diff --git a/src/Mcp/Tools/Commerce/CreateCoupon.php b/src/Mcp/Tools/Commerce/CreateCoupon.php index 04385b2..43d6529 100644 --- a/src/Mcp/Tools/Commerce/CreateCoupon.php +++ b/src/Mcp/Tools/Commerce/CreateCoupon.php @@ -1,19 +1,44 @@ getWorkspace(); + $user = Auth::user(); + + // Verify the caller has permission (admin role check) + $isHades = $user && method_exists($user, 'isHades') && $user->isHades(); + $isWorkspaceAdmin = $user && $workspace->users() + ->wherePivotIn('role', ['admin', 'owner']) + ->where('users.id', $user->id) + ->exists(); + + // If authenticated via API key, we trust the key has proper workspace access + // but we still want to ensure it's not a restricted key if possible. + if (! $isHades && ! $isWorkspaceAdmin && ! $request->attributes->has('api_key')) { + return Response::text(json_encode([ + 'error' => 'Unauthorised. Admin permissions required to create coupons.', + ])); + } + $code = strtoupper($request->input('code')); $name = $request->input('name'); $type = $request->input('type', 'percentage'); @@ -29,10 +54,10 @@ public function handle(Request $request): Response ])); } - // Check for existing code - if (Coupon::where('code', $code)->exists()) { + // Check for existing code (workspace-scoped) + if (Coupon::where('code', $code)->where('workspace_id', $workspace->id)->exists()) { return Response::text(json_encode([ - 'error' => 'A coupon with this code already exists.', + 'error' => 'A coupon with this code already exists in this workspace.', ])); } @@ -52,6 +77,7 @@ public function handle(Request $request): Response try { $coupon = Coupon::create([ + 'workspace_id' => $workspace->id, 'code' => $code, 'name' => $name, 'type' => $type,
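Review bot: The API-key branch of the new permission check is a bypass rather than a check: once `$request->attributes->has('api_key')` is true the admin/owner requirement is skipped for any key, even though the comment directly above it says the key's restrictions should still be verified. Until that verification exists the condition should fail closed, e.g. replace `! $request->attributes->has('api_key')` with a boolean that is only true when the presented key is confirmed to belong to `$workspace` and to carry coupon-management rights (the key model is not visible here, so the exact lookup has to come from the API-key middleware), and the refusal should be logged with the caller identity so misuse is detectable. The start of this hunk, including the `getWorkspace()` call and the `handle()` signature, appears to have been lost in extraction, so whether `$workspace` can be null before `$workspace->users()` is dereferenced cannot be confirmed from what is visible; a guard returning the same JSON error shape if it is would keep the check from throwing instead of refusing.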
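Review bot: The workspace-scoped existence check `Coupon::where('code', $code)->where('workspace_id', $workspace->id)->exists()` is check-then-act, so two concurrent requests with the same code can both pass it and both reach the `Coupon::create` call in the following hunk. Uniqueness needs to be enforced by the database with a composite unique index on `(workspace_id, code)`, with the create translating the unique-violation exception into the same `'A coupon with this code already exists in this workspace.'` response; the pre-check can remain as a fast path. If the previous schema had a unique index on `code` alone, the same migration must drop it, otherwise the cross-workspace reuse this change now intends to allow fails at insert time — the migrations are not visible here, so that is worth confirming.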