chore: pr review

Author: smarcet

app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php

@@ -3209,7 +3209,7 @@ public function deleteSocialNetwork($summit_id, $sponsor_id, $social_network_id)
 
     #[OA\Get(
         path: "/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions",
-        description: "required-groups " . IGroup::SuperAdmins . ", " . IGroup::Administrators . ", " . IGroup::SummitAdministrators . ", " . IGroup::Sponsors,
+        description: "required-groups " . IGroup::SuperAdmins . ", " . IGroup::Administrators . ", " . IGroup::SummitAdministrators . ", " . IGroup::Sponsors . ", " . IGroup::SponsorExternalUsers,
         summary: 'Read Sponsor Extra Questions',
         operationId: 'getSponsorExtraQuestions',
         tags: ['Sponsors'],
@@ -3424,6 +3424,7 @@ public function getMetadata($summit_id)
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],

database/migrations/config/APIEndpointsMigrationHelper.php

@@ -39,10 +39,10 @@ trait APIEndpointsMigrationHelper
      * @param string $apiName       API identifier (e.g., 'summits')
      * @param string $endpointName  Endpoint identifier (e.g., 'get-sponsor-extra-questions')
      * @param string $route         Route pattern (e.g., '/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions')
-     * @param string $httpMethod    HTTP method as serialized PHP array (e.g., 'a:1:{i:0;s:3:"GET";}')
+     * @param string $httpMethod    Plain HTTP method string (e.g., 'GET', 'POST', 'PUT', 'DELETE')
      * @param bool   $active        Whether the endpoint is active (default: true)
-     * @param bool   $allowCors     Whether to allow CORS (default: false)
-     * @param bool   $allowCredentials Whether to allow credentials (default: false)
+     * @param bool   $allowCors     Whether to allow CORS (default: true, matches seedApiEndpoints behavior)
+     * @param bool   $allowCredentials Whether to allow credentials (default: true, matches seedApiEndpoints behavior)
      * @return string SQL INSERT statement
      */
     protected function insertEndpoint(
@@ -51,8 +51,8 @@ protected function insertEndpoint(
         string $route,
         string $httpMethod,
         bool $active = true,
-        bool $allowCors = false,
-        bool $allowCredentials = false
+        bool $allowCors = true,
+        bool $allowCredentials = true
     ): string {
         $activeInt = $active ? 1 : 0;
         $corsInt = $allowCors ? 1 : 0;
@@ -195,16 +195,22 @@ protected function deleteEndpointAuthzGroup(string $apiName, string $endpointNam
     /**
      * Generate DELETE for endpoint_api_scopes table (all associations for given scopes).
      *
-     * @param array $scopes List of scope URIs to remove associations for
+     * Constrained by API to prevent removing associations for other APIs that may
+     * reuse the same scope URI (api_scopes.name has no global uniqueness constraint).
+     *
+     * @param string $apiName API identifier (e.g., 'summits')
+     * @param array  $scopes  List of scope URIs to remove associations for
      * @return string SQL DELETE statement
      */
-    protected function deleteScopesEndpoints(array $scopes): string
+    protected function deleteScopesEndpoints(string $apiName, array $scopes): string
     {
         $scopeList = "'" . implode("', '", $scopes) . "'";
         return <<<SQL
 DELETE eas FROM endpoint_api_scopes eas
 INNER JOIN api_scopes s ON s.id = eas.scope_id
-WHERE s.name IN ({$scopeList});
+INNER JOIN apis a ON a.id = s.api_id
+WHERE a.name = '{$apiName}'
+  AND s.name IN ({$scopeList});
 SQL;
     }
 

database/migrations/config/Version20260408143000.php

@@ -102,7 +102,7 @@ public function down(Schema $schema): void
 
         // Reverse order: authz groups → endpoint scopes → api scopes
         $this->addSql($this->deleteEndpointAuthzGroup(self::API_NAME, 'get-sponsor-extra-questions', $externalGroupSlug));
-        $this->addSql($this->deleteScopesEndpoints([$readScope, $writeScope]));
+        $this->addSql($this->deleteScopesEndpoints(self::API_NAME, [$readScope, $writeScope]));
         $this->addSql($this->deleteApiScopes(self::API_NAME, [$readScope, $writeScope]));
     }
 }