einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-18 20:34:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔄 **Refactor and extend meetup membership-based authorization**

Browse Source 
- Updated `authorizeAccess` to restrict `meetups.edit` views and updates to users in "My-Meetups".
- Attached creators to `meetup_user` pivot for default membership.
- Adjusted related tests to validate membership-based edit permissions.

📱 **Improve sidebar and mobile navigation accessibility**
- Added `aria-labels` to improve screen reader support for sidebar and mobile header elements.
- Updated desktop and mobile user menus alignment for consistency.

 **Enhance Lightning login flow**
- Introduced `lightningLoginInProgress` for smoother polling synchronization with the redirect flow.
- Updated logic to dispatch `lightning-login-ready` event instead of immediate redirect, avoiding race conditions.
This commit is contained in:
HolgerHatGarKeineNode
2026-05-17 17:28:17 +02:00
parent 9582880dbf
commit bf9654de87
9 changed files with 183 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/views/livewire/meetups/create.blade.php
+6 -1
View File
@@ -83,7 +83,12 @@ class extends Component {
'visible_on_map' => ['boolean'],
]);
$meetup = Meetup::create($validated);
$meetup = Meetup::create($validated + ['created_by' => auth()->id()]);
// Attach the creator to meetup_user so they appear under "My-Meetups"
// and pass the new edit-permission check (which is based on this pivot,
// not on created_by).
$meetup->users()->attach(auth()->id());
if ($this->logo) {
$meetup
resources/views/livewire/meetups/edit.blade.php
+14 -4
View File
@@ -84,13 +84,23 @@ class extends Component {
}
/**
* Enforce that only the meetup's creator may load or update this view.
* Mirrors services/edit and lecturer-edit. Removing this guard reopens
* the IDOR closed by 90835f8 (security: critical fixes / edit authz).
* Enforce that only users who have added the meetup to their personal
* "My-Meetups" list (the meetup_user pivot) may load or update this view.
* Editing is intentionally not restricted to the original `created_by`
* any member of the meetup's user list is treated as an editor.
*/
protected function authorizeAccess(): void
{
if (! is_null($this->meetup->created_by) && auth()->id() !== $this->meetup->created_by) {
if (! auth()->check()) {
abort(403);
}
$isMember = $this->meetup
->users()
->whereKey(auth()->id())
->exists();
if (! $isMember) {
abort(403);
}
}