210,9 @@ class extends Component {
|
|||||||
private function createEventSeries(string $timezone): void
|
private function createEventSeries(string $timezone): void
|
||||||
{
|
{
|
||||||
$startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone);
|
$startDate = \Carbon\Carbon::createFromFormat('Y-m-d H:i', $this->startDate . ' ' . $this->startTime, $timezone);
|
||||||
$endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone);
|
// Inklusiv bis zum Ende des gewählten Tages, deterministisch (siehe
|
||||||
|
// getPreviewDatesProperty) — Vorschau und Anlegen erzeugen so dieselbe Liste.
|
||||||
|
$endDate = \Carbon\Carbon::createFromFormat('Y-m-d', $this->endDate, $timezone)->endOfDay();
|
||||||
|
|
||||||
$eventsCreated = 0;
|
$eventsCreated = 0;
|
||||||
|
|
||||||
|
|||||||
@@ -85,15 +85,13 @@ class extends Component {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Portal-Frontend nutzt die gelockerte updateViaPortal-Ability: Ersteller,
|
* Stammdaten bearbeiten dürfen der Ersteller, Super-Admins UND delegierte
|
||||||
* Super-Admins UND Mitglieder der meetup_user-Pivot („Meine Meetups") dürfen
|
* Leader (meetup_user.is_leader). Einheitliche update-Ability für Portal-
|
||||||
* die Stammdaten bearbeiten. REST-API und MCP-Tools bleiben auf der strikten
|
* Frontend, REST-API und MCP-Tools (MeetupPolicy::update).
|
||||||
* update()-Ability (nur Ersteller/Super-Admin). Übergangslösung, bis ein
|
|
||||||
* echtes Rollen-/Freigabekonzept existiert.
|
|
||||||
*/
|
*/
|
||||||
protected function authorizeAccess(): void
|
protected function authorizeAccess(): void
|
||||||
{
|
{
|
||||||
if (auth()->guest() || auth()->user()->cannot('updateViaPortal', $this->meetup)) {
|
if (auth()->guest() || auth()->user()->cannot('update', $this->meetup)) {
|
||||||
abort(403);
|
abort(403);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -185,11 +185,10 @@ class extends Component {
|
|||||||
|
|
||||||
<flux:table.cell>
|
<flux:table.cell>
|
||||||
<div class="flex flex-col space-y-2">
|
<div class="flex flex-col space-y-2">
|
||||||
@if(auth()->check() && $meetup->belongsToMe)
|
@if(auth()->check() && $meetup->leadByMe)
|
||||||
<div>
|
<div>
|
||||||
<flux:button
|
<flux:button
|
||||||
:disabled="!$meetup->belongsToMe"
|
:href="route_with_country('meetups.edit', ['meetup' => $meetup])"
|
||||||
:href="$meetup->belongsToMe ? route_with_country('meetups.edit', ['meetup' => $meetup]) : null"
|
|
||||||
size="xs"
|
size="xs"
|
||||||
variant="filled" icon="pencil">
|
variant="filled" icon="pencil">
|
||||||
{{ __('Bearbeiten') }}
|
{{ __('Bearbeiten') }}
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ class extends Component {
|
|||||||
|
|
||||||
public function deleteEvent(MeetupEvent $event): void
|
public function deleteEvent(MeetupEvent $event): void
|
||||||
{
|
{
|
||||||
if ($this->meetup->belongsToMe) {
|
if ($this->meetup->leadByMe) {
|
||||||
$event->delete();
|
$event->delete();
|
||||||
$this->dispatch('event-deleted');
|
$this->dispatch('event-deleted');
|
||||||
Flux::modals()->close();
|
Flux::modals()->close();
|
||||||
@@ -231,7 +231,7 @@ class extends Component {
|
|||||||
<div class="mt-16">
|
<div class="mt-16">
|
||||||
<div class="flex flex-col sm:flex-row items-center sm:space-x-4 space-y-4 sm:space-y-0 mb-6">
|
<div class="flex flex-col sm:flex-row items-center sm:space-x-4 space-y-4 sm:space-y-0 mb-6">
|
||||||
<flux:heading size="xl">{{ __('Kommende Veranstaltungen') }}</flux:heading>
|
<flux:heading size="xl">{{ __('Kommende Veranstaltungen') }}</flux:heading>
|
||||||
@if(auth()->user() && auth()->user()->meetups()->find($meetup->id)?->exists)
|
@if($meetup->leadByMe)
|
||||||
<flux:button :href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
<flux:button :href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
||||||
variant="primary" icon="calendar">
|
variant="primary" icon="calendar">
|
||||||
{{ __('Neues Event erstellen') }}
|
{{ __('Neues Event erstellen') }}
|
||||||
@@ -281,7 +281,7 @@ class extends Component {
|
|||||||
>
|
>
|
||||||
{{ __('Öffnen/RSVP') }}
|
{{ __('Öffnen/RSVP') }}
|
||||||
</flux:button>
|
</flux:button>
|
||||||
@if($meetup->belongsToMe)
|
@if($meetup->leadByMe)
|
||||||
<flux:button
|
<flux:button
|
||||||
:href="route_with_country('meetups.events.edit', ['meetup' => $meetup, 'event' => $event])"
|
:href="route_with_country('meetups.events.edit', ['meetup' => $meetup, 'event' => $event])"
|
||||||
size="xs"
|
size="xs"
|
||||||
@@ -332,7 +332,7 @@ class extends Component {
|
|||||||
@else
|
@else
|
||||||
<div class="mt-16">
|
<div class="mt-16">
|
||||||
<div class="flex items-center space-x-4 mb-6">
|
<div class="flex items-center space-x-4 mb-6">
|
||||||
@if(auth()->user() && auth()->user()->meetups()->find($meetup->id)?->exists)
|
@if($meetup->leadByMe)
|
||||||
<flux:button :href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
<flux:button :href="route_with_country('meetups.events.create', ['meetup' => $meetup])"
|
||||||
variant="primary" icon="calendar">
|
variant="primary" icon="calendar">
|
||||||
{{ __('Neues Event erstellen') }}
|
{{ __('Neues Event erstellen') }}
|
||||||
|
|||||||
@@ -8,6 +8,7 @@ use App\Http\Controllers\Api\CourseEventController;
|
|||||||
use App\Http\Controllers\Api\LecturerController;
|
use App\Http\Controllers\Api\LecturerController;
|
||||||
use App\Http\Controllers\Api\MeetupController;
|
use App\Http\Controllers\Api\MeetupController;
|
||||||
use App\Http\Controllers\Api\MeetupEventController;
|
use App\Http\Controllers\Api\MeetupEventController;
|
||||||
|
use App\Http\Controllers\Api\MeetupLeaderController;
|
||||||
use App\Http\Controllers\Api\MeetupMapController;
|
use App\Http\Controllers\Api\MeetupMapController;
|
||||||
use App\Http\Controllers\Api\NostrPlebController;
|
use App\Http\Controllers\Api\NostrPlebController;
|
||||||
use App\Http\Controllers\Api\UserController;
|
use App\Http\Controllers\Api\UserController;
|
||||||
@@ -82,6 +83,12 @@ Route::middleware('auth:sanctum')
|
|||||||
Route::delete('my-meetups/{meetup:slug}', [MeetupController::class, 'removeFromMine'])->name('meetup.mine.remove');
|
Route::delete('my-meetups/{meetup:slug}', [MeetupController::class, 'removeFromMine'])->name('meetup.mine.remove');
|
||||||
Route::get('my-meetups/{meetup}', [MeetupController::class, 'mineShow'])->name('meetup.mine.show');
|
Route::get('my-meetups/{meetup}', [MeetupController::class, 'mineShow'])->name('meetup.mine.show');
|
||||||
|
|
||||||
|
// Leader-Delegation: bestehende Leader setzen weitere Leader per npub
|
||||||
|
// ein bzw. entziehen sie (meetup_user.is_leader). Siehe MeetupPolicy.
|
||||||
|
Route::get('meetup/{meetup}/leaders', [MeetupLeaderController::class, 'index'])->name('meetup.leaders.index');
|
||||||
|
Route::post('meetup/{meetup}/leaders', [MeetupLeaderController::class, 'store'])->name('meetup.leaders.store');
|
||||||
|
Route::delete('meetup/{meetup}/leaders/{user}', [MeetupLeaderController::class, 'destroy'])->name('meetup.leaders.destroy');
|
||||||
|
|
||||||
Route::post('meetup-events', [MeetupEventController::class, 'store'])->name('meetup-events.store');
|
Route::post('meetup-events', [MeetupEventController::class, 'store'])->name('meetup-events.store');
|
||||||
Route::patch('meetup-events/{meetupEvent}', [MeetupEventController::class, 'update'])->name('meetup-events.update');
|
Route::patch('meetup-events/{meetupEvent}', [MeetupEventController::class, 'update'])->name('meetup-events.update');
|
||||||
Route::get('my-meetup-events', [MeetupEventController::class, 'mine'])->name('meetup-events.mine');
|
Route::get('my-meetup-events', [MeetupEventController::class, 'mine'])->name('meetup-events.mine');
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ use Laravel\Sanctum\Sanctum;
|
|||||||
|
|
||||||
it('creates a weekly series of individual events', function () {
|
it('creates a weekly series of individual events', function () {
|
||||||
Sanctum::actingAs($user = User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => $meetup->id,
|
'meetup_id' => $meetup->id,
|
||||||
@@ -32,8 +32,8 @@ it('creates a weekly series of individual events', function () {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('creates a monthly series of individual events', function () {
|
it('creates a monthly series of individual events', function () {
|
||||||
Sanctum::actingAs(User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => $meetup->id,
|
'meetup_id' => $meetup->id,
|
||||||
@@ -48,8 +48,8 @@ it('creates a monthly series of individual events', function () {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('caps the series at 100 occurrences', function () {
|
it('caps the series at 100 occurrences', function () {
|
||||||
Sanctum::actingAs(User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => $meetup->id,
|
'meetup_id' => $meetup->id,
|
||||||
@@ -63,8 +63,8 @@ it('caps the series at 100 occurrences', function () {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('still creates a single event without recurrence fields', function () {
|
it('still creates a single event without recurrence fields', function () {
|
||||||
Sanctum::actingAs(User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => $meetup->id,
|
'meetup_id' => $meetup->id,
|
||||||
@@ -78,8 +78,8 @@ it('still creates a single event without recurrence fields', function () {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('creates a single event when recurrence_type is set but no end date', function () {
|
it('creates a single event when recurrence_type is set but no end date', function () {
|
||||||
Sanctum::actingAs(User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => $meetup->id,
|
'meetup_id' => $meetup->id,
|
||||||
|
|||||||
@@ -11,11 +11,13 @@ it('rejects a guest', function () {
|
|||||||
$response->assertUnauthorized();
|
$response->assertUnauthorized();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('lets an authenticated user create', function () {
|
it('lets a leader of the meetup create an event', function () {
|
||||||
Sanctum::actingAs($user = User::factory()->create());
|
Sanctum::actingAs($user = User::factory()->create());
|
||||||
|
// Ersteller wird per booted-Hook automatisch Leader des Meetups.
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
|
||||||
|
|
||||||
$response = $this->postJson('/api/meetup-events', [
|
$response = $this->postJson('/api/meetup-events', [
|
||||||
'meetup_id' => Meetup::factory()->create()->id,
|
'meetup_id' => $meetup->id,
|
||||||
'start' => '2026-08-01 18:00:00',
|
'start' => '2026-08-01 18:00:00',
|
||||||
'location' => 'Marktplatz',
|
'location' => 'Marktplatz',
|
||||||
]);
|
]);
|
||||||
@@ -28,6 +30,47 @@ it('lets an authenticated user create', function () {
|
|||||||
]);
|
]);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('lets a delegated leader create an event for the meetup', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||||
|
$leader = User::factory()->create();
|
||||||
|
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||||
|
|
||||||
|
Sanctum::actingAs($leader);
|
||||||
|
$this->postJson('/api/meetup-events', [
|
||||||
|
'meetup_id' => $meetup->id,
|
||||||
|
'start' => '2026-08-01 18:00:00',
|
||||||
|
'location' => 'Marktplatz',
|
||||||
|
])->assertCreated();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('forbids creating an event for a meetup the user does not lead', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||||
|
$member = User::factory()->create();
|
||||||
|
$meetup->addMember($member); // is_leader = false
|
||||||
|
|
||||||
|
Sanctum::actingAs($member);
|
||||||
|
$this->postJson('/api/meetup-events', [
|
||||||
|
'meetup_id' => $meetup->id,
|
||||||
|
'start' => '2026-08-01 18:00:00',
|
||||||
|
'location' => 'Marktplatz',
|
||||||
|
])->assertForbidden();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('lets a meetup leader edit an event created by someone else', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||||
|
$leader = User::factory()->create();
|
||||||
|
$meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||||
|
$event = MeetupEvent::factory()->create([
|
||||||
|
'meetup_id' => $meetup->id,
|
||||||
|
'created_by' => User::factory()->create()->id,
|
||||||
|
]);
|
||||||
|
|
||||||
|
Sanctum::actingAs($leader);
|
||||||
|
$this->patchJson("/api/meetup-events/{$event->id}", ['location' => 'Rathaus'])
|
||||||
|
->assertSuccessful()
|
||||||
|
->assertJsonPath('data.location', 'Rathaus');
|
||||||
|
});
|
||||||
|
|
||||||
it('fails validation', function () {
|
it('fails validation', function () {
|
||||||
Sanctum::actingAs(User::factory()->create());
|
Sanctum::actingAs(User::factory()->create());
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,158 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use App\Models\City;
|
||||||
|
use App\Models\Country;
|
||||||
|
use App\Models\Meetup;
|
||||||
|
use App\Models\User;
|
||||||
|
use Laravel\Sanctum\Sanctum;
|
||||||
|
use swentel\nostr\Key\Key as NostrKey;
|
||||||
|
|
||||||
|
beforeEach(function () {
|
||||||
|
$country = Country::factory()->create(['code' => 'de']);
|
||||||
|
$this->city = City::factory()->create(['country_id' => $country->id]);
|
||||||
|
$this->creator = User::factory()->create();
|
||||||
|
// Der created-Hook trägt den Ersteller automatisch als Leader ein.
|
||||||
|
$this->meetup = Meetup::factory()->create([
|
||||||
|
'city_id' => $this->city->id,
|
||||||
|
'created_by' => $this->creator->id,
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
|
||||||
|
/** Deterministischer, gültiger npub aus einem 64-stelligen Hex-Pubkey. */
|
||||||
|
function npubFromHex(string $hex): string
|
||||||
|
{
|
||||||
|
return (new NostrKey)->convertPublicKeyToBech32($hex);
|
||||||
|
}
|
||||||
|
|
||||||
|
it('rejects a guest listing leaders', function () {
|
||||||
|
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertUnauthorized();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('lists the creator as a protected leader', function () {
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
|
||||||
|
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")
|
||||||
|
->assertSuccessful()
|
||||||
|
->assertJsonPath('data.0.id', $this->creator->id)
|
||||||
|
->assertJsonPath('data.0.is_creator', true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('forbids a plain member from managing leaders', function () {
|
||||||
|
$member = User::factory()->create();
|
||||||
|
$this->meetup->addMember($member); // is_leader = false
|
||||||
|
|
||||||
|
Sanctum::actingAs($member);
|
||||||
|
|
||||||
|
$this->getJson("/api/meetup/{$this->meetup->id}/leaders")->assertForbidden();
|
||||||
|
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('1', 64, '0'))])
|
||||||
|
->assertForbidden();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('lets a leader appoint a new leader by npub, creating the account', function () {
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
$npub = npubFromHex(str_pad('a', 64, 'a'));
|
||||||
|
|
||||||
|
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub])
|
||||||
|
->assertCreated();
|
||||||
|
|
||||||
|
$newUser = User::where('nostr', $npub)->firstOrFail();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('meetup_user', [
|
||||||
|
'meetup_id' => $this->meetup->id,
|
||||||
|
'user_id' => $newUser->id,
|
||||||
|
'is_leader' => true,
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('promotes an existing member instead of duplicating', function () {
|
||||||
|
$npub = npubFromHex(str_pad('b', 64, 'b'));
|
||||||
|
$existing = User::factory()->create(['nostr' => $npub]);
|
||||||
|
$this->meetup->addMember($existing); // is_leader = false
|
||||||
|
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => $npub])
|
||||||
|
->assertCreated();
|
||||||
|
|
||||||
|
expect($this->meetup->users()->whereKey($existing->id)->count())->toBe(1);
|
||||||
|
$this->assertDatabaseHas('meetup_user', [
|
||||||
|
'meetup_id' => $this->meetup->id,
|
||||||
|
'user_id' => $existing->id,
|
||||||
|
'is_leader' => true,
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('rejects an invalid npub', function () {
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
|
||||||
|
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => 'not-an-npub'])
|
||||||
|
->assertUnprocessable()
|
||||||
|
->assertJsonValidationErrors(['npub']);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('lets a delegated leader appoint further leaders', function () {
|
||||||
|
// Ersteller befördert ein Mitglied zum Leader …
|
||||||
|
$delegate = User::factory()->create();
|
||||||
|
$this->meetup->users()->syncWithoutDetaching([$delegate->id => ['is_leader' => true]]);
|
||||||
|
|
||||||
|
// … der dann selbst weitere Leader einsetzen darf.
|
||||||
|
Sanctum::actingAs($delegate);
|
||||||
|
$this->postJson("/api/meetup/{$this->meetup->id}/leaders", ['npub' => npubFromHex(str_pad('c', 64, 'c'))])
|
||||||
|
->assertCreated();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('demotes a leader but keeps the membership', function () {
|
||||||
|
$leader = User::factory()->create();
|
||||||
|
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||||
|
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
$this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$leader->id}")
|
||||||
|
->assertSuccessful();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('meetup_user', [
|
||||||
|
'meetup_id' => $this->meetup->id,
|
||||||
|
'user_id' => $leader->id,
|
||||||
|
'is_leader' => false,
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('never lets the creator be demoted', function () {
|
||||||
|
$leader = User::factory()->create();
|
||||||
|
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||||
|
|
||||||
|
Sanctum::actingAs($leader);
|
||||||
|
$this->deleteJson("/api/meetup/{$this->meetup->id}/leaders/{$this->creator->id}")
|
||||||
|
->assertForbidden();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('meetup_user', [
|
||||||
|
'meetup_id' => $this->meetup->id,
|
||||||
|
'user_id' => $this->creator->id,
|
||||||
|
'is_leader' => true,
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('lets a delegated leader edit the meetup master data', function () {
|
||||||
|
$leader = User::factory()->create();
|
||||||
|
$this->meetup->users()->syncWithoutDetaching([$leader->id => ['is_leader' => true]]);
|
||||||
|
|
||||||
|
Sanctum::actingAs($leader);
|
||||||
|
$this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Renamed by leader'])
|
||||||
|
->assertSuccessful()
|
||||||
|
->assertJsonPath('data.name', 'Renamed by leader');
|
||||||
|
});
|
||||||
|
|
||||||
|
it('forbids a plain member from editing the meetup master data', function () {
|
||||||
|
$member = User::factory()->create();
|
||||||
|
$this->meetup->addMember($member); // is_leader = false
|
||||||
|
|
||||||
|
Sanctum::actingAs($member);
|
||||||
|
$this->patchJson("/api/meetup/{$this->meetup->id}", ['name' => 'Hacked'])
|
||||||
|
->assertForbidden();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('exposes is_leader on the my-meetups listing', function () {
|
||||||
|
Sanctum::actingAs($this->creator);
|
||||||
|
|
||||||
|
$this->getJson('/api/my-meetups')
|
||||||
|
->assertSuccessful()
|
||||||
|
->assertJsonPath('data.0.is_leader', true);
|
||||||
|
});
|
||||||
@@ -0,0 +1,46 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use App\Models\City;
|
||||||
|
use App\Models\Country;
|
||||||
|
use App\Models\Meetup;
|
||||||
|
use App\Models\User;
|
||||||
|
use Illuminate\Support\Facades\DB;
|
||||||
|
|
||||||
|
beforeEach(function () {
|
||||||
|
$country = Country::factory()->create(['code' => 'de']);
|
||||||
|
$this->city = City::factory()->create(['country_id' => $country->id]);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('promotes all existing members to leaders', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||||
|
$member = User::factory()->create();
|
||||||
|
$meetup->addMember($member); // is_leader = false
|
||||||
|
|
||||||
|
expect($meetup->isLeader($member))->toBeFalse();
|
||||||
|
|
||||||
|
$this->artisan('meetups:promote-existing-leaders')->assertSuccessful();
|
||||||
|
|
||||||
|
expect($meetup->fresh()->isLeader($member))->toBeTrue();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('ensures the creator is a leader even for legacy meetups without a pivot row', function () {
|
||||||
|
$creator = User::factory()->create();
|
||||||
|
$meetup = Meetup::factory()->create(['city_id' => $this->city->id, 'created_by' => $creator->id]);
|
||||||
|
// Alt-Meetup simulieren: Ersteller-Pivot entfernen.
|
||||||
|
$meetup->users()->detach();
|
||||||
|
expect($meetup->hasMember($creator))->toBeFalse();
|
||||||
|
|
||||||
|
$this->artisan('meetups:promote-existing-leaders')->assertSuccessful();
|
||||||
|
|
||||||
|
expect($meetup->fresh()->isLeader($creator))->toBeTrue();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('does not write on a dry run', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||||
|
$member = User::factory()->create();
|
||||||
|
$meetup->addMember($member);
|
||||||
|
|
||||||
|
$this->artisan('meetups:promote-existing-leaders --dry-run')->assertSuccessful();
|
||||||
|
|
||||||
|
expect(DB::table('meetup_user')->where('user_id', $member->id)->value('is_leader'))->toBe(0);
|
||||||
|
});
|
||||||
@@ -6,8 +6,8 @@ use App\Models\MeetupEvent;
|
|||||||
use Livewire\Livewire;
|
use Livewire\Livewire;
|
||||||
|
|
||||||
it('creates a weekly series via the web editor using the shared action', function () {
|
it('creates a weekly series via the web editor using the shared action', function () {
|
||||||
actingAsUser();
|
// Termin-Verwaltung erfordert Leaderschaft; Ersteller ist per Hook Leader.
|
||||||
$meetup = Meetup::factory()->create();
|
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||||
|
|
||||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||||
->set('seriesMode', true)
|
->set('seriesMode', true)
|
||||||
@@ -22,15 +22,15 @@ it('creates a weekly series via the web editor using the shared action', functio
|
|||||||
->assertHasNoErrors()
|
->assertHasNoErrors()
|
||||||
->assertRedirect();
|
->assertRedirect();
|
||||||
|
|
||||||
// The web editor parses the end date at midnight, so the occurrence on the end
|
// Das Enddatum aus dem Datums-Picker gilt inklusiv bis zum Tagesende
|
||||||
// date's evening falls outside the range: 2026-07-01, 07-08, 07-15, 07-22 = 4.
|
// (endOfDay), daher ist das Vorkommen am Enddatum-Abend dabei:
|
||||||
// The shared action yields the identical result for the same inputs.
|
// 2026-07-01, 07-08, 07-15, 07-22, 07-29 = 5. Deterministisch, unabhängig
|
||||||
expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(4);
|
// von der Laufzeit-Uhrzeit.
|
||||||
|
expect(MeetupEvent::where('meetup_id', $meetup->id)->count())->toBe(5);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('previews the same dates it will create', function () {
|
it('previews the same dates it will create', function () {
|
||||||
actingAsUser();
|
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||||
$meetup = Meetup::factory()->create();
|
|
||||||
|
|
||||||
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||||
->set('seriesMode', true)
|
->set('seriesMode', true)
|
||||||
@@ -38,5 +38,5 @@ it('previews the same dates it will create', function () {
|
|||||||
->set('startTime', '18:00')
|
->set('startTime', '18:00')
|
||||||
->set('endDate', '2026-07-29')
|
->set('endDate', '2026-07-29')
|
||||||
->set('recurrenceType', RecurrenceType::Weekly->value)
|
->set('recurrenceType', RecurrenceType::Weekly->value)
|
||||||
->assertSet('previewDates', fn ($dates) => count($dates) === 4);
|
->assertSet('previewDates', fn ($dates) => count($dates) === 5);
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -63,23 +63,38 @@ it('allows update when name is unchanged (Rule::unique ignores own id)', functio
|
|||||||
->assertHasNoErrors();
|
->assertHasNoErrors();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('allows updateMeetup for a member of the meetup_user pivot who is not the creator', function () {
|
it('allows updateMeetup for a delegated leader who is not the creator', function () {
|
||||||
|
$leader = actingAsUser();
|
||||||
|
$meetup = Meetup::factory()->create([
|
||||||
|
'city_id' => $this->city->id,
|
||||||
|
'name' => 'Original Name',
|
||||||
|
'created_by' => User::factory()->create()->id,
|
||||||
|
]);
|
||||||
|
$meetup->users()->attach($leader, ['is_leader' => true]);
|
||||||
|
|
||||||
|
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||||
|
->set('name', 'Updated By Leader')
|
||||||
|
->set('city_id', $this->city->id)
|
||||||
|
->set('community', 'einundzwanzig')
|
||||||
|
->call('updateMeetup')
|
||||||
|
->assertHasNoErrors();
|
||||||
|
|
||||||
|
expect($meetup->refresh()->name)->toBe('Updated By Leader');
|
||||||
|
});
|
||||||
|
|
||||||
|
it('blocks updateMeetup for a plain member (is_leader = false) who is not the creator', function () {
|
||||||
$member = actingAsUser();
|
$member = actingAsUser();
|
||||||
$meetup = Meetup::factory()->create([
|
$meetup = Meetup::factory()->create([
|
||||||
'city_id' => $this->city->id,
|
'city_id' => $this->city->id,
|
||||||
'name' => 'Original Name',
|
'name' => 'Original Name',
|
||||||
'created_by' => User::factory()->create()->id,
|
'created_by' => User::factory()->create()->id,
|
||||||
]);
|
]);
|
||||||
$meetup->users()->attach($member);
|
$meetup->users()->attach($member, ['is_leader' => false]);
|
||||||
|
|
||||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||||
->set('name', 'Updated By Member')
|
->assertStatus(403);
|
||||||
->set('city_id', $this->city->id)
|
|
||||||
->set('community', 'einundzwanzig')
|
|
||||||
->call('updateMeetup')
|
|
||||||
->assertHasNoErrors();
|
|
||||||
|
|
||||||
expect($meetup->refresh()->name)->toBe('Updated By Member');
|
expect($meetup->refresh()->name)->toBe('Original Name');
|
||||||
});
|
});
|
||||||
|
|
||||||
it('blocks updateMeetup when the user is neither creator nor pivot member', function () {
|
it('blocks updateMeetup when the user is neither creator nor pivot member', function () {
|
||||||
|
|||||||
@@ -0,0 +1,29 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use App\Models\Meetup;
|
||||||
|
use App\Models\User;
|
||||||
|
use Livewire\Livewire;
|
||||||
|
|
||||||
|
it('lets a leader open the event editor', function () {
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => actingAsUser()->id]);
|
||||||
|
|
||||||
|
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||||
|
->assertOk();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('blocks a non-leader member from the event editor', function () {
|
||||||
|
$member = actingAsUser();
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||||
|
$meetup->addMember($member); // is_leader = false
|
||||||
|
|
||||||
|
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||||
|
->assertStatus(403);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('blocks a stranger from the event editor', function () {
|
||||||
|
actingAsUser();
|
||||||
|
$meetup = Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
|
||||||
|
|
||||||
|
Livewire::test('meetups.create-edit-events', ['meetup' => $meetup])
|
||||||
|
->assertStatus(403);
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user