add school year and security fix
API CI/CD / Validate (composer + pint) (push) Successful in 3m14s
API CI/CD / Test (PHPUnit) (push) Failing after 3m28s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 56s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped

This commit is contained in:
root
2026-07-06 00:55:01 -04:00
parent 99782c2a3c
commit 39228168c8
40 changed files with 20370 additions and 70 deletions
Binary file not shown.
@@ -0,0 +1,34 @@
<?php
namespace App\Http\Middleware;
use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;
class EnsureAccountActive
{
public function handle(Request $request, Closure $next): Response
{
/** @var User|null $user */
$user = Auth::user() ?: $request->user();
if (! $user) {
return response()->json(['message' => 'Unauthorized.'], 401);
}
$status = strtolower(trim((string) ($user->status ?? '')));
$isVerified = filter_var($user->is_verified ?? false, FILTER_VALIDATE_BOOLEAN);
$isSuspended = filter_var($user->is_suspended ?? false, FILTER_VALIDATE_BOOLEAN);
if (! $isVerified || $status !== 'active' || $isSuspended) {
return response()->json([
'message' => 'Account unavailable.',
], 403);
}
return $next($request);
}
}
@@ -0,0 +1,23 @@
<?php
namespace App\Http\Requests\SchoolYears;
use App\Services\Auth\PermissionCheckService;
use Illuminate\Foundation\Http\FormRequest;
class ArchiveSchoolYearRequest extends FormRequest
{
public function authorize(): bool
{
$userId = (int) ($this->user()?->id ?? 0);
return app(PermissionCheckService::class)->hasPermission($userId, 'school_year.archive');
}
public function rules(): array
{
return [
'reason' => ['nullable', 'string', 'max:1000'],
];
}
}
@@ -0,0 +1,23 @@
<?php
namespace App\Http\Requests\SchoolYears;
use App\Services\Auth\PermissionCheckService;
use Illuminate\Foundation\Http\FormRequest;
class ReopenSchoolYearRequest extends FormRequest
{
public function authorize(): bool
{
$userId = (int) ($this->user()?->id ?? 0);
return app(PermissionCheckService::class)->hasPermission($userId, 'school_year.reopen');
}
public function rules(): array
{
return [
'reason' => ['nullable', 'string', 'max:1000'],
];
}
}