mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 13:55:21 +00:00
Member view/update bound the target user by global id and authorized only that the requester owns their active company, not that the target belonged to it. Bind the route model under the members param and require shared company membership in UserPolicy so an owner of one company can no longer read or modify users of another. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
75 lines
1.6 KiB
PHP
75 lines
1.6 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Requests;
|
|
|
|
use App\Rules\IdnEmail;
|
|
use Illuminate\Foundation\Http\FormRequest;
|
|
use Illuminate\Validation\Rule;
|
|
|
|
class MemberRequest extends FormRequest
|
|
{
|
|
/**
|
|
* Determine if the user is authorized to make this request.
|
|
*/
|
|
public function authorize(): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Get the validation rules that apply to the request.
|
|
*/
|
|
public function rules(): array
|
|
{
|
|
$rules = [
|
|
'name' => [
|
|
'required',
|
|
],
|
|
'email' => [
|
|
'required',
|
|
new IdnEmail,
|
|
Rule::unique('users'),
|
|
],
|
|
'phone' => [
|
|
'nullable',
|
|
],
|
|
'password' => [
|
|
'required',
|
|
'min:8',
|
|
],
|
|
'companies' => [
|
|
'required',
|
|
],
|
|
'companies.*.id' => [
|
|
'required',
|
|
],
|
|
'companies.*.role' => [
|
|
'required',
|
|
],
|
|
];
|
|
|
|
if ($this->getMethod() == 'PUT') {
|
|
$rules['email'] = [
|
|
'required',
|
|
new IdnEmail,
|
|
Rule::unique('users')->ignore($this->member),
|
|
];
|
|
$rules['password'] = [
|
|
'nullable',
|
|
'min:8',
|
|
];
|
|
}
|
|
|
|
return $rules;
|
|
}
|
|
|
|
public function getUserPayload()
|
|
{
|
|
return collect($this->validated())
|
|
->merge([
|
|
'creator_id' => $this->user()->id,
|
|
])
|
|
->toArray();
|
|
}
|
|
}
|