Files
InvoiceShelf/app/Http/Requests/MemberRequest.php
Darko Gjorgjijoski d3202b8b2a fix(members): scope member view & update to the acting company
Member view/update bound the target user by global id and authorized only that the requester owns their active company, not that the target belonged to it. Bind the route model under the members param and require shared company membership in UserPolicy so an owner of one company can no longer read or modify users of another.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 23:42:11 +02:00

75 lines
1.6 KiB
PHP

<?php
namespace App\Http\Requests;
use App\Rules\IdnEmail;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;
class MemberRequest extends FormRequest
{
/**
* Determine if the user is authorized to make this request.
*/
public function authorize(): bool
{
return true;
}
/**
* Get the validation rules that apply to the request.
*/
public function rules(): array
{
$rules = [
'name' => [
'required',
],
'email' => [
'required',
new IdnEmail,
Rule::unique('users'),
],
'phone' => [
'nullable',
],
'password' => [
'required',
'min:8',
],
'companies' => [
'required',
],
'companies.*.id' => [
'required',
],
'companies.*.role' => [
'required',
],
];
if ($this->getMethod() == 'PUT') {
$rules['email'] = [
'required',
new IdnEmail,
Rule::unique('users')->ignore($this->member),
];
$rules['password'] = [
'nullable',
'min:8',
];
}
return $rules;
}
public function getUserPayload()
{
return collect($this->validated())
->merge([
'creator_id' => $this->user()->id,
])
->toArray();
}
}