replace hardcoded inertia props with organization delete/update perms

update and invalid email

.env.ci

@@ -34,7 +34,12 @@ SESSION_DRIVER=database
 SESSION_LIFETIME=120
 
 # Mail
-MAIL_MAILER=log
+MAIL_MAILER=smtp
+MAIL_HOST=localhost
+MAIL_PORT=1025
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
 MAIL_FROM_ADDRESS="no-reply@solidtime.test"
 MAIL_FROM_NAME="solidtime"
 MAIL_REPLY_TO_ADDRESS="hello@solidtime.test"
@@ -55,4 +60,7 @@ AUDITING_ENABLED=true
 TELESCOPE_ENABLED=false
 
 # Services
-GOTENBERG_URL=http://0.0.0.0:3000
+GOTENBERG_URL=http://localhost:3000
+
+# Octane
+OCTANE_SERVER=frankenphp

.env.example

@@ -77,11 +77,13 @@ TELESCOPE_ENABLED=false
 # Services
 GOTENBERG_URL=http://gotenberg:3000
 
+# Octane
+OCTANE_SERVER=frankenphp
+
 # Local setup
 NGINX_HOST_NAME=solidtime.test
 NETWORK_NAME=reverse-proxy-docker-traefik_routing
-FORWARD_DB_PORT=5432
-FORWARD_WEB_PORT=8083
+FORWARD_DB_PORT=54329
 VITE_HOST_NAME=vite.solidtime.test
 VITE_APP_NAME="${APP_NAME}"
 #SAIL_XDEBUG_MODE=develop,debug,coverage

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,11 @@
-<!--
-This project is early stage. The structure and APIs are still subject to change and not stable.
-Therefore, we do not currently accept any contributions, unless you are a member of the team.
+## What does this PR do?
 
-As soon as we feel comfortable enough that the application structure is stable enough, we will open up the project for contributions.
+<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 
-We do accept contributions in the [documentation repository](https://github.com/solidtime-io/docs) f.e. to add new self-hosting guides.
--->
+- Fixes #XXXX (GitHub issue number)
+
+## Checklist (DO NOT REMOVE)
+
+- [ ] I read the [contributing guide](https://github.com/solidtime-io/solidtime/blob/main/CONTRIBUTING.md)
+- [ ] I signed the [Contributor License Agreement](https://cla-assistant.io/solidtime-io/solidtime).
+- [ ] I commented my code, particularly in hard-to-understand areas

.github/workflows/build-onpremise.yml

@@ -0,0 +1,216 @@
+on:
+  push:
+    branches:
+      - main
+      - develop
+    tags:
+      - '*'
+  pull_request:
+    paths:
+      - '.github/workflows/build-onpremise.yml'
+      - 'docker/prod/**'
+  workflow_dispatch:
+
+permissions:
+  packages: write
+  contents: read
+  attestations: write
+  id-token: write
+
+env:
+  DOCKER_REPO: registry.on-premise.solidtime.io/solidtime/solidtime
+
+name: Build - On Premise
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runs-on: "ubuntu-24.04-arm"
+            platform: "linux/arm64"
+          - runs-on: "ubuntu-24.04"
+            platform: "linux/amd64"
+    runs-on: ${{ matrix.runs-on }}
+    timeout-minutes: 90
+
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for WyriHaximus/github-action-get-previous-tag
+
+      - name: "Get build"
+        id: release-build
+        run: echo "build=$(git rev-parse --short=8 HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: "Get Previous tag (normal push)"
+        id: previoustag
+        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        uses: "WyriHaximus/github-action-get-previous-tag@v1"
+        with:
+          prefix: "v"
+
+      - name: "Get version"
+        id: release-version
+        run: |
+          if ${{ !startsWith(github.ref, 'refs/tags/v') }}; then
+            if ${{ startsWith(steps.previoustag.outputs.tag, 'v') }}; then
+              version=$(echo "${{ steps.previoustag.outputs.tag }}" | cut -c 2-)
+              echo "app_version=${version}" >> "$GITHUB_OUTPUT"
+            else
+              echo "ERROR: No previous tag found";
+              exit 1;
+            fi
+          else
+            version=$(echo "${{ github.ref }}" | cut -c 12-)
+            echo "app_version=${version}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: "Copy .env template for production"
+        run: |
+          cp .env.production .env
+          rm .env.production .env.ci .env.example
+
+      - name: "Add version to .env"
+        run: sed -i 's/APP_VERSION=0.0.0/APP_VERSION=${{ steps.release-version.outputs.app_version }}/g' .env
+
+      - name: "Add build to .env"
+        run: sed -i 's/APP_BUILD=0/APP_BUILD=${{ steps.release-build.outputs.build }}/g' .env
+
+      - name: "Output .env"
+        run: cat .env
+
+      - name: "Setup PHP with PECL extension"
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          extensions: mbstring, dom, fileinfo, pgsql
+
+      - name: "Install dependencies"
+        run: composer install --no-dev --no-ansi --no-interaction --prefer-dist --ignore-platform-reqs --classmap-authoritative
+        if: steps.cache-vendor.outputs.cache-hit != 'true' # Skip if cache hit
+
+      - name: "Use Node.js"
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.x'
+
+      - name: "Checkout invoicing extension"
+        uses: actions/checkout@v4
+        with:
+          repository: solidtime-io/extension-invoicing
+          path: extensions/Invoicing
+          ssh-key: ${{ secrets.SSH_PRIVATE_KEY_INVOICING_EXTENSION }}
+
+      - name: "Install composer dependencies in invoicing extension"
+        run: cd extensions/Invoicing && composer install --no-dev --no-ansi --no-interaction --prefer-dist --ignore-platform-reqs --classmap-authoritative
+
+      - name: "Install npm dependencies in invoicing extension"
+        run: cd extensions/Invoicing && npm ci
+
+      - name: "Activate invoicing extension"
+        run: php artisan module:enable Invoicing
+
+      - name: "Install npm dependencies"
+        run: npm ci
+
+      - name: "Build"
+        run: npm run build
+
+      - name: "Prepare"
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: "Docker meta"
+        id: "meta"
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_REPO }}
+
+      - name: "Login to solidtime OnPremise Registry"
+        uses: docker/login-action@v3
+        with:
+          registry: registry.on-premise.solidtime.io
+          username: ${{ secrets.ONPREMISE_USERNAME }}
+          password: ${{ secrets.ONPREMISE_TOKEN }}
+
+      - name: "Set up QEMU"
+        uses: docker/setup-qemu-action@v3
+
+      - name: "Set up Docker Buildx"
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Build and push by digest"
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/prod/Dockerfile
+          build-args: |
+            DOCKER_FILES_BASE_PATH=docker/prod/
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,"name=${{ env.DOCKER_REPO }}",push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: "Export digest"
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: "Upload digest"
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+    needs:
+      - build
+    steps:
+      - name: "Download digests"
+        uses: actions/download-artifact@v6
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: "Login to solidtime OnPremise Registry"
+        uses: docker/login-action@v3
+        with:
+          registry: registry.on-premise.solidtime.io
+          username: ${{ secrets.ONPREMISE_USERNAME }}
+          password: ${{ secrets.ONPREMISE_TOKEN }}
+
+      - name: "Set up Docker Buildx"
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Docker meta"
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_REPO }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: "Create manifest list and push"
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.DOCKER_REPO }}@sha256:%s ' *)
+
+      - name: "Inspect image"
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_REPO }}:${{ steps.meta.outputs.version }}

.github/workflows/build-private.yml

@@ -10,6 +10,8 @@ on:
       - '.github/workflows/build-private.yml'
       - 'docker/prod/**'
   workflow_dispatch:
+permissions:
+  contents: read
 
 name: Build - Private
 jobs:
@@ -17,9 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
+
     steps:
       - name: "Check out code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Required for WyriHaximus/github-action-get-previous-tag
 
@@ -65,12 +68,12 @@ jobs:
         run: cat .env
 
       - name: "Use Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 
       - name: "Checkout billing extension"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: solidtime-io/extension-billing
           path: extensions/Billing
@@ -90,7 +93,7 @@ jobs:
         run: cd extensions/Billing && npm ci
 
       - name: "Checkout services extension"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: solidtime-io/extension-services
           path: extensions/Services
@@ -108,7 +111,7 @@ jobs:
         run: cd extensions/Services && npm ci
 
       - name: "Checkout invoicing extension"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: solidtime-io/extension-invoicing
           path: extensions/Invoicing

.github/workflows/build-public.yml

@@ -11,6 +11,12 @@ on:
       - 'docker/prod/**'
   workflow_dispatch:
 
+permissions:
+  packages: write
+  contents: read
+  attestations: write
+  id-token: write
+
 env:
   DOCKERHUB_REPO: solidtime/solidtime
   GHCR_REPO: ghcr.io/solidtime-io/solidtime
@@ -26,16 +32,11 @@ jobs:
           - runs-on: "ubuntu-24.04"
             platform: "linux/amd64"
     runs-on: ${{ matrix.runs-on }}
-    permissions:
-      packages: write
-      contents: read
-      attestations: write
-      id-token: write
     timeout-minutes: 90
 
     steps:
       - name: "Check out code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Required for WyriHaximus/github-action-get-previous-tag
 
@@ -91,7 +92,7 @@ jobs:
         if: steps.cache-vendor.outputs.cache-hit != 'true' # Skip if cache hit
 
       - name: "Use Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 
@@ -163,17 +164,12 @@ jobs:
 
   merge:
     runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-      attestations: write
-      id-token: write
     timeout-minutes: 90
     needs:
       - build
     steps:
       - name: "Download digests"
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*

.github/workflows/generate-api-docs.yml

@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: read
+
 jobs:
   api_docs:
     runs-on: ubuntu-latest
@@ -26,7 +29,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2

.github/workflows/npm-build.yml

@@ -1,6 +1,8 @@
 name: NPM Build
 
 on: [push]
+permissions:
+  contents: read
 
 jobs:
   build:
@@ -9,7 +11,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup PHP (for Ziggy)"
         uses: shivammathur/setup-php@v2
@@ -22,7 +24,7 @@ jobs:
         run: composer install -n --prefer-dist
 
       - name: "Use Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 

.github/workflows/npm-format-check.yml

@@ -0,0 +1,23 @@
+name: NPM Format Check
+
+on: [push]
+
+jobs:
+  format-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v5
+
+      - name: "Use Node.js"
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.x'
+
+      - name: "Install npm dependencies"
+        run: npm ci
+
+      - name: "Check code formatting"
+        run: npm run format:check 

.github/workflows/npm-lint.yml

@@ -1,6 +1,8 @@
 name: NPM Lint
 
 on: [push]
+permissions:
+  contents: read
 
 jobs:
   build:
@@ -9,10 +11,10 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Use Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 

.github/workflows/npm-publish-api.yml

@@ -1,6 +1,8 @@
 name: Publish API package to NPM
 on:
   workflow_dispatch
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -9,11 +11,11 @@ jobs:
       id-token: write
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       # Setup .npmrc file to publish to npm
       - name: Install root project dependencies
         run: npm ci
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/npm-publish-ui.yml

@@ -1,6 +1,8 @@
 name: Publish UI package to NPM
 on:
   workflow_dispatch
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -9,9 +11,9 @@ jobs:
       id-token: write
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/npm-test-unit.yml

@@ -0,0 +1,27 @@
+name: NPM Test Unit
+
+on: [push]
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      TZ: UTC
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+
+      - name: "Use Node.js"
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+
+      - name: "Install npm dependencies"
+        run: npm ci
+
+      - name: "Run vitest"
+        run: npm run test:unit

.github/workflows/npm-typecheck.yml

@@ -1,7 +1,8 @@
 name: NPM Typecheck
 
 on: [push]
-
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -9,7 +10,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup PHP (for Ziggy)"
         uses: shivammathur/setup-php@v2
@@ -22,7 +23,7 @@ jobs:
         run: composer install -n --prefer-dist
 
       - name: "Use Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 

.github/workflows/phpstan.yml

@@ -1,5 +1,7 @@
 name: Static code analysis (PHPStan)
 on: push
+permissions:
+  contents: read
 jobs:
   phpstan:
     runs-on: ubuntu-latest
@@ -7,7 +9,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2

.github/workflows/phpunit.yml

@@ -1,13 +1,18 @@
 name: PHPUnit Tests
 on: push
+permissions:
+  contents: read
 jobs:
   phpunit:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    strategy:
+      matrix:
+        postgres_version: [ 15, 16, 17 ]
 
     services:
       pgsql_test:
-        image: postgres:15
+        image: postgres:${{ matrix.postgres_version }}
         env:
           PGPASSWORD: 'root'
           POSTGRES_DB: 'laravel'
@@ -31,7 +36,7 @@ jobs:
           --health-retries 5
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup PHP"
         uses: shivammathur/setup-php@v2
@@ -43,7 +48,7 @@ jobs:
       - name: "Run composer install"
         run: composer install -n --prefer-dist
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 
@@ -63,7 +68,7 @@ jobs:
         run: php artisan test --stop-on-failure --coverage-text --coverage-clover=coverage.xml
 
       - name: "Upload coverage reports to Codecov"
-        uses: codecov/codecov-action@v5.4.2
+        uses: codecov/codecov-action@v5.5.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: solidtime-io/solidtime

.github/workflows/pint.yml

@@ -1,5 +1,7 @@
 name: PHP Linting
 on: push
+permissions:
+  contents: read
 jobs:
   pint:
     runs-on: ubuntu-latest
@@ -7,9 +9,9 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Check code style"
-        uses: aglipanci/laravel-pint-action@2.5
+        uses: aglipanci/laravel-pint-action@2.6
         with:
           configPath: "pint.json"

.github/workflows/playwright.yml

@@ -1,13 +1,23 @@
 name: Playwright Tests
 on: [push]
+permissions:
+  contents: read
 jobs:
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8]
+        shardTotal: [8]
 
     services:
       mailpit:
         image: 'axllent/mailpit:latest'
+        ports:
+          - 1025:1025
+          - 8025:8025
       pgsql_test:
         image: postgres:15
         env:
@@ -25,10 +35,10 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: "Setup node"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20.x'
 
@@ -55,22 +65,63 @@ jobs:
       - name: "Build Frontend"
         run: npm run build
 
-      - name: "Run Laravel Server"
-        run: php artisan serve > /dev/null 2>&1 &
+      - name: "Install FrankenPHP"
+        run: |
+          ARCH="$(uname -m)"
+          curl -fsSL "https://github.com/dunglas/frankenphp/releases/latest/download/frankenphp-linux-${ARCH}" -o /usr/local/bin/frankenphp
+          chmod +x /usr/local/bin/frankenphp
+
+      - name: "Run Laravel Octane Server"
+        run: php artisan octane:start --server=frankenphp --host=127.0.0.1 --port=8000 --workers=4 --max-requests=500 > /dev/null 2>&1 &
+        env:
+          OCTANE_SERVER: frankenphp
 
       - name: "Install Playwright Browsers"
         run: npx playwright install --with-deps
 
       - name: "Run Playwright tests"
-        run: npx playwright test
+        run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
         env:
           PLAYWRIGHT_BASE_URL: 'http://127.0.0.1:8000'
+          MAILPIT_BASE_URL: 'http://localhost:8025'
 
-      - name: "Upload test results"
+      - name: "Upload blob report"
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: test-results
-          path: test-results/
-          retention-days: 30
+          name: blob-report-${{ matrix.shardIndex }}
+          path: blob-report/
+          retention-days: 7
 
+  merge-reports:
+    if: always()
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+
+      - name: "Setup node"
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+
+      - name: "Install dependencies"
+        run: npm ci
+
+      - name: "Download blob reports"
+        uses: actions/download-artifact@v4
+        with:
+          path: all-blob-reports
+          pattern: blob-report-*
+          merge-multiple: true
+
+      - name: "Merge reports"
+        run: npx playwright merge-reports --reporter html ./all-blob-reports
+
+      - name: "Upload merged HTML report"
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 30

.gitignore

@@ -42,3 +42,4 @@ yarn-error.log
 /data
 /config/caddy
 /config/composer
+/AGENTS.md

.npmrc

@@ -0,0 +1 @@
+min-release-age=7

.prettierignore

@@ -0,0 +1,27 @@
+# Ignore build outputs
+node_modules/
+vendor/
+storage/
+bootstrap/cache/
+public/build/
+public/hot/
+
+# Ignore lock files
+package-lock.json
+composer.lock
+
+# Ignore generated files
+*.min.js
+*.min.css
+
+# Ignore test results
+test-results/
+playwright-report/
+
+# Ignore IDE files
+.idea/
+.vscode/
+
+# Ignore OS files
+.DS_Store
+Thumbs.db 

.prettierrc.json

@@ -3,5 +3,6 @@
     "tabWidth": 4,
     "singleQuote": true,
     "bracketSameLine": true,
-    "quoteProps": "preserve"
+    "quoteProps": "preserve",
+    "printWidth": 100
 }

CONTRIBUTING.md

@@ -0,0 +1,81 @@
+# Contributing to solidtime
+
+Contributions are greatly apprecited, please make sure to read the rules and vision for solidtime before contributing. 
+
+## Rules
+
+### Issues for Bugs, Discussions for Feature requests
+
+In order to keep the issues of the repository clean we decided to only use them for bugs. Feature Requests and enhancement are handled in discussions. This also helps us to see which feature requests are popular as they can be upvoted. 
+
+### Only work on approved issues
+
+To respect your time and help us manage contributions effectively, please open an issue or start a discussion and wait for approval before submitting a pull request (PR). This does not apply to tiny fixes or changes however, please keep in mind that we might not merge PRs for various reasons. 
+
+### Contributor License Agreement
+
+You'll also notice that we’ve set up a [Contributor License Agreement (CLA)](https://cla-assistant.io/solidtime-io/solidtime), which must be signed before any PR can be merged. Don’t worry - the process is quick and only takes a few clicks.
+
+We want to be transparent about why we require the CLA and what it means for your contributions and the codebase. That’s why we’ve written a few paragraphs below outlining our plans and vision for solidtime in the **Vision** part of this document. 
+
+### Prevent Duplicate Work
+
+Before you submit a new PR, make sure that none exists already. If you plan to work on an issue, make sure to let us and others know by commenting on the issue/discussion. 
+
+### Give context
+
+Tell us what you thinking was behind the decisions you made while drafting the PR. Treat the PR itself as documentation for everyone who wants to go back and understand why certain decisions were made. 
+
+### Summarize your PR
+
+Please make sure to include a short summary at the top of your PR to make it easy for us to quickly check what the PR is about, without looking at the code changes. 
+
+### Use Github Keywords and Auto-Link Issues
+
+Use phrases like "Closes #123" or "Fixes #123" in the PR description to link the PR with the issue that you are adressing. 
+
+### Mention what you tested and how
+
+Explain how you tested and validated the implementation. 
+
+### Keep Naming consistent
+
+Look at existing code patterns and use naming conventions that already exist in the code base. 
+
+### Testing
+
+We have an exhaustive test-suite of PHPUnit (Backend) and Playwright (Frontend) testing. Whereever applicable please make sure to write add tests to the codebase. 
+
+### Linting & Formatting
+
+Make sure to run linting and formatting commands before you commit the changes. 
+
+For backend changes:
+
+```
+composer fix
+composer analyse
+```
+
+For frontend changes: 
+
+```
+npm run lint:fix
+npm run format
+```
+
+## Vision
+
+We started solidtime to provide an open infrastructure solution for time tracking—one that empowers teams and individuals to fully own their data, instead of depending on proprietary platforms. We believe infrastructure software should be open, accessible, and built to last. However, competing with established market leaders in this space requires long-term financial sustainability.
+
+solidtime is licensed under the AGPL, which we believe is the best available license to strike a balance between openness and financial viability. The AGPL gives us, as the copyright holders, certain exclusive rights that we plan to leverage to fund development. To ensure we retain those rights across the entire codebase, we've put a CLA in place that contributors must sign before submitting code.
+
+One of solidtime’s key advantages is that it's built to be self-hostable. This makes it a great solution for organizations like governments, healthcare providers, and enterprises that are required to keep data on their own infrastructure due to regulations or internal policies. These organizations may need custom licenses, integrations, or modifications that aren't suitable for the open-source version. To support them, we offer relicensed versions of solidtime along with support plans.
+
+We’ll also provide proprietary extensions for solidtime. These will be available to enterprise customers with support plans, but also to individual users or teams who don’t need support, at much more accessible price points. For companies running solidtime on their own infrastructure, this is the easiest way to support the project while gaining additional functionality. While we plan to make it easier to build custom extensions in the future, our current APIs are still highly experimental.
+
+Finally - and perhaps most importantly - we offer a hosted SaaS version called solidtime Cloud, for users who can’t or don’t want to run the software themselves. This version includes proprietary extensions, always runs the latest commit, and includes monitoring and billing features available exclusively on this hosted instance. We expect solidtime Cloud to play a critical role in funding the project long-term.
+
+Having full control over the source code’s licensing also gives us the ability to change the license of the main project in the future. That said, we have no plans to do so and would only consider it in extreme cases - for example, if a malicious actor were to directly compete with our hosted service in a way that threatens the sustainability of the project, the legal interpretation of AGPL changes in a way that would make it unreasonable to use for certain companies, or a new similar license gains wide-spread adoption. Regardless, solidtime will always remain free to self-host for individuals and companies who use it as part of their work, and all previous releases will remain licensed under AGPL.
+
+If you are using the open-source version of solidtime and want to support us, the best way to do so is to spread the word. 

README.md

@@ -1,4 +1,4 @@
-# solidtime - The modern Open-Source Time Tracker
+# solidtime - The modern Open-Source TimeTracker
 
 [![GitHub License](https://img.shields.io/github/license/solidtime-io/solidtime?style=flat-square)](https://github.com/solidtime-io/solidtime/blob/main/LICENSE.md)
 [![Codecov](https://img.shields.io/codecov/c/github/solidtime-io/solidtime?style=flat-square&logo=codecov)](https://codecov.io/gh/solidtime-io/solidtime)
@@ -35,10 +35,11 @@ If you have a **feature request**, please [**create a discussion**](https://gith
 
 ## Contributing
 
-This project is in a very early stage. The structure and APIs are still subject to change and not stable. 
-Therefore, we do not currently accept any contributions, unless you are a member of the team.
+Please open an issue or start a discussion and wait for approval before submitting a pull request. This does not apply to tiny fixes or changes however, please keep in mind that we might not merge PRs for various reasons. 
 
-As soon as we feel comfortable enough that the application structure is stable enough, we will open up the project for contributions.
+**If you submit an AI slop pull request (especially without following the proper procedure), you will be banned from future contributions to solidtime.**
+
+Please read the [CONTRIBUTING.md](./CONTRIBUTING.md) before sumbitting a Pull Request.
 
 We do accept contributions in the [documentation repository](https://github.com/solidtime-io/docs) f.e. to add new self-hosting guides.
 

SECURITY.md

@@ -3,3 +3,18 @@
 ## Reporting a Vulnerability
 
 If you discover a security vulnerability regarding this project, please e-mail me to [security@solidtime.io](mailto:security@solidtime.io)!
+
+## Out of scope
+
+
+Reports we typically won't issue an advisory for:
+
+* Theoretical findings without a working PoC
+* Raw scanner output without manual validation
+* Missing/weak security headers in isolation (CSP, X-Frame-Options, HSTS, etc.)
+* SPF/DKIM/DMARC on non-mail-sending domains; missing DNSSEC/CAA; TLS cipher preferences
+* Self-XSS; CSRF on non-state-changing endpoints (logout, theme)
+* CSV / spreadsheet formula injection in exports — treated as a spreadsheet-application issue
+* Org owners or admins acting destructively within their own organization
+* Anything requiring direct DB, shell, or filesystem access on a self-hosted instance
+* Missing OAuth Scope enforcement (this is not implemented yet, but AI scanners flag it which is why it is included in this list until we actually support it)

app/Actions/Fortify/CreateNewUser.php

@@ -16,7 +16,6 @@ use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 use Korridor\LaravelModelValidationRules\Rules\UniqueEloquent;
 use Laravel\Fortify\Contracts\CreatesNewUsers;
-use Laravel\Jetstream\Jetstream;
 use Log;
 
 class CreateNewUser implements CreatesNewUsers
@@ -26,7 +25,7 @@ class CreateNewUser implements CreatesNewUsers
     /**
      * Create a newly registered user.
      *
-     * @param  array<string, string>  $input
+     * @param  array<string, mixed>  $input
      *
      * @throws ValidationException
      */
@@ -55,7 +54,7 @@ class CreateNewUser implements CreatesNewUsers
                 }),
             ],
             'password' => $this->passwordRules(),
-            'terms' => Jetstream::hasTermsAndPrivacyPolicyFeature() ? ['accepted', 'required'] : '',
+            'terms' => ['accepted', 'required'],
             'newsletter_consent' => [
                 'boolean',
             ],

app/Actions/Fortify/UpdateUserProfileInformation.php

@@ -4,14 +4,9 @@ declare(strict_types=1);
 
 namespace App\Actions\Fortify;
 
-use App\Enums\Weekday;
+use App\Exceptions\MovedToApiException;
 use App\Models\User;
-use Illuminate\Contracts\Auth\MustVerifyEmail;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Facades\Validator;
-use Illuminate\Validation\Rule;
 use Illuminate\Validation\ValidationException;
-use Korridor\LaravelModelValidationRules\Rules\UniqueEloquent;
 use Laravel\Fortify\Contracts\UpdatesUserProfileInformation;
 
 class UpdateUserProfileInformation implements UpdatesUserProfileInformation
@@ -25,57 +20,6 @@ class UpdateUserProfileInformation implements UpdatesUserProfileInformation
      */
     public function update(User $user, array $input): void
     {
-        Validator::make($input, [
-            'name' => [
-                'required',
-                'string',
-                'max:255',
-            ],
-            'email' => [
-                'required',
-                'email',
-                'max:255',
-                UniqueEloquent::make(User::class, 'email')->ignore($user->id)->query(function (Builder $query) {
-                    /** @var Builder<User> $query */
-                    return $query->where('is_placeholder', '=', false);
-                }),
-            ],
-            'photo' => [
-                'nullable',
-                'mimes:jpg,jpeg,png',
-                'max:1024',
-            ],
-            'timezone' => [
-                'required',
-                'timezone:all',
-            ],
-            'week_start' => [
-                'required',
-                Rule::enum(Weekday::class),
-            ],
-        ])->validateWithBag('updateProfileInformation');
-
-        if (isset($input['photo'])) {
-            $user->updateProfilePhoto($input['photo']);
-        }
-
-        if ($input['email'] !== $user->email &&
-            $user instanceof MustVerifyEmail) {
-            $user->forceFill([
-                'name' => $input['name'],
-                'email' => $input['email'],
-                'email_verified_at' => null,
-                'timezone' => $input['timezone'],
-                'week_start' => $input['week_start'],
-            ])->save();
-
-            $user->sendEmailVerificationNotification();
-        } else {
-            $user->forceFill([
-                'name' => $input['name'],
-                'timezone' => $input['timezone'],
-                'week_start' => $input['week_start'],
-            ])->save();
-        }
+        throw new MovedToApiException;
     }
 }

app/Actions/Jetstream/AddOrganizationMember.php

@@ -1,94 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Enums\Role;
-use App\Models\Organization;
-use App\Models\User;
-use App\Service\MemberService;
-use Closure;
-use Illuminate\Contracts\Validation\ValidationRule;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Facades\Gate;
-use Illuminate\Support\Facades\Validator;
-use Illuminate\Validation\Rule;
-use Illuminate\Validation\Rules\In;
-use Korridor\LaravelModelValidationRules\Rules\ExistsEloquent;
-use Laravel\Jetstream\Contracts\AddsTeamMembers;
-
-class AddOrganizationMember implements AddsTeamMembers
-{
-    /**
-     * Add a new team member to the given team.
-     */
-    public function add(User $owner, Organization $organization, string $email, ?string $role = null): void
-    {
-        Gate::forUser($owner)->authorize('addTeamMember', $organization); // TODO: refactor after owner refactoring
-
-        $this->validate($organization, $email, $role);
-
-        $newOrganizationMember = User::query()
-            ->where('email', $email)
-            ->where('is_placeholder', '=', false)
-            ->firstOrFail();
-
-        app(MemberService::class)->addMember($newOrganizationMember, $organization, Role::from($role));
-    }
-
-    /**
-     * Validate the add member operation.
-     */
-    protected function validate(Organization $organization, string $email, ?string $role): void
-    {
-        Validator::make([
-            'email' => $email,
-            'role' => $role,
-        ], $this->rules())->after(
-            $this->ensureUserIsNotAlreadyOnTeam($organization, $email)
-        )->validateWithBag('addTeamMember');
-    }
-
-    /**
-     * Get the validation rules for adding a team member.
-     *
-     * @return array<string, array<ValidationRule|Rule|string|In>>
-     */
-    protected function rules(): array
-    {
-        return array_filter([
-            'email' => [
-                'required',
-                'email',
-                ExistsEloquent::make(User::class, 'email', function (Builder $builder) {
-                    /** @var Builder<User> $builder */
-                    return $builder->where('is_placeholder', '=', false);
-                })->withMessage(__('We were unable to find a registered user with this email address.')),
-            ],
-            'role' => [
-                'required',
-                'string',
-                Rule::in([
-                    Role::Admin->value,
-                    Role::Manager->value,
-                    Role::Employee->value,
-                ]),
-            ],
-        ]);
-    }
-
-    /**
-     * Ensure that the user is not already on the team.
-     */
-    protected function ensureUserIsNotAlreadyOnTeam(Organization $team, string $email): Closure
-    {
-        return function ($validator) use ($team, $email): void {
-            $validator->errors()->addIf(
-                $team->hasRealUserWithEmail($email),
-                'email',
-                __('This user already belongs to the team.')
-            );
-        };
-    }
-}

app/Actions/Jetstream/CreateOrganization.php

@@ -1,59 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Events\AfterCreateOrganization;
-use App\Models\Organization;
-use App\Models\User;
-use App\Service\IpLookup\IpLookupServiceContract;
-use App\Service\OrganizationService;
-use Illuminate\Auth\Access\AuthorizationException;
-use Illuminate\Support\Facades\Gate;
-use Illuminate\Support\Facades\Validator;
-use Illuminate\Validation\ValidationException;
-use Laravel\Jetstream\Contracts\CreatesTeams;
-use Laravel\Jetstream\Jetstream;
-
-class CreateOrganization implements CreatesTeams
-{
-    /**
-     * Validate and create a new team for the given user.
-     *
-     * @param  array<string, string>  $input
-     *
-     * @throws AuthorizationException
-     * @throws ValidationException
-     */
-    public function create(User $user, array $input): Organization
-    {
-        Gate::forUser($user)->authorize('create', Jetstream::newTeamModel());
-
-        Validator::make($input, [
-            'name' => ['required', 'string', 'max:255'],
-        ])->validateWithBag('createTeam');
-
-        $ipLookupResponse = app(IpLookupServiceContract::class)->lookup(request()->ip());
-
-        $currency = null;
-        if ($ipLookupResponse !== null) {
-            $currency = $ipLookupResponse->currency;
-        }
-
-        $organization = app(OrganizationService::class)->createOrganization(
-            $input['name'],
-            $user,
-            false,
-            $currency
-        );
-
-        $user->switchTeam($organization);
-
-        // Note: The refresh is necessary for currently unknown reasons. Do not remove it.
-        $organization = $organization->refresh();
-        AfterCreateOrganization::dispatch($organization);
-
-        return $organization;
-    }
-}

app/Actions/Jetstream/DeleteOrganization.php

@@ -1,21 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Models\Organization;
-use App\Service\DeletionService;
-use Laravel\Jetstream\Contracts\DeletesTeams;
-
-class DeleteOrganization implements DeletesTeams
-{
-    /**
-     * Delete the given team.
-     */
-    public function delete(Organization $organization): void
-    {
-        /** @see ValidateOrganizationDeletion */
-        app(DeletionService::class)->deleteOrganization($organization);
-    }
-}

app/Actions/Jetstream/DeleteUser.php

@@ -1,30 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Exceptions\Api\ApiException;
-use App\Models\User;
-use App\Service\DeletionService;
-use Illuminate\Validation\ValidationException;
-use Laravel\Jetstream\Contracts\DeletesUsers;
-
-class DeleteUser implements DeletesUsers
-{
-    /**
-     * Delete the given user.
-     *
-     * @throws ValidationException
-     */
-    public function delete(User $user): void
-    {
-        try {
-            app(DeletionService::class)->deleteUser($user);
-        } catch (ApiException $exception) {
-            throw ValidationException::withMessages([
-                'password' => $exception->getTranslatedMessage(),
-            ]);
-        }
-    }
-}

app/Actions/Jetstream/InviteOrganizationMember.php

@@ -1,24 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Exceptions\MovedToApiException;
-use App\Models\Organization;
-use App\Models\User;
-use Exception;
-use Laravel\Jetstream\Contracts\InvitesTeamMembers;
-
-class InviteOrganizationMember implements InvitesTeamMembers
-{
-    /**
-     * Invite a new team member to the given team.
-     *
-     * @throws Exception
-     */
-    public function invite(User $user, Organization $organization, string $email, ?string $role = null): void
-    {
-        throw new MovedToApiException;
-    }
-}

app/Actions/Jetstream/RemoveOrganizationMember.php

@@ -1,24 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Exceptions\MovedToApiException;
-use App\Models\Organization;
-use App\Models\User;
-use Exception;
-use Laravel\Jetstream\Contracts\RemovesTeamMembers;
-
-class RemoveOrganizationMember implements RemovesTeamMembers
-{
-    /**
-     * Remove the team member from the given team.
-     *
-     * @throws Exception
-     */
-    public function remove(User $user, Organization $organization, User $teamMember): void
-    {
-        throw new MovedToApiException;
-    }
-}

app/Actions/Jetstream/UpdateMemberRole.php

@@ -1,25 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Enums\Role;
-use App\Exceptions\MovedToApiException;
-use App\Models\Member;
-use App\Models\Organization;
-use App\Models\User;
-use Exception;
-
-class UpdateMemberRole
-{
-    /**
-     * Update the role for the given team member.
-     *
-     * @throws Exception
-     */
-    public function update(User $actingUser, Organization $organization, string $userId, string $role): void
-    {
-        throw new MovedToApiException;
-    }
-}

app/Actions/Jetstream/UpdateOrganization.php

@@ -1,48 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Models\Organization;
-use App\Models\User;
-use App\Rules\CurrencyRule;
-use Illuminate\Auth\Access\AuthorizationException;
-use Illuminate\Support\Facades\Gate;
-use Illuminate\Support\Facades\Validator;
-use Illuminate\Validation\ValidationException;
-use Laravel\Jetstream\Contracts\UpdatesTeamNames;
-
-class UpdateOrganization implements UpdatesTeamNames
-{
-    /**
-     * Validate and update the given team's name.
-     *
-     * @param  array<string, string>  $input
-     *
-     * @throws AuthorizationException
-     * @throws ValidationException
-     */
-    public function update(User $user, Organization $organization, array $input): void
-    {
-        Gate::forUser($user)->authorize('update', $organization);
-
-        Validator::make($input, [
-            'name' => [
-                'required',
-                'string',
-                'max:255',
-            ],
-            'currency' => [
-                'required',
-                'string',
-                new CurrencyRule,
-            ],
-        ])->validateWithBag('updateTeamName');
-
-        $organization->forceFill([
-            'name' => $input['name'],
-            'currency' => $input['currency'],
-        ])->save();
-    }
-}

app/Actions/Jetstream/ValidateOrganizationDeletion.php

@@ -1,28 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Actions\Jetstream;
-
-use App\Models\Organization;
-use App\Models\User;
-use App\Service\PermissionStore;
-use Illuminate\Auth\Access\AuthorizationException;
-
-class ValidateOrganizationDeletion
-{
-    /**
-     * Validate that the team can be deleted by the given user.
-     *
-     * @param  User  $user  Authenticated user
-     * @param  Organization  $organization  Organization to be deleted
-     *
-     * @throws AuthorizationException
-     */
-    public function validate(User $user, Organization $organization): void
-    {
-        if (! app(PermissionStore::class)->userHas($organization, $user, 'organizations:delete')) {
-            throw new AuthorizationException;
-        }
-    }
-}

app/Console/Commands/Admin/UserCreateCommand.php

@@ -69,7 +69,7 @@ class UserCreateCommand extends Command
             );
         });
         /** @var Organization|null $organization */
-        $organization = $user->ownedTeams->first();
+        $organization = $user->ownedOrganizations->first();
         if ($organization === null) {
             throw new LogicException('User does not have an organization');
         }

app/Console/Commands/Auth/AuthSendReminderForExpiringApiTokensCommand.php

@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands\Auth;
+
+use App\Mail\AuthApiTokenExpirationReminderMail;
+use App\Mail\AuthApiTokenExpiredMail;
+use App\Models\Passport\Token;
+use App\Models\User;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Mail;
+
+class AuthSendReminderForExpiringApiTokensCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'auth:send-mails-expiring-api-tokens '.
+        ' { --dry-run : Do not actually send emails or save anything to the database, just output what would happen }';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Sends emails about expiring API tokens, one week before and when they expired.';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(): int
+    {
+        $dryRun = (bool) $this->option('dry-run');
+        if ($dryRun) {
+            $this->comment('Running in dry-run mode. No emails will be sent and nothing will be saved to the database.');
+        }
+
+        $this->comment('Sending reminder emails about expiring API tokens...');
+        $sentMails = 0;
+        Token::query()
+            ->where('expires_at', '<=', Carbon::now()->addDays(7))
+            ->whereNull('reminder_sent_at')
+            ->with([
+                'client',
+                'user',
+            ])
+            ->whereHas('user', function (Builder $query): void {
+                /** @var Builder<User> $query */
+                $query->where('is_placeholder', '=', false);
+            })
+            ->isApiToken(true)
+            ->orderBy('created_at', 'asc')
+            ->chunk(500, function (Collection $tokens) use ($dryRun, &$sentMails): void {
+                /** @var Collection<int, Token> $tokens */
+                foreach ($tokens as $token) {
+                    $user = $token->user;
+                    $this->info('Start sending email to user "'.$user->email.'" ('.$user->getKey().') reminding about API token '.$token->getKey());
+                    $sentMails++;
+                    if (! $dryRun) {
+                        Mail::to($user->email)
+                            ->queue(new AuthApiTokenExpirationReminderMail($token, $user));
+                        $token->reminder_sent_at = Carbon::now();
+                        $token->save();
+                    }
+                }
+            });
+        $this->comment('Finished sending '.$sentMails.' expiring API token emails...');
+
+        $this->comment('Sent emails about expired API tokens');
+        $sentMails = 0;
+        Token::query()
+            ->where('expires_at', '<=', Carbon::now())
+            ->whereNull('expired_info_sent_at')
+            ->with([
+                'client',
+                'user',
+            ])
+            ->whereHas('user', function (Builder $query): void {
+                /** @var Builder<User> $query */
+                $query->where('is_placeholder', '=', false);
+            })
+            ->isApiToken(true)
+            ->orderBy('created_at', 'asc')
+            ->chunk(500, function (Collection $tokens) use ($dryRun, &$sentMails): void {
+                /** @var Collection<int, Token> $tokens */
+                foreach ($tokens as $token) {
+                    $user = $token->user;
+                    $this->info('Start sending email to user "'.$user->email.'" ('.$user->getKey().') about expired API token '.$token->getKey());
+                    $sentMails++;
+                    if (! $dryRun) {
+                        Mail::to($user->email)
+                            ->queue(new AuthApiTokenExpiredMail($token, $user));
+                        $token->expired_info_sent_at = Carbon::now();
+                        $token->save();
+                    }
+                }
+            });
+        $this->comment('Finished sending '.$sentMails.' expired API token emails...');
+
+        return self::SUCCESS;
+    }
+}

app/Console/Commands/SelfHost/SelfHostDatabaseConsistency.php

@@ -0,0 +1,123 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands\SelfHost;
+
+use Illuminate\Console\Command;
+use Illuminate\Database\Query\Builder;
+use Illuminate\Database\Query\JoinClause;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+
+class SelfHostDatabaseConsistency extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'self-host:database-consistency';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = '';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(): int
+    {
+        $hadAProblem = false;
+
+        // Task need to be part of project in time entries
+        $problems = DB::table('time_entries')
+            ->select(['time_entries.id as id'])
+            ->join('tasks', 'time_entries.task_id', '=', 'tasks.id')
+            ->where('tasks.project_id', '!=', DB::raw('time_entries.project_id'))
+            ->get();
+        $this->logProblems($problems, 'Time entries have a task that does not belong to the project of the time entry', $hadAProblem);
+
+        // Client id is the client id of the project
+        $problems = DB::table('time_entries')
+            ->select(['time_entries.id as id'])
+            ->join('projects', 'time_entries.project_id', '=', 'projects.id')
+            ->where(DB::raw('coalesce(projects.client_id::varchar, \'\')'), '!=', DB::raw('coalesce(time_entries.client_id::varchar, \'\')'))
+            ->get();
+        $this->logProblems($problems, 'Time entries have a client that does not match the client of the project', $hadAProblem);
+
+        // Client id can only be not null if the project id is not null
+        $problems = DB::table('time_entries')
+            ->select(['time_entries.id as id'])
+            ->whereNotNull('client_id')
+            ->whereNull('project_id')
+            ->get();
+        $this->logProblems($problems, 'Time entries have a client but no project', $hadAProblem);
+
+        // Every user needs to be a member of at least one organization
+        $problems = DB::table('users')
+            ->select(['users.id as id'])
+            ->leftJoin('members', 'users.id', '=', 'members.user_id')
+            ->whereNull('members.id')
+            ->get();
+        $this->logProblems($problems, 'Users are not member of any organization', $hadAProblem);
+
+        // Every organization needs at least an owner
+        $problems = DB::table('organizations')
+            ->select(['organizations.id as id'])
+            ->leftJoin('members', function (JoinClause $join): void {
+                $join->on('organizations.id', '=', 'members.organization_id')
+                    ->where('members.role', '=', 'owner');
+            })
+            ->whereNull('members.id')
+            ->get();
+        $this->logProblems($problems, 'Organizations without an owner', $hadAProblem);
+
+        // Every member can only have one running time entry
+        $problems = DB::table('time_entries')
+            ->select(['user_id as id'])
+            ->whereNull('end')
+            ->groupBy('user_id')
+            ->havingRaw('count(*) > 1')
+            ->get(['user_id', DB::raw('count(*) as count')]);
+        $this->logProblems($problems, 'Users with more than one running time entry', $hadAProblem);
+
+        // Users have a current organization that they are not a member of
+        $problems = DB::table('users')
+            ->select(['users.id as id'])
+            ->whereNotNull('current_team_id')
+            ->whereNotIn('current_team_id', function (Builder $query): void {
+                $query->select('organization_id')
+                    ->from('members')
+                    ->whereColumn('members.user_id', 'users.id');
+            })->get();
+        $this->logProblems($problems, 'Users have a current organization that they are not a member of', $hadAProblem);
+
+        return $hadAProblem ? self::FAILURE : self::SUCCESS;
+    }
+
+    /**
+     * @param  Collection<int, \stdClass>  $problems
+     */
+    private function logProblems(Collection $problems, string $message, bool &$hadAProblem): void
+    {
+        $message = 'Consistency problem: '.$message;
+        if ($problems->isNotEmpty()) {
+            $ids = $problems->pluck('id');
+            $hadAProblem = true;
+            Log::error($message, [
+                'ids' => $ids,
+            ]);
+
+            $error = $message;
+            foreach ($ids as $id) {
+                $error .= "\n  - ".$id;
+            }
+            $this->error($error);
+        }
+    }
+}

app/Console/Kernel.php

@@ -18,13 +18,35 @@ class Kernel extends ConsoleKernel
             ->when(fn (): bool => config('scheduling.tasks.time_entry_send_still_running_mails'))
             ->everyTenMinutes();
 
-        $schedule->command('self-host:check-for-update')
-            ->when(fn (): bool => config('scheduling.tasks.self_hosting_check_for_update'))
-            ->twiceDaily();
+        $schedule->command('auth:send-mails-expiring-api-tokens')
+            ->when(fn (): bool => config('scheduling.tasks.auth_send_mails_expiring_api_tokens'))
+            ->everyTenMinutes();
 
-        $schedule->command('self-host:telemetry')
-            ->when(fn (): bool => config('scheduling.tasks.self_hosting_telemetry'))
-            ->twiceDaily();
+        if (config('app.key') && (config('scheduling.tasks.self_hosting_check_for_update') || config('scheduling.tasks.self_hosting_telemetry'))) {
+            // Convert string to a stable integer for seeding
+            /** @var int $seed Take the first 8 hex chars → 32-bit int */
+            $seed = hexdec(substr(hash('md5', config('app.key')), 0, 8));
+            $seed = abs($seed); // Ensure it's positive
+            mt_srand($seed);
+            $firstHour = mt_rand(0, 23);
+            $secondHour = ($firstHour + 12) % 24;
+            $minuteOffset = mt_rand(0, 59);
+            mt_srand(null); // Reset the random number generator
+
+            if (config('scheduling.tasks.self_hosting_check_for_update')) {
+                $schedule->command('self-host:check-for-update')
+                    ->twiceDailyAt($firstHour, $secondHour, $minuteOffset);
+            }
+
+            if (config('scheduling.tasks.self_hosting_telemetry')) {
+                $schedule->command('self-host:telemetry')
+                    ->twiceDailyAt($firstHour, $secondHour, $minuteOffset);
+            }
+        }
+
+        $schedule->command('self-host:database-consistency')
+            ->when(fn (): bool => config('scheduling.tasks.self_hosting_database_consistency'))
+            ->everySixHours();
     }
 
     /**

app/Enums/DateFormat.php

@@ -10,26 +10,26 @@ enum DateFormat: string
 {
     use LaravelEnumHelper;
 
-    case PointSeperatedDMYYYY = 'point-seperated-d-m-yyyy';
-    case SlashSeperatedMMDDYYYY = 'slash-seperated-mm-dd-yyyy';
+    case PointSeparatedDMYYYY = 'point-separated-d-m-yyyy';
+    case SlashSeparatedMMDDYYYY = 'slash-separated-mm-dd-yyyy';
 
-    case SlashSeperatedDDMMYYYY = 'slash-seperated-dd-mm-yyyy';
+    case SlashSeparatedDDMMYYYY = 'slash-separated-dd-mm-yyyy';
 
-    case HyphenSeperatedDDMMYYY = 'hyphen-seperated-dd-mm-yyyy';
+    case HyphenSeparatedDDMMYYY = 'hyphen-separated-dd-mm-yyyy';
 
-    case HyphenSeperatedMMDDDYYYY = 'hyphen-seperated-mm-dd-yyyy';
+    case HyphenSeparatedMMDDDYYYY = 'hyphen-separated-mm-dd-yyyy';
 
-    case HyphenSeperatedYYYYMMDD = 'hyphen-seperated-yyyy-mm-dd';
+    case HyphenSeparatedYYYYMMDD = 'hyphen-separated-yyyy-mm-dd';
 
     public function toCarbonFormat(): string
     {
         return match ($this->value) {
-            self::PointSeperatedDMYYYY->value => 'j.n.Y',
-            self::SlashSeperatedMMDDYYYY->value => 'm/d/Y',
-            self::SlashSeperatedDDMMYYYY->value => 'd/m/Y',
-            self::HyphenSeperatedDDMMYYY->value => 'd-m-Y',
-            self::HyphenSeperatedMMDDDYYYY->value => 'm-d-Y',
-            self::HyphenSeperatedYYYYMMDD->value => 'Y-m-d',
+            self::PointSeparatedDMYYYY->value => 'j.n.Y',
+            self::SlashSeparatedMMDDYYYY->value => 'm/d/Y',
+            self::SlashSeparatedDDMMYYYY->value => 'd/m/Y',
+            self::HyphenSeparatedDDMMYYY->value => 'd-m-Y',
+            self::HyphenSeparatedMMDDDYYYY->value => 'm-d-Y',
+            self::HyphenSeparatedYYYYMMDD->value => 'Y-m-d',
         };
     }
 

app/Enums/IntervalFormat.php

@@ -13,9 +13,9 @@ enum IntervalFormat: string
     case Decimal = 'decimal';
     case HoursMinutes = 'hours-minutes';
 
-    case HoursMinutesColonSeperated = 'hours-minutes-colon-seperated';
+    case HoursMinutesColonSeparated = 'hours-minutes-colon-separated';
 
-    case HoursMinutesSecondsColonSeperated = 'hours-minutes-seconds-colon-seperated';
+    case HoursMinutesSecondsColonSeparated = 'hours-minutes-seconds-colon-separated';
 
     /**
      * @return array<string, string>

app/Enums/Role.php

@@ -4,8 +4,12 @@ declare(strict_types=1);
 
 namespace App\Enums;
 
+use Datomatic\LaravelEnumHelper\LaravelEnumHelper;
+
 enum Role: string
 {
+    use LaravelEnumHelper;
+
     case Owner = 'owner';
     case Admin = 'admin';
     case Manager = 'manager';

app/Enums/TimeEntryAggregationType.php

@@ -20,6 +20,7 @@ enum TimeEntryAggregationType: string
     case Client = 'client';
     case Billable = 'billable';
     case Description = 'description';
+    case Tag = 'tag';
 
     public static function fromInterval(TimeEntryAggregationTypeInterval $timeEntryAggregationTypeInterval): TimeEntryAggregationType
     {

app/Enums/TimeEntryRoundingType.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Enums;
+
+use Datomatic\LaravelEnumHelper\LaravelEnumHelper;
+
+enum TimeEntryRoundingType: string
+{
+    use LaravelEnumHelper;
+
+    case Up = 'up';
+    case Down = 'down';
+    case Nearest = 'nearest';
+}

app/Events/DatabaseSeederAfterSeed.php

@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Events;
+
+use Illuminate\Foundation\Events\Dispatchable;
+
+class DatabaseSeederAfterSeed
+{
+    use Dispatchable;
+
+    public function __construct() {}
+}

app/Events/DatabaseSeederBeforeDelete.php

@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Events;
+
+use Illuminate\Foundation\Events\Dispatchable;
+
+class DatabaseSeederBeforeDelete
+{
+    use Dispatchable;
+
+    public function __construct() {}
+}

app/Events/MemberAdded.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Events;
+
+use App\Models\Member;
+use App\Models\Organization;
+use App\Models\User;
+use Illuminate\Foundation\Events\Dispatchable;
+
+class MemberAdded
+{
+    use Dispatchable;
+
+    public Member $member;
+
+    public Organization $organization;
+
+    public User $user;
+
+    public function __construct(Member $member, Organization $organization, User $user)
+    {
+        $this->member = $member;
+        $this->organization = $organization;
+        $this->user = $user;
+    }
+}

app/Events/MemberAdding.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Events;
+
+use App\Enums\Role;
+use App\Models\Organization;
+use App\Models\User;
+use Illuminate\Foundation\Events\Dispatchable;
+
+class MemberAdding
+{
+    use Dispatchable;
+
+    public User $user;
+
+    public Organization $organization;
+
+    public Role $role;
+
+    public function __construct(User $user, Organization $organization, Role $role)
+    {
+        $this->user = $user;
+        $this->organization = $organization;
+        $this->role = $role;
+    }
+}

app/Events/OrganizationInvitationAdding.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Events;
+
+use App\Enums\Role;
+use App\Models\Organization;
+use App\Models\User;
+use Illuminate\Foundation\Events\Dispatchable;
+
+class OrganizationInvitationAdding
+{
+    use Dispatchable;
+
+    public Organization $organization;
+
+    public string $email;
+
+    public Role $role;
+
+    public User $inviter;
+
+    public function __construct(
+        Organization $organization,
+        string $email,
+        Role $role,
+        User $inviter
+    ) {
+        $this->role = $role;
+        $this->email = $email;
+        $this->organization = $organization;
+        $this->inviter = $inviter;
+    }
+}

app/Exceptions/Api/InvitationForTheEmailAlreadyExistsApiException.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions\Api;
+
+class InvitationForTheEmailAlreadyExistsApiException extends ApiException
+{
+    public const string KEY = 'invitation_for_the_email_already_exists';
+}

app/Exceptions/Api/OverlappingTimeEntryApiException.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions\Api;
+
+class OverlappingTimeEntryApiException extends ApiException
+{
+    public const string KEY = 'overlapping_time_entry';
+}

app/Exceptions/Api/UserResendEmailVerificationNoPendingEmailApiException.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions\Api;
+
+class UserResendEmailVerificationNoPendingEmailApiException extends ApiException
+{
+    public const string KEY = 'user_resend_email_verification_no_pending_email';
+}

app/Extensions/Scramble/PaginatedResourceCollectionTypeToSchema.php

@@ -41,9 +41,7 @@ class PaginatedResourceCollectionTypeToSchema extends TypeToSchemaExtension
             return null;
         }
 
-        if (! ($collectingType = $this->openApiTransformer->transform($collectingClassType))) {
-            return null;
-        }
+        $collectingType = $this->openApiTransformer->transform($collectingClassType);
 
         $newType = new OpenApiObjectType;
         $newType->addProperty('data', (new ArrayType)->setItems($collectingType));

app/Filament/Resources/AuditResource.php

@@ -13,7 +13,7 @@ use Filament\Tables;
 use Filament\Tables\Columns\IconColumn;
 use Filament\Tables\Table;
 use Illuminate\Support\Str;
-use Novadaemon\FilamentPrettyJson\PrettyJson;
+use Novadaemon\FilamentPrettyJson\Form\PrettyJsonField;
 
 class AuditResource extends Resource
 {
@@ -38,8 +38,8 @@ class AuditResource extends Resource
                     ->maxLength(255),
                 Forms\Components\TextInput::make('auditable_id')
                     ->required(),
-                PrettyJson::make('old_values'),
-                PrettyJson::make('new_values'),
+                PrettyJsonField::make('old_values'),
+                PrettyJsonField::make('new_values'),
                 Forms\Components\Textarea::make('url'),
                 Forms\Components\TextInput::make('ip_address'),
                 Forms\Components\TextInput::make('user_agent')

app/Filament/Resources/FailedJobResource.php

@@ -15,12 +15,13 @@ use Filament\Resources\Resource;
 use Filament\Tables\Actions\Action;
 use Filament\Tables\Actions\BulkAction;
 use Filament\Tables\Actions\DeleteAction;
+use Filament\Tables\Actions\DeleteBulkAction;
 use Filament\Tables\Actions\ViewAction;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Artisan;
-use Novadaemon\FilamentPrettyJson\PrettyJson;
+use Novadaemon\FilamentPrettyJson\Form\PrettyJsonField;
 
 /**
  * @source https://gitlab.com/amvisor/filament-failed-jobs
@@ -49,8 +50,8 @@ class FailedJobResource extends Resource
                 TextInput::make('queue')->disabled(),
 
                 // make text a little bit smaller because often a complete Stack Trace is shown:
-                TextArea::make('exception')->disabled()->columnSpan(4)->extraInputAttributes(['style' => 'font-size: 80%;']),
-                PrettyJson::make('payload')->disabled()->columnSpan(4),
+                Textarea::make('exception')->disabled()->columnSpan(4)->extraInputAttributes(['style' => 'font-size: 80%;']),
+                PrettyJsonField::make('payload')->disabled()->columnSpan(4),
             ])->columns(4);
     }
 
@@ -75,7 +76,8 @@ class FailedJobResource extends Resource
             ->filters([])
             ->bulkActions([
                 BulkAction::make('retry')
-                    ->label('Retry')
+                    ->icon('heroicon-o-arrow-path')
+                    ->label('Retry selected')
                     ->requiresConfirmation()
                     ->action(function (Collection $records): void {
                         /** @var FailedJob $record */
@@ -87,11 +89,13 @@ class FailedJobResource extends Resource
                             ->success()
                             ->send();
                     }),
+                DeleteBulkAction::make(),
             ])
             ->actions([
-                DeleteAction::make('Delete'),
-                ViewAction::make('View'),
+                DeleteAction::make(),
+                ViewAction::make(),
                 Action::make('retry')
+                    ->icon('heroicon-o-arrow-path')
                     ->label('Retry')
                     ->requiresConfirmation()
                     ->action(function (FailedJob $record): void {
@@ -109,7 +113,6 @@ class FailedJobResource extends Resource
         return [
             'index' => ListFailedJobs::route('/'),
             'view' => ViewFailedJobs::route('/{record}'),
-
         ];
     }
 }

app/Filament/Resources/FailedJobResource/Pages/ListFailedJobs.php

@@ -6,8 +6,8 @@ namespace App\Filament\Resources\FailedJobResource\Pages;
 
 use App\Filament\Resources\FailedJobResource;
 use App\Models\FailedJob;
+use Filament\Actions\Action;
 use Filament\Notifications\Notification;
-use Filament\Pages\Actions\Action;
 use Filament\Resources\Pages\ListRecords;
 use Illuminate\Support\Facades\Artisan;
 
@@ -19,7 +19,8 @@ class ListFailedJobs extends ListRecords
     {
         return [
             Action::make('retry_all')
-                ->label('Retry all failed Jobs')
+                ->icon('heroicon-o-arrow-path')
+                ->label('Retry all')
                 ->requiresConfirmation()
                 ->action(function (): void {
                     Artisan::call('queue:retry all');
@@ -30,7 +31,8 @@ class ListFailedJobs extends ListRecords
                 }),
 
             Action::make('delete_all')
-                ->label('Delete all failed Jobs')
+                ->icon('heroicon-o-trash')
+                ->label('Delete all')
                 ->requiresConfirmation()
                 ->color('danger')
                 ->action(function (): void {

app/Filament/Resources/OrganizationInvitationResource.php

@@ -39,7 +39,7 @@ class OrganizationInvitationResource extends Resource
                     ->required(),
                 Select::make('role')
                     ->options(Role::class),
-                Forms\Components\Select::make('organization_id')
+                Select::make('organization_id')
                     ->label('Organization')
                     ->relationship(name: 'organization', titleAttribute: 'name')
                     ->searchable(['name'])

app/Filament/Resources/OrganizationResource.php

@@ -55,7 +55,7 @@ class OrganizationResource extends Resource
                     ->label('Is personal?')
                     ->hiddenOn(['create'])
                     ->required(),
-                Forms\Components\Select::make('user_id')
+                Select::make('user_id')
                     ->label('Owner')
                     ->relationship(name: 'owner', titleAttribute: 'email')
                     ->searchable(['name', 'email'])
@@ -76,7 +76,7 @@ class OrganizationResource extends Resource
                 Select::make('time_format')
                     ->options(TimeFormat::toSelectArray())
                     ->required(),
-                Forms\Components\Select::make('currency')
+                Select::make('currency')
                     ->label('Currency')
                     ->options(function (): array {
                         $currencies = ISOCurrencyProvider::getInstance()->getAvailableCurrencies();
@@ -114,22 +114,22 @@ class OrganizationResource extends Resource
     {
         return $table
             ->columns([
-                Tables\Columns\TextColumn::make('name')
+                TextColumn::make('name')
                     ->searchable()
                     ->sortable(),
                 Tables\Columns\IconColumn::make('personal_team')
                     ->boolean()
                     ->label('Is personal?')
                     ->sortable(),
-                Tables\Columns\TextColumn::make('owner.email')
+                TextColumn::make('owner.email')
                     ->sortable(),
-                Tables\Columns\TextColumn::make('currency'),
+                TextColumn::make('currency'),
                 TextColumn::make('billable_rate')
                     ->money(fn (Organization $resource) => $resource->currency, divideBy: 100),
-                Tables\Columns\TextColumn::make('created_at')
+                TextColumn::make('created_at')
                     ->dateTime()
                     ->sortable(),
-                Tables\Columns\TextColumn::make('updated_at')
+                TextColumn::make('updated_at')
                     ->dateTime()
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
@@ -223,7 +223,7 @@ class OrganizationResource extends Resource
 
                                 return $select;
                             }),
-                        Forms\Components\Select::make('timezone')
+                        Select::make('timezone')
                             ->label('Timezone')
                             ->options(fn (): array => app(TimezoneService::class)->getSelectOptions())
                             ->searchable()

app/Filament/Resources/OrganizationResource/RelationManagers/InvitationsRelationManager.php

@@ -21,7 +21,7 @@ use Illuminate\Validation\Rule;
 
 class InvitationsRelationManager extends RelationManager
 {
-    protected static string $relationship = 'teamInvitations';
+    protected static string $relationship = 'organizationInvitations';
 
     protected static ?string $title = 'Invitations';
 
@@ -64,7 +64,7 @@ class InvitationsRelationManager extends RelationManager
                         $ownerRecord = $this->getOwnerRecord();
 
                         return app(InvitationService::class)
-                            ->inviteUser($ownerRecord, $data['email'], Role::from($data['role']));
+                            ->inviteUser($ownerRecord, $data['email'], Role::from($data['role']), auth()->user());
                     }),
             ])
             ->actions([

app/Filament/Resources/OrganizationResource/RelationManagers/UsersRelationManager.php

@@ -49,13 +49,13 @@ class UsersRelationManager extends RelationManager
         return $table
             ->recordTitleAttribute('name')
             ->columns([
-                Tables\Columns\TextColumn::make('name'),
-                Tables\Columns\TextColumn::make('role'),
+                TextColumn::make('name'),
+                TextColumn::make('role'),
                 TextColumn::make('billable_rate')
                     ->money($organization->currency, divideBy: 100),
             ])
             ->headerActions([
-                Tables\Actions\AttachAction::make()
+                AttachAction::make()
                     ->recordTitle(fn (User $record): string => "{$record->name} ({$record->email})")
                     ->form(fn (AttachAction $action): array => [
                         $action->getRecordSelect(),

app/Filament/Resources/ReportResource.php

@@ -18,7 +18,7 @@ use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Columns\ToggleColumn;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
-use Novadaemon\FilamentPrettyJson\PrettyJson;
+use Novadaemon\FilamentPrettyJson\Form\PrettyJsonField;
 
 class ReportResource extends Resource
 {
@@ -58,16 +58,16 @@ class ReportResource extends Resource
                 Forms\Components\TextInput::make('share_secret')
                     ->label('Share Secret')
                     ->nullable(),
-                PrettyJson::make('properties')
+                PrettyJsonField::make('properties')
                     ->formatStateUsing(function (ReportPropertiesDto $state, Report $record): string {
                         return $record->getRawOriginal('properties');
                     })
                     ->disabled(),
-                Forms\Components\DateTimePicker::make('created_at')
+                DateTimePicker::make('created_at')
                     ->label('Created At')
                     ->hiddenOn(['create'])
                     ->disabled(),
-                Forms\Components\DateTimePicker::make('updated_at')
+                DateTimePicker::make('updated_at')
                     ->label('Updated At')
                     ->hiddenOn(['create'])
                     ->disabled(),
@@ -78,10 +78,10 @@ class ReportResource extends Resource
     {
         return $table
             ->columns([
-                Tables\Columns\TextColumn::make('name')
+                TextColumn::make('name')
                     ->searchable()
                     ->sortable(),
-                Tables\Columns\TextColumn::make('description')
+                TextColumn::make('description')
                     ->searchable()
                     ->sortable(),
                 ToggleColumn::make('is_public')
@@ -90,10 +90,10 @@ class ReportResource extends Resource
                 TextColumn::make('organization.name')
                     ->searchable()
                     ->sortable(),
-                Tables\Columns\TextColumn::make('created_at')
+                TextColumn::make('created_at')
                     ->dateTime()
                     ->sortable(),
-                Tables\Columns\TextColumn::make('updated_at')
+                TextColumn::make('updated_at')
                     ->dateTime()
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),

app/Filament/Resources/TimeEntryResource.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Filament\Resources;
 
 use App\Filament\Resources\TimeEntryResource\Pages;
+use App\Models\Member;
 use App\Models\TimeEntry;
 use Filament\Forms\Components\DateTimePicker;
 use Filament\Forms\Components\Select;
@@ -16,6 +17,7 @@ use Filament\Tables;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
 
 class TimeEntryResource extends Resource
 {
@@ -51,15 +53,23 @@ class TimeEntryResource extends Resource
                     ->rules([
                         'after_or_equal:start',
                     ]),
-                Select::make('user_id')
-                    ->relationship(name: 'user', titleAttribute: 'email')
-                    ->searchable(['name', 'email'])
+                Select::make('member_id')
+                    ->relationship(
+                        name: 'member',
+                        titleAttribute: 'id',
+                        modifyQueryUsing: fn (Builder $query) => $query->with(['user', 'organization'])
+                    )
+                    ->getOptionLabelFromRecordUsing(fn (Member $record): string => $record->user->email.' ('.$record->organization->name.')')
+                    ->searchable()
                     ->required(),
                 Select::make('project_id')
                     ->relationship(name: 'project', titleAttribute: 'name')
                     ->searchable(['name'])
                     ->nullable(),
-                // TODO
+                Select::make('task_id')
+                    ->relationship(name: 'task', titleAttribute: 'name')
+                    ->searchable(['name'])
+                    ->nullable(),
             ]);
     }
 
@@ -83,11 +93,11 @@ class TimeEntryResource extends Resource
                             ($record->end?->toDateTimeString('minute') ?? '...').')';
                     })
                     ->label('Time'),
-                Tables\Columns\TextColumn::make('organization.name')
+                TextColumn::make('organization.name')
                     ->sortable(),
-                Tables\Columns\TextColumn::make('created_at')
+                TextColumn::make('created_at')
                     ->sortable(),
-                Tables\Columns\TextColumn::make('updated_at')
+                TextColumn::make('updated_at')
                     ->sortable(),
             ])
             ->filters([

app/Filament/Resources/TimeEntryResource/Pages/CreateTimeEntry.php

@@ -5,9 +5,28 @@ declare(strict_types=1);
 namespace App\Filament\Resources\TimeEntryResource\Pages;
 
 use App\Filament\Resources\TimeEntryResource;
+use App\Models\Member;
 use Filament\Resources\Pages\CreateRecord;
 
 class CreateTimeEntry extends CreateRecord
 {
     protected static string $resource = TimeEntryResource::class;
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array<string, mixed>
+     */
+    protected function mutateFormDataBeforeCreate(array $data): array
+    {
+        if (isset($data['member_id'])) {
+            /** @var Member|null $member */
+            $member = Member::query()->find($data['member_id']);
+            if ($member !== null) {
+                $data['user_id'] = $member->user_id;
+                $data['organization_id'] = $member->organization_id;
+            }
+        }
+
+        return $data;
+    }
 }

app/Filament/Resources/TimeEntryResource/Pages/EditTimeEntry.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Filament\Resources\TimeEntryResource\Pages;
 
 use App\Filament\Resources\TimeEntryResource;
+use App\Models\Member;
 use Filament\Actions;
 use Filament\Resources\Pages\EditRecord;
 
@@ -19,4 +20,22 @@ class EditTimeEntry extends EditRecord
                 ->icon('heroicon-m-trash'),
         ];
     }
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array<string, mixed>
+     */
+    protected function mutateFormDataBeforeSave(array $data): array
+    {
+        if (isset($data['member_id'])) {
+            /** @var Member|null $member */
+            $member = Member::query()->find($data['member_id']);
+            if ($member !== null) {
+                $data['user_id'] = $member->user_id;
+                $data['organization_id'] = $member->organization_id;
+            }
+        }
+
+        return $data;
+    }
 }

app/Filament/Resources/TokenResource.php

@@ -5,7 +5,6 @@ declare(strict_types=1);
 namespace App\Filament\Resources;
 
 use App\Filament\Resources\TokenResource\Pages;
-use App\Models\Passport\Client;
 use App\Models\Passport\Token;
 use Filament\Forms;
 use Filament\Forms\Form;
@@ -40,7 +39,7 @@ class TokenResource extends Resource
                     ->label('Name')
                     ->required()
                     ->maxLength(255),
-                Forms\Components\Select::make('user_id')
+                Forms\Components\Select::make('owner_id')
                     ->label('User')
                     ->relationship(name: 'user', titleAttribute: 'name')
                     ->searchable(['name'])
@@ -79,10 +78,12 @@ class TokenResource extends Resource
                 Tables\Columns\TextColumn::make('client.name')
                     ->searchable()
                     ->sortable(),
-                Tables\Columns\IconColumn::make('client.personal_access_client')
+                Tables\Columns\IconColumn::make('personal_access_client')
+                    ->state(function (Token $token): bool {
+                        return in_array('personal_access', $token->client->grant_types ?? [], true);
+                    })
                     ->boolean()
-                    ->label('API token?')
-                    ->sortable(),
+                    ->label('API token?'),
                 Tables\Columns\IconColumn::make('revoked')
                     ->boolean()
                     ->label('Revoked?')
@@ -104,17 +105,11 @@ class TokenResource extends Resource
                     ->queries(
                         true: function (Builder $query) {
                             /** @var Builder<Token> $query */
-                            return $query->whereHas('client', function (Builder $query) {
-                                /** @var Builder<Client> $query */
-                                return $query->where('personal_access_client', true);
-                            });
+                            return $query->isApiToken();
                         },
                         false: function (Builder $query) {
                             /** @var Builder<Token> $query */
-                            return $query->whereHas('client', function (Builder $query) {
-                                /** @var Builder<Client> $query */
-                                return $query->where('personal_access_client', false);
-                            });
+                            return $query->isApiToken(false);
                         },
                         blank: function (Builder $query) {
                             /** @var Builder<Token> $query */

app/Filament/Resources/UserResource.php

@@ -12,6 +12,7 @@ use App\Filament\Resources\UserResource\RelationManagers\OwnedOrganizationsRelat
 use App\Models\User;
 use App\Service\DeletionService;
 use App\Service\TimezoneService;
+use App\Service\UserService;
 use Brick\Money\ISOCurrencyProvider;
 use Exception;
 use Filament\Forms;
@@ -23,6 +24,7 @@ use Filament\Tables;
 use Filament\Tables\Filters\TernaryFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
 use Korridor\LaravelModelValidationRules\Rules\UniqueEloquent;
@@ -46,17 +48,17 @@ class UserResource extends Resource
         return $form
             ->columns(1)
             ->schema([
-                Forms\Components\TextInput::make('id')
+                TextInput::make('id')
                     ->label('ID')
                     ->disabled()
                     ->visibleOn(['update', 'show'])
                     ->readOnly()
                     ->maxLength(255),
-                Forms\Components\TextInput::make('name')
+                TextInput::make('name')
                     ->label('Name')
                     ->required()
                     ->maxLength(255),
-                Forms\Components\TextInput::make('email')
+                TextInput::make('email')
                     ->label('Email')
                     ->required()
                     ->rules($record?->is_placeholder ? [] : [
@@ -178,7 +180,7 @@ class UserResource extends Resource
             ])
             ->actions([
                 Impersonate::make()->before(function (User $record): void {
-                    if ($record->currentTeam === null) {
+                    if ($record->currentOrganization === null) {
                         $organization = $record->organizations()->where('personal_team', '=', true)->first();
                         if ($organization === null) {
                             $organization = $record->organizations()->first();
@@ -186,8 +188,7 @@ class UserResource extends Resource
                         if ($organization === null) {
                             throw new Exception('User has no organization');
                         }
-                        $record->currentTeam()->associate($organization);
-                        $record->save();
+                        app(UserService::class)->switchCurrentOrganization($record, $organization);
                     }
                 }),
                 Tables\Actions\EditAction::make(),
@@ -207,6 +208,14 @@ class UserResource extends Resource
                     }),
             ])
             ->bulkActions([
+                Tables\Actions\BulkAction::make('Resend verification email')
+                    ->icon('heroicon-o-paper-airplane')
+                    ->action(function (Collection $records): void {
+                        foreach ($records as $user) {
+                            /** @var User $user */
+                            $user->sendEmailVerificationNotification();
+                        }
+                    }),
             ]);
     }
 

app/Filament/Resources/UserResource/RelationManagers/OwnedOrganizationsRelationManager.php

@@ -16,7 +16,7 @@ class OwnedOrganizationsRelationManager extends RelationManager
 {
     protected static ?string $title = 'Owned Organizations';
 
-    protected static string $relationship = 'ownedTeams';
+    protected static string $relationship = 'ownedOrganizations';
 
     public function form(Form $form): Form
     {

app/Http/Controllers/Api/V1/ApiTokenController.php

@@ -8,16 +8,19 @@ use App\Exceptions\Api\PersonalAccessClientIsNotConfiguredException;
 use App\Http\Requests\V1\ApiToken\ApiTokenStoreRequest;
 use App\Http\Resources\V1\ApiToken\ApiTokenCollection;
 use App\Http\Resources\V1\ApiToken\ApiTokenWithAccessTokenResource;
+use App\Models\Passport\Client;
 use App\Models\Passport\Token;
 use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Str;
 
 class ApiTokenController extends Controller
 {
     /**
      * List all api token of the currently authenticated user
      *
-     * This endpoint is independent of organization.
+     * This endpoint is independent of the organization.
      *
      * @operationId getApiTokens
      *
@@ -28,7 +31,11 @@ class ApiTokenController extends Controller
         $user = $this->user();
 
         $tokens = $user->tokens()
-            ->where('client_id', '=', config('passport.personal_access_client.id'))
+            ->whereHas('client', function (Builder $query): void {
+                /** @var Builder<Client> $query */
+                $query->whereJsonContains('grant_types', 'personal_access');
+            })
+            ->orderBy('created_at', 'desc')
             ->get();
 
         return new ApiTokenCollection($tokens);
@@ -48,15 +55,21 @@ class ApiTokenController extends Controller
     {
         $user = $this->user();
 
-        if (config('passport.personal_access_client.id') === null || config('passport.personal_access_client.secret') === null) {
-            throw new PersonalAccessClientIsNotConfiguredException;
+        try {
+            $token = $user->createToken($request->getName(), ['*']);
+
+            /** @var Token $tokenModel */
+            $tokenModel = $token->getToken();
+
+            return new ApiTokenWithAccessTokenResource($tokenModel, $token->accessToken);
+        } catch (\RuntimeException $exception) {
+            report($exception);
+            if (Str::contains($exception->getMessage(), ['Personal access client not found'])) {
+                throw new PersonalAccessClientIsNotConfiguredException;
+            }
+
+            throw $exception;
         }
-
-        $token = $user->createToken($request->getName(), ['*']);
-        /** @var Token $tokenModel */
-        $tokenModel = $token->token;
-
-        return new ApiTokenWithAccessTokenResource($tokenModel, $token->accessToken);
     }
 
     /**
@@ -71,13 +84,10 @@ class ApiTokenController extends Controller
     {
         $user = $this->user();
 
-        if (config('passport.personal_access_client.id') === null || config('passport.personal_access_client.secret') === null) {
-            throw new PersonalAccessClientIsNotConfiguredException;
-        }
         if ($apiToken->user_id !== $user->getKey()) {
             throw new AuthorizationException('API token does not belong to user');
         }
-        if ($apiToken->client_id !== config('passport.personal_access_client.id')) {
+        if (! ($apiToken->client?->hasGrantType('personal_access') ?? false)) {
             throw new AuthorizationException('API token is not a personal access token');
         }
 
@@ -97,13 +107,10 @@ class ApiTokenController extends Controller
     {
         $user = $this->user();
 
-        if (config('passport.personal_access_client.id') === null || config('passport.personal_access_client.secret') === null) {
-            throw new PersonalAccessClientIsNotConfiguredException;
-        }
         if ($apiToken->user_id !== $user->getKey()) {
             throw new AuthorizationException('API token does not belong to user');
         }
-        if ($apiToken->client_id !== config('passport.personal_access_client.id')) {
+        if (! ($apiToken->client?->hasGrantType('personal_access') ?? false)) {
             throw new AuthorizationException('API token is not a personal access token');
         }
 

app/Http/Controllers/Api/V1/ChartController.php

@@ -14,6 +14,8 @@ use Illuminate\Http\JsonResponse;
 class ChartController extends Controller
 {
     /**
+     * Get chart data for the weekly project overview.
+     *
      * @throws AuthorizationException
      *
      * @operationId weeklyProjectOverview
@@ -31,6 +33,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for the latest tasks.
+     *
      * @throws AuthorizationException
      *
      * @operationId latestTasks
@@ -48,6 +52,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for the last seven days.
+     *
      * @throws AuthorizationException
      *
      * @operationId lastSevenDays
@@ -65,6 +71,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for the latest team activity.
+     *
      * @throws AuthorizationException
      *
      * @operationId latestTeamActivity
@@ -81,6 +89,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for daily tracked hours.
+     *
      * @throws AuthorizationException
      *
      * @operationId dailyTrackedHours
@@ -92,12 +102,14 @@ class ChartController extends Controller
         $this->checkPermission($organization, 'charts:view:own');
         $user = $this->user();
 
-        $dailyTrackedHours = $dashboardService->getDailyTrackedHours($user, $organization, 60);
+        $dailyTrackedHours = $dashboardService->getDailyTrackedHours($user, $organization, 100);
 
         return response()->json($dailyTrackedHours);
     }
 
     /**
+     * Get chart data for total weekly time.
+     *
      * @throws AuthorizationException
      *
      * @operationId totalWeeklyTime
@@ -115,6 +127,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for total weekly billable time.
+     *
      * @throws AuthorizationException
      *
      * @operationId totalWeeklyBillableTime
@@ -132,6 +146,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for total weekly billable amount.
+     *
      * @throws AuthorizationException
      *
      * @operationId totalWeeklyBillableAmount
@@ -154,6 +170,8 @@ class ChartController extends Controller
     }
 
     /**
+     * Get chart data for weekly history.
+     *
      * @throws AuthorizationException
      *
      * @operationId weeklyHistory

app/Http/Controllers/Api/V1/ClientController.php

@@ -38,11 +38,17 @@ class ClientController extends Controller
     public function index(Organization $organization, ClientIndexRequest $request): ClientCollection
     {
         $this->checkPermission($organization, 'clients:view');
+        $canViewAllClients = $this->hasPermission($organization, 'clients:view:all');
+        $user = $this->user();
 
         $clientsQuery = Client::query()
             ->whereBelongsTo($organization, 'organization')
             ->orderBy('created_at', 'desc');
 
+        if (! $canViewAllClients) {
+            $clientsQuery->visibleByEmployee($user);
+        }
+
         $filterArchived = $request->getFilterArchived();
         if ($filterArchived === 'true') {
             $clientsQuery->whereNotNull('archived_at');

app/Http/Controllers/Api/V1/CurrencyController.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Controller;
+use App\Service\CurrencyService;
+use Brick\Money\Currency;
+use Brick\Money\ISOCurrencyProvider;
+use Illuminate\Http\JsonResponse;
+
+class CurrencyController extends Controller
+{
+    /**
+     * Get all currencies
+     *
+     * @response array{code: string, name: string, symbol: string}[]
+     *
+     * @operationId getCurrencies
+     */
+    public function index(): JsonResponse
+    {
+        $currencyService = app(CurrencyService::class);
+
+        $currencies = array_values(array_map(
+            fn (Currency $currency): array => [
+                'code' => $currency->getCurrencyCode(),
+                'name' => $currency->getName(),
+                'symbol' => $currencyService->getCurrencySymbol($currency->getCurrencyCode()),
+            ],
+            ISOCurrencyProvider::getInstance()->getAvailableCurrencies()
+        ));
+
+        return response()->json($currencies);
+    }
+}

app/Http/Controllers/Api/V1/InvitationController.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api\V1;
 
+use App\Exceptions\Api\InvitationForTheEmailAlreadyExistsApiException;
 use App\Exceptions\Api\UserIsAlreadyMemberOfOrganizationApiException;
 use App\Http\Requests\V1\Invitation\InvitationIndexRequest;
 use App\Http\Requests\V1\Invitation\InvitationStoreRequest;
@@ -39,7 +40,8 @@ class InvitationController extends Controller
     {
         $this->checkPermission($organization, 'invitations:view');
 
-        $invitations = $organization->teamInvitations()
+        $invitations = $organization->organizationInvitations()
+            ->orderBy('created_at', 'desc')
             ->paginate(config('app.pagination_per_page_default'));
 
         return InvitationCollection::make($invitations);
@@ -50,6 +52,7 @@ class InvitationController extends Controller
      *
      * @throws AuthorizationException
      * @throws UserIsAlreadyMemberOfOrganizationApiException
+     * @throws InvitationForTheEmailAlreadyExistsApiException
      *
      * @operationId invite
      */
@@ -60,7 +63,7 @@ class InvitationController extends Controller
         $email = $request->getEmail();
         $role = $request->getRole();
 
-        $invitationService->inviteUser($organization, $email, $role);
+        $invitationService->inviteUser($organization, $email, $role, $this->user());
 
         return response()->json(null, 204);
     }

app/Http/Controllers/Api/V1/MemberController.php

@@ -10,12 +10,14 @@ use App\Exceptions\Api\CanNotRemoveOwnerFromOrganization;
 use App\Exceptions\Api\ChangingRoleOfPlaceholderIsNotAllowed;
 use App\Exceptions\Api\ChangingRoleToPlaceholderIsNotAllowed;
 use App\Exceptions\Api\EntityStillInUseApiException;
+use App\Exceptions\Api\InvitationForTheEmailAlreadyExistsApiException;
 use App\Exceptions\Api\OnlyOwnerCanChangeOwnership;
 use App\Exceptions\Api\OnlyPlaceholdersCanBeMergedIntoAnotherMember;
 use App\Exceptions\Api\OrganizationNeedsAtLeastOneOwner;
 use App\Exceptions\Api\ThisPlaceholderCanNotBeInvitedUseTheMergeToolInsteadException;
 use App\Exceptions\Api\UserIsAlreadyMemberOfOrganizationApiException;
 use App\Exceptions\Api\UserNotPlaceholderApiException;
+use App\Http\Requests\V1\Member\MemberDestroyRequest;
 use App\Http\Requests\V1\Member\MemberIndexRequest;
 use App\Http\Requests\V1\Member\MemberMergeIntoRequest;
 use App\Http\Requests\V1\Member\MemberUpdateRequest;
@@ -58,6 +60,7 @@ class MemberController extends Controller
         $members = Member::query()
             ->whereBelongsTo($organization, 'organization')
             ->with(['user'])
+            ->orderBy('created_at', 'desc')
             ->paginate(config('app.pagination_per_page_default'));
 
         return MemberCollection::make($members);
@@ -100,11 +103,13 @@ class MemberController extends Controller
      *
      * @operationId removeMember
      */
-    public function destroy(Organization $organization, Member $member, MemberService $memberService): JsonResponse
+    public function destroy(MemberDestroyRequest $request, Organization $organization, Member $member, MemberService $memberService): JsonResponse
     {
         $this->checkPermission($organization, 'members:delete', $member);
 
-        $memberService->removeMember($member, $organization);
+        $deleteRelated = $request->getDeleteRelated();
+
+        $memberService->removeMember($member, $organization, $deleteRelated);
 
         return response()
             ->json(null, 204);
@@ -170,6 +175,7 @@ class MemberController extends Controller
      * @throws UserNotPlaceholderApiException
      * @throws UserIsAlreadyMemberOfOrganizationApiException
      * @throws ThisPlaceholderCanNotBeInvitedUseTheMergeToolInsteadException
+     * @throws InvitationForTheEmailAlreadyExistsApiException
      *
      * @operationId invitePlaceholder
      */
@@ -186,7 +192,7 @@ class MemberController extends Controller
             throw new ThisPlaceholderCanNotBeInvitedUseTheMergeToolInsteadException;
         }
 
-        $invitationService->inviteUser($organization, $user->email, Role::Employee);
+        $invitationService->inviteUser($organization, $user->email, Role::Employee, $this->user());
 
         return response()->json(null, 204);
     }

app/Http/Controllers/Api/V1/OrganizationController.php

@@ -5,11 +5,18 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api\V1;
 
 use App\Enums\Role;
+use App\Events\AfterCreateOrganization;
+use App\Http\Requests\V1\Organization\OrganizationStoreRequest;
 use App\Http\Requests\V1\Organization\OrganizationUpdateRequest;
 use App\Http\Resources\V1\Organization\OrganizationResource;
 use App\Models\Organization;
 use App\Service\BillableRateService;
+use App\Service\DeletionService;
+use App\Service\IpLookup\IpLookupServiceContract;
+use App\Service\OrganizationService;
+use App\Service\UserService;
 use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Http\JsonResponse;
 
 class OrganizationController extends Controller
 {
@@ -46,6 +53,9 @@ class OrganizationController extends Controller
         if ($request->getEmployeesCanSeeBillableRates() !== null) {
             $organization->employees_can_see_billable_rates = $request->getEmployeesCanSeeBillableRates();
         }
+        if ($request->getEmployeesCanManageTasks() !== null) {
+            $organization->employees_can_manage_tasks = $request->getEmployeesCanManageTasks();
+        }
         if ($request->getNumberFormat() !== null) {
             $organization->number_format = $request->getNumberFormat();
         }
@@ -61,6 +71,9 @@ class OrganizationController extends Controller
         if ($request->getTimeFormat() !== null) {
             $organization->time_format = $request->getTimeFormat();
         }
+        if ($request->getPreventOverlappingTimeEntries() !== null) {
+            $organization->prevent_overlapping_time_entries = $request->getPreventOverlappingTimeEntries();
+        }
         $hasBillableRate = $request->has('billable_rate');
         if ($hasBillableRate) {
             $oldBillableRate = $organization->billable_rate;
@@ -74,4 +87,46 @@ class OrganizationController extends Controller
 
         return new OrganizationResource($organization, true);
     }
+
+    /**
+     * Create organization
+     *
+     * @operationId createOrganization
+     */
+    public function store(OrganizationStoreRequest $request, OrganizationService $organizationService): OrganizationResource
+    {
+        $user = $this->user();
+        $ipLookupResponse = app(IpLookupServiceContract::class)->lookup($request->ip());
+
+        $currency = $ipLookupResponse?->currency;
+
+        $organization = $organizationService->createOrganization(
+            $request->getName(),
+            $user,
+            false,
+            $currency
+        );
+
+        app(UserService::class)->switchCurrentOrganization($user, $organization);
+
+        AfterCreateOrganization::dispatch($organization);
+
+        return new OrganizationResource($organization, true);
+    }
+
+    /**
+     * Delete organization
+     *
+     * @operationId deleteOrganization
+     *
+     * @throws AuthorizationException
+     */
+    public function destroy(Organization $organization, DeletionService $deletionService): JsonResponse
+    {
+        $this->checkPermission($organization, 'organizations:delete');
+
+        $deletionService->deleteOrganization($organization);
+
+        return response()->json(null, 204);
+    }
 }

app/Http/Controllers/Api/V1/ProjectController.php

@@ -60,7 +60,9 @@ class ProjectController extends Controller
             $projectsQuery->whereNull('archived_at');
         }
 
-        $projects = $projectsQuery->paginate(config('app.pagination_per_page_default'));
+        $projects = $projectsQuery
+            ->orderBy('created_at', 'desc')
+            ->paginate(config('app.pagination_per_page_default'));
 
         $showBillableRate = $this->member($organization)->role !== Role::Employee->value || $organization->employees_can_see_billable_rates;
 
@@ -76,7 +78,7 @@ class ProjectController extends Controller
      */
     public function show(Organization $organization, Project $project): JsonResource
     {
-        $this->checkPermission($organization, 'projects:view', $project);
+        $this->checkPermission($organization, 'projects:view:all', $project);
 
         // Note: There is currently no need to check if a user is a member of the project,
         // since this is only relevant for users with the role "employee" and they can not access this endpoint.

app/Http/Controllers/Api/V1/ProjectMemberController.php

@@ -6,6 +6,7 @@ namespace App\Http\Controllers\Api\V1;
 
 use App\Exceptions\Api\InactiveUserCanNotBeUsedApiException;
 use App\Exceptions\Api\UserIsAlreadyMemberOfProjectApiException;
+use App\Http\Requests\V1\ProjectMember\ProjectMemberIndexRequest;
 use App\Http\Requests\V1\ProjectMember\ProjectMemberStoreRequest;
 use App\Http\Requests\V1\ProjectMember\ProjectMemberUpdateRequest;
 use App\Http\Resources\V1\ProjectMember\ProjectMemberCollection;
@@ -41,12 +42,13 @@ class ProjectMemberController extends Controller
      *
      * @operationId getProjectMembers
      */
-    public function index(Organization $organization, Project $project): ProjectMemberCollection
+    public function index(Organization $organization, Project $project, ProjectMemberIndexRequest $request): ProjectMemberCollection
     {
         $this->checkPermission($organization, 'project-members:view', $project);
 
         $projectMembers = ProjectMember::query()
             ->whereBelongsTo($project, 'project')
+            ->orderBy('created_at', 'desc')
             ->paginate(config('app.pagination_per_page_default'));
 
         return new ProjectMemberCollection($projectMembers);

app/Http/Controllers/Api/V1/Public/ReportController.php

@@ -73,7 +73,9 @@ class ReportController extends Controller
             false,
             $report->properties->start,
             $report->properties->end,
-            true
+            true,
+            $report->properties->roundingType,
+            $report->properties->roundingMinutes,
         );
         $historyData = $timeEntryAggregationService->getAggregatedTimeEntriesWithDescriptions(
             $timeEntriesQuery->clone(),
@@ -84,7 +86,9 @@ class ReportController extends Controller
             true,
             $report->properties->start,
             $report->properties->end,
-            true
+            true,
+            $report->properties->roundingType,
+            $report->properties->roundingMinutes,
         );
 
         return new DetailedWithDataReportResource($report, $data, $historyData);

app/Http/Controllers/Api/V1/ReportController.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api\V1;
 
 use App\Enums\Weekday;
+use App\Http\Requests\V1\Report\ReportIndexRequest;
 use App\Http\Requests\V1\Report\ReportStoreRequest;
 use App\Http\Requests\V1\Report\ReportUpdateRequest;
 use App\Http\Resources\V1\Report\DetailedReportResource;
@@ -40,7 +41,7 @@ class ReportController extends Controller
      *
      * @operationId getReports
      */
-    public function index(Organization $organization): ReportCollection
+    public function index(Organization $organization, ReportIndexRequest $request): ReportCollection
     {
         $this->checkPermission($organization, 'reports:view');
 
@@ -107,6 +108,8 @@ class ReportController extends Controller
             }
         }
         $properties->timezone = $timezone;
+        $properties->roundingType = $request->getPropertyRoundingType();
+        $properties->roundingMinutes = $request->getPropertyRoundingMinutes();
         $report->properties = $properties;
         if ($isPublic) {
             $report->share_secret = $reportService->generateSecret();
@@ -148,6 +151,9 @@ class ReportController extends Controller
                 $report->share_secret = null;
                 $report->public_until = null;
             }
+        } elseif ($report->is_public && $request->has('public_until')) {
+            // Allow updating expiration date on already-public reports
+            $report->public_until = $request->getPublicUntil();
         }
         $report->save();
 

app/Http/Controllers/Api/V1/TagController.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api\V1;
 
 use App\Exceptions\Api\EntityStillInUseApiException;
+use App\Http\Requests\V1\Tag\TagIndexRequest;
 use App\Http\Requests\V1\Tag\TagStoreRequest;
 use App\Http\Requests\V1\Tag\TagUpdateRequest;
 use App\Http\Resources\V1\Tag\TagCollection;
@@ -34,7 +35,7 @@ class TagController extends Controller
      *
      * @throws AuthorizationException
      */
-    public function index(Organization $organization): TagCollection
+    public function index(Organization $organization, TagIndexRequest $request): TagCollection
     {
         $this->checkPermission($organization, 'tags:view');
 

app/Http/Controllers/Api/V1/TaskController.php

@@ -11,6 +11,7 @@ use App\Http\Requests\V1\Task\TaskUpdateRequest;
 use App\Http\Resources\V1\Task\TaskCollection;
 use App\Http\Resources\V1\Task\TaskResource;
 use App\Models\Organization;
+use App\Models\Project;
 use App\Models\Task;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Http\JsonResponse;
@@ -27,6 +28,26 @@ class TaskController extends Controller
         }
     }
 
+    /**
+     * Check scoped permission and verify user has access to the project
+     *
+     * @throws AuthorizationException
+     */
+    private function checkScopedPermissionForProject(Organization $organization, Project $project, string $permission): void
+    {
+        $this->checkPermission($organization, $permission);
+
+        $user = $this->user();
+        $hasAccess = Project::query()
+            ->where('id', $project->id)
+            ->visibleByEmployee($user)
+            ->exists();
+
+        if (! $hasAccess) {
+            throw new AuthorizationException('You do not have permission to '.$permission.' in this project.');
+        }
+    }
+
     /**
      * Get tasks
      *
@@ -61,7 +82,9 @@ class TaskController extends Controller
             $query->whereNull('done_at');
         }
 
-        $tasks = $query->paginate(config('app.pagination_per_page_default'));
+        $tasks = $query
+            ->orderBy('created_at', 'desc')
+            ->paginate(config('app.pagination_per_page_default'));
 
         return new TaskCollection($tasks);
     }
@@ -75,7 +98,15 @@ class TaskController extends Controller
      */
     public function store(Organization $organization, TaskStoreRequest $request): JsonResource
     {
-        $this->checkPermission($organization, 'tasks:create');
+        /** @var Project $project */
+        $project = Project::query()->findOrFail($request->input('project_id'));
+
+        if ($this->hasPermission($organization, 'tasks:create:all')) {
+            $this->checkPermission($organization, 'tasks:create:all');
+        } else {
+            $this->checkScopedPermissionForProject($organization, $project, 'tasks:create');
+        }
+
         $task = new Task;
         $task->name = $request->input('name');
         $task->project_id = $request->input('project_id');
@@ -97,7 +128,17 @@ class TaskController extends Controller
      */
     public function update(Organization $organization, Task $task, TaskUpdateRequest $request): JsonResource
     {
-        $this->checkPermission($organization, 'tasks:update', $task);
+        // Check task belongs to organization
+        if ($task->organization_id !== $organization->id) {
+            throw new AuthorizationException('Task does not belong to organization');
+        }
+
+        if ($this->hasPermission($organization, 'tasks:update:all')) {
+            $this->checkPermission($organization, 'tasks:update:all');
+        } else {
+            $this->checkScopedPermissionForProject($organization, $task->project, 'tasks:update');
+        }
+
         $task->name = $request->input('name');
         if ($this->canAccessPremiumFeatures($organization) && $request->has('estimated_time')) {
             $task->estimated_time = $request->getEstimatedTime();
@@ -119,7 +160,16 @@ class TaskController extends Controller
      */
     public function destroy(Organization $organization, Task $task): JsonResponse
     {
-        $this->checkPermission($organization, 'tasks:delete', $task);
+        // Check task belongs to organization
+        if ($task->organization_id !== $organization->id) {
+            throw new AuthorizationException('Task does not belong to organization');
+        }
+
+        if ($this->hasPermission($organization, 'tasks:delete:all')) {
+            $this->checkPermission($organization, 'tasks:delete:all');
+        } else {
+            $this->checkScopedPermissionForProject($organization, $task->project, 'tasks:delete');
+        }
 
         if ($task->timeEntries()->exists()) {
             throw new EntityStillInUseApiException('task', 'time_entry');

app/Http/Controllers/Api/V1/TimeEntryController.php

@@ -7,6 +7,7 @@ namespace App\Http\Controllers\Api\V1;
 use App\Enums\ExportFormat;
 use App\Enums\Role;
 use App\Exceptions\Api\FeatureIsNotAvailableInFreePlanApiException;
+use App\Exceptions\Api\OverlappingTimeEntryApiException;
 use App\Exceptions\Api\PdfRendererIsNotConfiguredException;
 use App\Exceptions\Api\TimeEntryCanNotBeRestartedApiException;
 use App\Exceptions\Api\TimeEntryStillRunningApiException;
@@ -33,6 +34,7 @@ use App\Service\ReportExport\TimeEntriesDetailedExport;
 use App\Service\ReportExport\TimeEntriesReportExport;
 use App\Service\TimeEntryAggregationService;
 use App\Service\TimeEntryFilter;
+use App\Service\TimeEntryService;
 use App\Service\TimezoneService;
 use Gotenberg\Exceptions\GotenbergApiErrored;
 use Gotenberg\Exceptions\NoOutputFileInResponse;
@@ -44,16 +46,56 @@ use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\File;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Resources\Json\JsonResource;
+use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use Maatwebsite\Excel\Facades\Excel;
 use Spatie\TemporaryDirectory\TemporaryDirectory;
 
 class TimeEntryController extends Controller
 {
+    private function assertNoOverlap(Organization $organization, Member $member, Carbon $start, ?Carbon $end, ?TimeEntry $exclude = null): void
+    {
+        if (! $organization->prevent_overlapping_time_entries) {
+            return;
+        }
+
+        $query = TimeEntry::query()
+            ->where('organization_id', $organization->getKey())
+            ->where('user_id', $member->user_id)
+            ->when($exclude !== null, function (Builder $q) use ($exclude): void {
+                $q->where('id', '!=', $exclude->getKey());
+            })
+            ->where(function (Builder $q) use ($start, $end): void {
+                $q->where(function (Builder $q2) use ($start): void {
+                    $q2->where('end', '>', $start)
+                        ->where('start', '<', $start);
+                });
+
+                if ($end !== null) {
+                    $q->orWhere(function (Builder $q4) use ($end): void {
+                        $q4->where('start', '<', $end)
+                            ->where('end', '>', $end);
+                    });
+                    // Check if the new entry completely surrounds an existing entry
+                    $q->orWhere(function (Builder $q6) use ($start, $end): void {
+                        $q6->where('start', '>=', $start)
+                            ->where('end', '<=', $end);
+                    });
+                }
+
+            });
+
+        if ($query->exists()) {
+            throw new OverlappingTimeEntryApiException;
+        }
+    }
+
     protected function checkPermission(Organization $organization, string $permission, ?TimeEntry $timeEntry = null): void
     {
         parent::checkPermission($organization, $permission);
@@ -84,7 +126,8 @@ class TimeEntryController extends Controller
             $this->checkPermission($organization, 'time-entries:view:all');
         }
 
-        $timeEntriesQuery = $this->getTimeEntriesQuery($organization, $request, $member);
+        $canAccessPremiumFeatures = $this->canAccessPremiumFeatures($organization);
+        $timeEntriesQuery = $this->getTimeEntriesQuery($organization, $request, $member, $canAccessPremiumFeatures);
 
         $totalCount = $timeEntriesQuery->count();
 
@@ -138,10 +181,19 @@ class TimeEntryController extends Controller
     /**
      * @return Builder<TimeEntry>
      */
-    private function getTimeEntriesQuery(Organization $organization, TimeEntryIndexRequest|TimeEntryIndexExportRequest $request, ?Member $member): Builder
+    private function getTimeEntriesQuery(Organization $organization, TimeEntryIndexRequest|TimeEntryIndexExportRequest $request, ?Member $member, bool $canAccessPremiumFeatures): Builder
     {
+        $select = TimeEntry::SELECT_COLUMNS;
+        $roundingType = $canAccessPremiumFeatures ? $request->getRoundingType() : null;
+        $roundingMinutes = $canAccessPremiumFeatures ? $request->getRoundingMinutes() : null;
+        if ($roundingType !== null && $roundingMinutes !== null) {
+            $select = array_diff($select, ['start', 'end']);
+            $select[] = DB::raw(app(TimeEntryService::class)->getStartSelectRawForRounding($roundingType, $roundingMinutes).' as start');
+            $select[] = DB::raw(app(TimeEntryService::class)->getEndSelectRawForRounding($roundingType, $roundingMinutes).' as end');
+        }
         $timeEntriesQuery = TimeEntry::query()
             ->whereBelongsTo($organization, 'organization')
+            ->select($select)
             ->orderBy('start', 'desc');
 
         $filter = new TimeEntryFilter($timeEntriesQuery);
@@ -175,16 +227,19 @@ class TimeEntryController extends Controller
         } else {
             $this->checkPermission($organization, 'time-entries:view:all');
         }
+        $canAccessPremiumFeatures = $this->canAccessPremiumFeatures($organization);
         $debug = $request->getDebug();
         $format = $request->getFormatValue();
-        if ($format === ExportFormat::PDF && ! $this->canAccessPremiumFeatures($organization)) {
+        if ($format === ExportFormat::PDF && ! $canAccessPremiumFeatures) {
             throw new FeatureIsNotAvailableInFreePlanApiException;
         }
         $user = $this->user();
         $timezone = $user->timezone;
         $showBillableRate = $this->member($organization)->role !== Role::Employee->value || $organization->employees_can_see_billable_rates;
+        $roundingType = $canAccessPremiumFeatures ? $request->getRoundingType() : null;
+        $roundingMinutes = $canAccessPremiumFeatures ? $request->getRoundingMinutes() : null;
 
-        $timeEntriesQuery = $this->getTimeEntriesQuery($organization, $request, $member);
+        $timeEntriesQuery = $this->getTimeEntriesQuery($organization, $request, $member, $canAccessPremiumFeatures);
         $timeEntriesQuery->with([
             'task',
             'client',
@@ -192,7 +247,7 @@ class TimeEntryController extends Controller
             'user',
             'tagsRelation',
         ]);
-        $filename = 'time-entries-export-'.now()->format('Y-m-d_H-i-s').'.'.$format->getFileExtension();
+        $filename = 'time-entries-export-'.now()->format('Y-m-d_H-i-s').'-'.Str::uuid().'.'.$format->getFileExtension();
         $folderPath = 'exports';
         $path = $folderPath.'/'.$filename;
         $localizationService = LocalizationService::forOrganization($organization);
@@ -207,8 +262,9 @@ class TimeEntryController extends Controller
             if ($viewFile === false) {
                 throw new \LogicException('View file not found');
             }
+            $timeEntriesAggregateQuery = $this->getTimeEntriesAggregateQuery($organization, $request, $member);
             $aggregatedData = $timeEntryAggregationService->getAggregatedTimeEntries(
-                $timeEntriesQuery->clone()->reorder()->withOnly([]),
+                $timeEntriesAggregateQuery,
                 null,
                 null,
                 $user->timezone,
@@ -216,7 +272,9 @@ class TimeEntryController extends Controller
                 false,
                 null,
                 null,
-                $showBillableRate
+                $showBillableRate,
+                $roundingType,
+                $roundingMinutes,
             );
             $html = Blade::render($viewFile, [
                 'timeEntries' => $timeEntriesQuery->get(),
@@ -226,6 +284,7 @@ class TimeEntryController extends Controller
                 'start' => $request->getStart()->timezone($timezone),
                 'end' => $request->getEnd()->timezone($timezone),
                 'localization' => $localizationService,
+                'showBillableRate' => $showBillableRate,
             ]);
             $footerViewFile = file_get_contents(resource_path('views/reports/time-entry-index/pdf-footer.blade.php'));
             if ($footerViewFile === false) {
@@ -317,12 +376,15 @@ class TimeEntryController extends Controller
         } else {
             $this->checkPermission($organization, 'time-entries:view:all');
         }
+        $canAccessPremiumFeatures = $this->canAccessPremiumFeatures($organization);
         $user = $this->user();
         $showBillableRate = $this->member($organization)->role !== Role::Employee->value || $organization->employees_can_see_billable_rates;
 
         $group1Type = $request->getGroup();
         $group2Type = $request->getSubGroup();
         $timeEntriesAggregateQuery = $this->getTimeEntriesAggregateQuery($organization, $request, $member);
+        $roundingType = $canAccessPremiumFeatures ? $request->getRoundingType() : null;
+        $roundingMinutes = $canAccessPremiumFeatures ? $request->getRoundingMinutes() : null;
 
         $aggregatedData = $timeEntryAggregationService->getAggregatedTimeEntries(
             $timeEntriesAggregateQuery,
@@ -333,7 +395,9 @@ class TimeEntryController extends Controller
             $request->getFillGapsInTimeGroups(),
             $request->getStart(),
             $request->getEnd(),
-            $showBillableRate
+            $showBillableRate,
+            $roundingType,
+            $roundingMinutes
         );
 
         return [
@@ -361,6 +425,7 @@ class TimeEntryController extends Controller
         } else {
             $this->checkPermission($organization, 'time-entries:view:all');
         }
+        $canAccessPremiumFeatures = $this->canAccessPremiumFeatures($organization);
         $format = $request->getFormatValue();
         if ($format === ExportFormat::PDF && ! $this->canAccessPremiumFeatures($organization)) {
             throw new FeatureIsNotAvailableInFreePlanApiException;
@@ -372,6 +437,8 @@ class TimeEntryController extends Controller
         $group = $request->getGroup();
         $subGroup = $request->getSubGroup();
         $timeEntriesAggregateQuery = $this->getTimeEntriesAggregateQuery($organization, $request, $member);
+        $roundingType = $canAccessPremiumFeatures ? $request->getRoundingType() : null;
+        $roundingMinutes = $canAccessPremiumFeatures ? $request->getRoundingMinutes() : null;
 
         $aggregatedData = $timeEntryAggregationService->getAggregatedTimeEntriesWithDescriptions(
             $timeEntriesAggregateQuery->clone(),
@@ -382,7 +449,9 @@ class TimeEntryController extends Controller
             false,
             $request->getStart(),
             $request->getEnd(),
-            $showBillableRate
+            $showBillableRate,
+            $roundingType,
+            $roundingMinutes
         );
         $dataHistoryChart = $timeEntryAggregationService->getAggregatedTimeEntries(
             $timeEntriesAggregateQuery->clone(),
@@ -393,13 +462,15 @@ class TimeEntryController extends Controller
             true,
             $request->getStart(),
             $request->getEnd(),
-            $showBillableRate
+            $showBillableRate,
+            $roundingType,
+            $roundingMinutes
         );
         $currency = $organization->currency;
         $timezone = app(TimezoneService::class)->getTimezoneFromUser($this->user());
         $localizationService = LocalizationService::forOrganization($organization);
 
-        $filename = 'time-entries-report-'.now()->format('Y-m-d_H-i-s').'.'.$format->getFileExtension();
+        $filename = 'time-entries-report-'.now()->format('Y-m-d_H-i-s').'-'.Str::uuid().'.'.$format->getFileExtension();
         $folderPath = 'exports';
         $path = $folderPath.'/'.$filename;
 
@@ -428,6 +499,7 @@ class TimeEntryController extends Controller
                 'end' => $request->getEnd()->timezone($timezone),
                 'debug' => $debug,
                 'localization' => $localizationService,
+                'showBillableRate' => $showBillableRate,
             ]);
             $footerViewFile = file_get_contents(resource_path('views/reports/time-entry-aggregate/pdf-footer.blade.php'));
             if ($footerViewFile === false) {
@@ -456,7 +528,7 @@ class TimeEntryController extends Controller
                 ->putFileAs($folderPath, new File($tempFolder->path($filenameTemp)), $filename);
         } else {
             Excel::store(
-                new TimeEntriesReportExport($aggregatedData, $format, $currency, $group, $subGroup),
+                new TimeEntriesReportExport($aggregatedData, $format, $currency, $group, $subGroup, $showBillableRate),
                 $path,
                 config('filesystems.private'),
                 $format->getExportPackageType(),
@@ -475,7 +547,7 @@ class TimeEntryController extends Controller
     /**
      * @return Builder<TimeEntry>
      */
-    private function getTimeEntriesAggregateQuery(Organization $organization, TimeEntryAggregateRequest|TimeEntryAggregateExportRequest $request, ?Member $member): Builder
+    private function getTimeEntriesAggregateQuery(Organization $organization, TimeEntryAggregateRequest|TimeEntryAggregateExportRequest|TimeEntryIndexExportRequest $request, ?Member $member): Builder
     {
         $timeEntriesQuery = TimeEntry::query()
             ->whereBelongsTo($organization, 'organization');
@@ -517,17 +589,15 @@ class TimeEntryController extends Controller
             throw new TimeEntryStillRunningApiException;
         }
 
+        // Overlap check for create
+        $start = Carbon::parse($request->input('start'));
+        $end = $request->input('end') !== null ? Carbon::parse($request->input('end')) : null;
+        $this->assertNoOverlap($organization, $member, $start, $end);
+
         $project = $request->input('project_id') !== null ? Project::findOrFail((string) $request->input('project_id')) : null;
         $client = $project?->client;
         $task = $request->input('task_id') !== null ? $project->tasks()->findOrFail((string) $request->input('task_id')) : null;
 
-        if ($project !== null) {
-            RecalculateSpentTimeForProject::dispatch($project);
-        }
-        if ($task !== null) {
-            RecalculateSpentTimeForTask::dispatch($task);
-        }
-
         $timeEntry = new TimeEntry;
         $timeEntry->fill($request->validated());
         $timeEntry->client()->associate($client);
@@ -537,6 +607,13 @@ class TimeEntryController extends Controller
         $timeEntry->setComputedAttributeValue('billable_rate');
         $timeEntry->save();
 
+        if ($project !== null) {
+            RecalculateSpentTimeForProject::dispatch($project);
+        }
+        if ($task !== null) {
+            RecalculateSpentTimeForTask::dispatch($task);
+        }
+
         return new TimeEntryResource($timeEntry);
     }
 
@@ -552,15 +629,22 @@ class TimeEntryController extends Controller
         /** @var Member|null $member */
         $member = $request->has('member_id') ? Member::query()->findOrFail($request->input('member_id')) : null;
         if ($timeEntry->member->user_id === Auth::id() && ($member === null || $member->user_id === Auth::id())) {
-            $this->checkPermission($organization, 'time-entries:update:own');
+            $this->checkPermission($organization, 'time-entries:update:own', $timeEntry);
         } else {
-            $this->checkPermission($organization, 'time-entries:update:all');
+            $this->checkPermission($organization, 'time-entries:update:all', $timeEntry);
         }
 
         if ($timeEntry->end !== null && $request->has('end') && $request->input('end') === null) {
             throw new TimeEntryCanNotBeRestartedApiException;
         }
 
+        // Overlap check for update (exclude current)
+        /** @var Member $effectiveMember */
+        $effectiveMember = $request->has('member_id') ? Member::query()->findOrFail($request->input('member_id')) : $timeEntry->member;
+        $effectiveStart = $request->has('start') ? Carbon::parse($request->input('start')) : $timeEntry->start;
+        $effectiveEnd = $request->has('end') ? ($request->input('end') !== null ? Carbon::parse($request->input('end')) : null) : $timeEntry->end;
+        $this->assertNoOverlap($organization, $effectiveMember, $effectiveStart, $effectiveEnd, $timeEntry);
+
         $oldProject = $timeEntry->project;
         $oldTask = $timeEntry->task;
 

app/Http/Controllers/Api/V1/TimeZoneController.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Service\TimezoneService;
+use Illuminate\Http\JsonResponse;
+
+class TimeZoneController extends Controller
+{
+    /**
+     * Get all timezones
+     *
+     * @response object{key: string}[]
+     *
+     * @operationId getTimezones
+     */
+    public function index(): JsonResponse
+    {
+        $timezones = app(TimezoneService::class)->getTimezones();
+
+        $response = [];
+
+        foreach ($timezones as $timezone) {
+            $response[] = (object) [
+                'key' => $timezone,
+            ];
+        }
+
+        return response()->json($response);
+    }
+}

app/Http/Controllers/Api/V1/UserController.php

@@ -4,15 +4,29 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api\V1;
 
+use App\Exceptions\Api\CanNotDeleteUserWhoIsOwnerOfOrganizationWithMultipleMembers;
+use App\Exceptions\Api\UserResendEmailVerificationNoPendingEmailApiException;
+use App\Http\Requests\V1\User\UserUpdateCurrentOrganizationRequest;
+use App\Http\Requests\V1\User\UserUpdateRequest;
 use App\Http\Resources\V1\User\UserResource;
+use App\Mail\VerifyUpdatedEmailMail;
+use App\Models\Organization;
+use App\Models\User;
+use App\Service\DeletionService;
+use App\Service\UserService;
+use App\Support\Base64File;
 use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 
 class UserController extends Controller
 {
     /**
      * Get the current user
      *
-     * This endpoint is independent of organization.
+     * This endpoint is independent of the organization.
      *
      * @operationId getMe
      *
@@ -24,4 +38,169 @@ class UserController extends Controller
 
         return new UserResource($user);
     }
+
+    /**
+     * Update the current organization of the current user
+     *
+     * Switches the organization that the user is currently working in. The user
+     * must be a member of the given organization. This endpoint is independent of
+     * the organization.
+     *
+     * @operationId updateMyCurrentOrganization
+     *
+     * @throws AuthorizationException
+     */
+    public function updateMyCurrentOrganization(UserUpdateCurrentOrganizationRequest $request, UserService $userService): UserResource
+    {
+        $user = $this->user();
+
+        /** @var Organization|null $organization */
+        $organization = $user->organizations()
+            ->whereKey($request->getOrganizationId())
+            ->first();
+
+        if ($organization === null) {
+            throw new AuthorizationException;
+        }
+
+        $userService->switchCurrentOrganization($user, $organization);
+
+        return new UserResource($user->refresh());
+    }
+
+    /**
+     * Update the current user
+     *
+     * This endpoint is independent of the organization.
+     *
+     * @operationId updateUser
+     */
+    public function update(User $user, UserUpdateRequest $request): UserResource
+    {
+        if ($user->getKey() !== $this->user()->getKey()) {
+            throw new AuthorizationException;
+        }
+
+        if ($request->hasPhotoKey()) {
+            $photoDisk = (string) config('filesystems.public');
+            $previousPhotoPath = $user->profile_photo_path;
+            $newPhoto = $request->getPhoto();
+
+            if ($newPhoto === null) {
+                $user->profile_photo_path = null;
+            } else {
+                $decoded = Base64File::decode($newPhoto);
+                assert($decoded !== null);
+                $extension = Base64File::extension($decoded['mime_type']);
+                assert($extension !== null);
+
+                $photoPath = 'profile-photos/'.Str::uuid().'.'.$extension;
+                Storage::disk($photoDisk)->put($photoPath, $decoded['data'], 'public');
+                $user->profile_photo_path = $photoPath;
+            }
+
+            if ($previousPhotoPath !== null) {
+                Storage::disk($photoDisk)->delete($previousPhotoPath);
+            }
+        }
+
+        $emailToVerify = null;
+        $email = $request->getEmail();
+        if ($email !== null && $email !== Str::lower($user->email)) {
+            $emailToVerify = $email;
+            $user->pending_email = $email;
+        }
+
+        if ($request->getName() !== null) {
+            $user->name = $request->getName();
+        }
+
+        if ($request->getTimezone() !== null) {
+            $user->timezone = $request->getTimezone();
+        }
+
+        if ($request->getWeekStart() !== null) {
+            $user->week_start = $request->getWeekStart();
+        }
+
+        $user->save();
+
+        if ($emailToVerify !== null) {
+            Mail::to($emailToVerify)->send(new VerifyUpdatedEmailMail($user, $emailToVerify));
+        }
+
+        return new UserResource($user);
+    }
+
+    /**
+     * Reset the pending email for a user.
+     *
+     * This endpoint is independent of the organization.
+     *
+     * @operationId resetUserPendingEmail
+     *
+     * @throws AuthorizationException Thrown when the authenticated user does not match the user whose email is pending verification.
+     */
+    public function resetPendingEmail(User $user): JsonResponse
+    {
+        if ($user->getKey() !== $this->user()->getKey()) {
+            throw new AuthorizationException;
+        }
+
+        $user->pending_email = null;
+        $user->save();
+
+        return response()->json(null, 204);
+    }
+
+    /**
+     * Resend the pending email update verification email.
+     *
+     * This endpoint is independent of the organization.
+     *
+     * @operationId resendUserEmailVerification
+     *
+     * @throws AuthorizationException Thrown when the authenticated user does not match the user whose email is pending verification.
+     * @throws UserResendEmailVerificationNoPendingEmailApiException Thrown when the user does not have a pending email to verify.
+     */
+    public function resendEmailVerification(User $user): JsonResponse
+    {
+        if ($user->getKey() !== $this->user()->getKey()) {
+            throw new AuthorizationException;
+        }
+
+        if ($user->pending_email === null) {
+            throw new UserResendEmailVerificationNoPendingEmailApiException;
+        }
+
+        Mail::to($user->pending_email)
+            ->queue(new VerifyUpdatedEmailMail($user, $user->pending_email));
+
+        return response()->json(null, 204);
+    }
+
+    /**
+     * Handles the deletion of a user.
+     *
+     * This endpoint is independent of the organization.
+     *
+     * @operationId deleteUser
+     *
+     * @param  User  $user  The user instance to be deleted.
+     * @param  DeletionService  $deletionService  The service responsible for performing the user deletion.
+     * @return JsonResponse A JSON response with a 204 No Content status upon successful deletion.
+     *
+     * @throws AuthorizationException Thrown when the authenticated user does not match the user to be deleted.
+     * @throws CanNotDeleteUserWhoIsOwnerOfOrganizationWithMultipleMembers Thrown when the user to be deleted is the owner of an organization with multiple members.
+     */
+    public function destroy(User $user, DeletionService $deletionService): JsonResponse
+    {
+        if ($user->getKey() !== $this->user()->getKey()) {
+            throw new AuthorizationException;
+        }
+
+        $deletionService->deleteUser($user);
+
+        return response()->json(null, 204);
+    }
 }

app/Http/Controllers/Api/V1/UserMembershipController.php

@@ -14,7 +14,7 @@ class UserMembershipController extends Controller
     /**
      * Get the memberships of the current user
      *
-     * This endpoint is independent of organization.
+     * This endpoint is independent of the organization.
      *
      * @operationId getMyMemberships
      *

app/Http/Controllers/Api/V1/UserTimeEntryController.php

@@ -17,7 +17,7 @@ class UserTimeEntryController extends Controller
     /**
      * Get the active time entry of the current user
      *
-     * This endpoint is independent of organization.
+     * This endpoint is independent of the organization.
      *
      * @operationId getMyActiveTimeEntry
      */

app/Http/Controllers/Controller.php

@@ -43,7 +43,10 @@ class Controller extends BaseController
         /** @var Member|null $member */
         $member = Member::query()->whereBelongsTo($organization, 'organization')->whereBelongsTo($user, 'user')->first();
         if ($member === null) {
-            Log::error('This function should only be called in authenticated context after checking the user is a member of the organization');
+            Log::error('This function should only be called in authenticated context after checking the user is a member of the organization', [
+                'user' => $user->getKey(),
+                'organization' => $organization->getKey(),
+            ]);
             throw new AuthorizationException;
         }
 
@@ -56,7 +59,7 @@ class Controller extends BaseController
     protected function currentOrganization(): Organization
     {
         $user = $this->user();
-        $organization = $user->currentTeam;
+        $organization = $user->currentOrganization;
         if ($organization === null) {
             $organization = $user->organizations()->first();
         }

app/Http/Controllers/Web/Controller.php

@@ -4,4 +4,21 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Web;
 
-abstract class Controller extends \App\Http\Controllers\Controller {}
+use App\Models\Organization;
+use App\Service\PermissionStore;
+use Illuminate\Auth\Access\AuthorizationException;
+
+abstract class Controller extends \App\Http\Controllers\Controller
+{
+    public function __construct(
+        protected PermissionStore $permissionStore,
+    ) {}
+
+    /**
+     * @throws AuthorizationException
+     */
+    protected function hasPermission(Organization $organization, string $permission): bool
+    {
+        return $this->permissionStore->has($organization, $permission);
+    }
+}

app/Http/Controllers/Web/DashboardController.php

@@ -4,30 +4,13 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Web;
 
-use App\Enums\Role;
-use App\Service\DashboardService;
-use App\Service\PermissionStore;
-use Illuminate\Auth\Access\AuthorizationException;
 use Inertia\Inertia;
 use Inertia\Response;
 
 class DashboardController extends Controller
 {
-    /**
-     * @throws AuthorizationException
-     */
-    public function dashboard(DashboardService $dashboardService, PermissionStore $permissionStore): Response
+    public function dashboard(): Response
     {
-        $user = $this->user();
-        $organization = $this->currentOrganization();
-
-        $latestTeamActivity = null;
-        if ($permissionStore->has($organization, 'time-entries:view:all')) {
-            $latestTeamActivity = $dashboardService->latestTeamActivity($organization);
-        }
-
-        $showBillableRate = $this->member($organization)->role !== Role::Employee->value || $organization->employees_can_see_billable_rates;
-
         return Inertia::render('Dashboard');
     }
 }

app/Http/Controllers/Web/OrganizationController.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use App\Models\Organization;
+use Brick\Money\Currency;
+use Brick\Money\ISOCurrencyProvider;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Str;
+use Inertia\Inertia;
+use Inertia\Response;
+
+class OrganizationController extends Controller
+{
+    /**
+     * Show the team creation screen.
+     */
+    public function create(Request $request): Response
+    {
+        return Inertia::render('Teams/Create');
+    }
+
+    /**
+     * Show the organizatio details screen.
+     *
+     * @param  string  $organizationId  The organization ID
+     */
+    public function show(string $organizationId): Response|RedirectResponse
+    {
+        $organization = Str::isUuid($organizationId) ? Organization::find($organizationId) : null;
+        if ($organization === null) {
+            return redirect()->route('dashboard');
+        }
+        if (! $this->hasPermission($organization, 'organizations:view')) {
+            return redirect()->route('dashboard');
+        }
+
+        $owner = $organization->owner;
+
+        return Inertia::render('Teams/Show', [
+            'team' => [
+                'id' => $organization->getKey(),
+                'name' => $organization->name,
+                'currency' => $organization->currency,
+                'owner' => [
+                    'id' => $owner->getKey(),
+                    'name' => $owner->name,
+                    'profile_photo_url' => $owner->profile_photo_url,
+                ],
+            ],
+            'currencies' => array_map(function (Currency $currency): string {
+                return $currency->getName();
+            }, ISOCurrencyProvider::getInstance()->getAvailableCurrencies()),
+            'permissions' => [
+                'canDeleteTeam' => $this->hasPermission($organization, 'organizations:delete'),
+                'canUpdateTeam' => $this->hasPermission($organization, 'organizations:update'),
+            ],
+        ]);
+    }
+}

app/Http/Controllers/Web/OrganizationInvitationController.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use App\Enums\Role;
+use App\Models\OrganizationInvitation;
+use App\Models\User;
+use App\Service\MemberService;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Support\Facades\Auth;
+use RuntimeException;
+
+class OrganizationInvitationController extends Controller
+{
+    public function accept(OrganizationInvitation $invitation, MemberService $memberService): RedirectResponse
+    {
+        $email = strtolower($invitation->email);
+        $role = Role::tryFrom($invitation->role);
+        if ($role === null || $role === Role::Owner || $role === Role::Placeholder) {
+            throw new RuntimeException('Invalid role');
+        }
+
+        $organization = $invitation->organization;
+        $invitee = User::query()
+            ->where('email', $email)
+            ->where('is_placeholder', '=', false)
+            ->first();
+
+        // No account yet — finish on registration.
+        if ($invitee === null) {
+            if ($invitation->accepted_at === null) {
+                $invitation->accepted_at = now();
+                $invitation->save();
+            }
+
+            return redirect(route('register'))
+                ->with('bannerText', __('Please create an account to finish joining the :organization organization.', [
+                    'organization' => $organization->name,
+                ]))
+                ->with('bannerStyle', 'info');
+        }
+
+        $alreadyMember = $memberService->isEmailAlreadyMember($organization, $email);
+        if (! $alreadyMember) {
+            $memberService->addMember($invitee, $organization, $role);
+            $invitation->delete();
+        }
+
+        // Logged out — banner on /login.
+        if (! Auth::check()) {
+            return redirect(route('login'))
+                ->with('bannerText', __('Great! You have accepted the invitation to join the :organization organization. Please log in to access it.', [
+                    'organization' => $organization->name,
+                ]))
+                ->with('bannerStyle', 'success');
+        }
+
+        // Logged in — banner on /dashboard.
+        if ($alreadyMember) {
+            return redirect(route('dashboard'))
+                ->with('bannerText', __('You are already a member of the :organization organization.', [
+                    'organization' => $organization->name,
+                ]))
+                ->with('bannerStyle', 'danger');
+        }
+
+        return redirect(route('dashboard'))
+            ->with('bannerText', __('Great! You have accepted the invitation to join the :organization organization.', [
+                'organization' => $organization->name,
+            ]))
+            ->with('bannerStyle', 'success');
+    }
+}

app/Http/Controllers/Web/UserController.php

@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use App\Models\User;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Str;
+
+class UserController extends Controller
+{
+    public function verifyEmailChange(Request $request, User $user): RedirectResponse
+    {
+        if ($request->user()?->getAuthIdentifier() !== $user->getKey()) {
+            abort(403);
+        }
+
+        $email = $request->query('email');
+        if (! is_string($email)) {
+            abort(403);
+        }
+
+        $email = Str::lower($email);
+
+        if ($user->pending_email !== $email) {
+            abort(403);
+        }
+
+        $emailAlreadyInUse = User::query()
+            ->where('email', '=', $email)
+            ->where('is_placeholder', '=', false)
+            ->whereKeyNot($user->getKey())
+            ->exists();
+
+        if ($emailAlreadyInUse) {
+            return redirect(route('dashboard'))
+                ->with('bannerStyle', 'danger')
+                ->with('bannerText', __('The email address is already in use.'));
+        }
+
+        $user->email = $email;
+        $user->pending_email = null;
+        $user->email_verified_at = Carbon::now();
+        $user->save();
+
+        return redirect(route('dashboard'))
+            ->with('bannerStyle', 'success')
+            ->with('bannerText', __('Your email address has been updated successfully.'));
+    }
+}

app/Http/Controllers/Web/UserProfileController.php

@@ -0,0 +1,142 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use App\Enums\Weekday;
+use App\Service\Dto\UserAgentDto;
+use App\Service\TimezoneService;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\DB;
+use Inertia\Inertia;
+use Inertia\Response;
+use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;
+use Laravel\Fortify\Features;
+
+class UserProfileController extends Controller
+{
+    /**
+     * Validate the two-factor authentication state for the request.
+     */
+    protected function validateTwoFactorAuthenticationState(Request $request): void
+    {
+        if (! Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm')) {
+            return;
+        }
+
+        $currentTime = time();
+
+        // Notate totally disabled state in session...
+        if ($this->twoFactorAuthenticationDisabled($request)) {
+            $request->session()->put('two_factor_empty_at', $currentTime);
+        }
+
+        // If was previously totally disabled this session but is now confirming, notate time...
+        if ($this->hasJustBegunConfirmingTwoFactorAuthentication($request)) {
+            $request->session()->put('two_factor_confirming_at', $currentTime);
+        }
+
+        // If the profile is reloaded and is not confirmed but was previously in confirming state, disable...
+        if ($this->neverFinishedConfirmingTwoFactorAuthentication($request, $currentTime)) {
+            app(DisableTwoFactorAuthentication::class)(Auth::user());
+
+            $request->session()->put('two_factor_empty_at', $currentTime);
+            $request->session()->remove('two_factor_confirming_at');
+        }
+    }
+
+    /**
+     * Determine if two-factor authentication is totally disabled.
+     *
+     * @return bool
+     */
+    protected function twoFactorAuthenticationDisabled(Request $request)
+    {
+        return is_null($request->user()->two_factor_secret) &&
+            is_null($request->user()->two_factor_confirmed_at);
+    }
+
+    /**
+     * Determine if two-factor authentication is just now being confirmed within the last request cycle.
+     *
+     * @return bool
+     */
+    protected function hasJustBegunConfirmingTwoFactorAuthentication(Request $request)
+    {
+        return ! is_null($request->user()->two_factor_secret) &&
+            is_null($request->user()->two_factor_confirmed_at) &&
+            $request->session()->has('two_factor_empty_at') &&
+            is_null($request->session()->get('two_factor_confirming_at'));
+    }
+
+    /**
+     * Determine if two-factor authentication was never totally confirmed once confirmation started.
+     *
+     * @return bool
+     */
+    protected function neverFinishedConfirmingTwoFactorAuthentication(Request $request, int $currentTime)
+    {
+        return ! array_key_exists('code', $request->session()->getOldInput()) &&
+            is_null($request->user()->two_factor_confirmed_at) &&
+            $request->session()->get('two_factor_confirming_at', 0) !== $currentTime;
+    }
+
+    /**
+     * Show the general profile settings screen.
+     */
+    public function show(Request $request): Response
+    {
+        $this->validateTwoFactorAuthenticationState($request);
+
+        return Inertia::render('Profile/Show', [
+            'timezones' => app(TimezoneService::class)->getSelectOptions(),
+            'weekdays' => Weekday::toSelectArray(),
+            'confirmsTwoFactorAuthentication' => Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm'),
+            'sessions' => $this->sessions($request),
+        ]);
+    }
+
+    /**
+     * Get the current sessions.
+     *
+     * @return array<int, object{agent: array{is_desktop: bool, platform: string|null, browser: string|null}, ip_address: string, is_current_device: bool, last_active: string}&\stdClass>
+     */
+    public function sessions(Request $request): array
+    {
+        if (config('session.driver') !== 'database') {
+            return [];
+        }
+
+        return collect(
+            DB::connection(config('session.connection'))->table(config('session.table', 'sessions'))
+                ->where('user_id', $request->user()->getAuthIdentifier())
+                ->orderBy('last_activity', 'desc')
+                ->get()
+        )->map(function (object $session) use ($request): object {
+            $agent = $this->createAgent(is_string($session->user_agent) ? $session->user_agent : '');
+
+            return (object) [
+                'agent' => [
+                    'is_desktop' => $agent->isDesktop(),
+                    'platform' => $agent->platform(),
+                    'browser' => $agent->browser(),
+                ],
+                'ip_address' => is_string($session->ip_address) ? $session->ip_address : '',
+                'is_current_device' => $session->id === $request->session()->getId(),
+                'last_active' => Carbon::createFromTimestamp($session->last_activity)->diffForHumans(),
+            ];
+        })->all();
+    }
+
+    /**
+     * Create a new agent instance from the given session.
+     */
+    protected function createAgent(string $userAgent): UserAgentDto
+    {
+        return tap(new UserAgentDto, fn ($agent) => $agent->setUserAgent($userAgent));
+    }
+}

app/Http/Kernel.php

@@ -4,9 +4,37 @@ declare(strict_types=1);
 
 namespace App\Http;
 
+use App\Http\Middleware\Authenticate;
 use App\Http\Middleware\CheckOrganizationBlocked;
+use App\Http\Middleware\EncryptCookies;
+use App\Http\Middleware\EnsureEmailIsVerified;
+use App\Http\Middleware\ForceHttps;
 use App\Http\Middleware\ForceJsonResponse;
+use App\Http\Middleware\HandleInertiaRequests;
+use App\Http\Middleware\PreventRequestsDuringMaintenance;
+use App\Http\Middleware\RedirectIfAuthenticated;
+use App\Http\Middleware\ShareInertiaData;
+use App\Http\Middleware\TrimStrings;
+use App\Http\Middleware\TrustProxies;
+use App\Http\Middleware\ValidateSignature;
+use App\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
+use Illuminate\Auth\Middleware\Authorize;
+use Illuminate\Auth\Middleware\RequirePassword;
+use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
+use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
+use Illuminate\Foundation\Http\Middleware\HandlePrecognitiveRequests;
+use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
+use Illuminate\Http\Middleware\AddLinkHeadersForPreloadedAssets;
+use Illuminate\Http\Middleware\HandleCors;
+use Illuminate\Http\Middleware\SetCacheHeaders;
+use Illuminate\Routing\Middleware\SubstituteBindings;
+use Illuminate\Routing\Middleware\ThrottleRequests;
+use Illuminate\Session\Middleware\AuthenticateSession;
+use Illuminate\Session\Middleware\StartSession;
+use Illuminate\View\Middleware\ShareErrorsFromSession;
+use Laravel\Passport\Http\Middleware\CreateFreshApiToken;
 
 class Kernel extends HttpKernel
 {
@@ -18,13 +46,13 @@ class Kernel extends HttpKernel
      * @var array<int, class-string|string>
      */
     protected $middleware = [
-        \App\Http\Middleware\ForceHttps::class,
-        \App\Http\Middleware\TrustProxies::class,
-        \Illuminate\Http\Middleware\HandleCors::class,
-        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
-        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
-        \App\Http\Middleware\TrimStrings::class,
-        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+        ForceHttps::class,
+        TrustProxies::class,
+        HandleCors::class,
+        PreventRequestsDuringMaintenance::class,
+        ValidatePostSize::class,
+        TrimStrings::class,
+        ConvertEmptyStringsToNull::class,
     ];
 
     /**
@@ -34,21 +62,21 @@ class Kernel extends HttpKernel
      */
     protected $middlewareGroups = [
         'web' => [
-            \App\Http\Middleware\EncryptCookies::class,
-            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
-            \Illuminate\Session\Middleware\StartSession::class,
-            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
-            \App\Http\Middleware\VerifyCsrfToken::class,
-            \Illuminate\Routing\Middleware\SubstituteBindings::class,
-            \App\Http\Middleware\HandleInertiaRequests::class,
-            \App\Http\Middleware\ShareInertiaData::class,
-            \Illuminate\Http\Middleware\AddLinkHeadersForPreloadedAssets::class,
-            \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
+            EncryptCookies::class,
+            AddQueuedCookiesToResponse::class,
+            StartSession::class,
+            ShareErrorsFromSession::class,
+            VerifyCsrfToken::class,
+            SubstituteBindings::class,
+            HandleInertiaRequests::class,
+            ShareInertiaData::class,
+            AddLinkHeadersForPreloadedAssets::class,
+            CreateFreshApiToken::class,
         ],
 
         'api' => [
-            \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
-            \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            ThrottleRequests::class.':api',
+            SubstituteBindings::class,
             ForceJsonResponse::class,
         ],
 
@@ -64,17 +92,17 @@ class Kernel extends HttpKernel
      * @var array<string, class-string|string>
      */
     protected $middlewareAliases = [
-        'auth' => \App\Http\Middleware\Authenticate::class,
-        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
-        'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
-        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
-        'can' => \Illuminate\Auth\Middleware\Authorize::class,
-        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
-        'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
-        'precognitive' => \Illuminate\Foundation\Http\Middleware\HandlePrecognitiveRequests::class,
-        'signed' => \App\Http\Middleware\ValidateSignature::class,
-        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
-        'verified' => \App\Http\Middleware\EnsureEmailIsVerified::class,
+        'auth' => Authenticate::class,
+        'auth.basic' => AuthenticateWithBasicAuth::class,
+        'auth.session' => AuthenticateSession::class,
+        'cache.headers' => SetCacheHeaders::class,
+        'can' => Authorize::class,
+        'guest' => RedirectIfAuthenticated::class,
+        'password.confirm' => RequirePassword::class,
+        'precognitive' => HandlePrecognitiveRequests::class,
+        'signed' => ValidateSignature::class,
+        'throttle' => ThrottleRequests::class,
+        'verified' => EnsureEmailIsVerified::class,
         'check-organization-blocked' => CheckOrganizationBlocked::class,
     ];
 }

app/Http/Middleware/EnsureEmailIsVerified.php

@@ -5,7 +5,6 @@ declare(strict_types=1);
 namespace App\Http\Middleware;
 
 use Closure;
-use Illuminate\Contracts\Auth\MustVerifyEmail;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\URL;
@@ -20,8 +19,7 @@ class EnsureEmailIsVerified
     {
         if (! app()->isLocal()) {
             if ($request->user() === null ||
-                ($request->user() instanceof MustVerifyEmail &&
-                    ! $request->user()->hasVerifiedEmail())) {
+                (! $request->user()->hasVerifiedEmail())) {
                 return $request->expectsJson()
                     ? abort(403, 'Your email address is not verified.')
                     : Redirect::guest(URL::route($redirectToRoute ?: 'verification.notice'));

app/Http/Middleware/ForceHttps.php

@@ -14,7 +14,7 @@ class ForceHttps
     /**
      * Handle an incoming request.
      *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     * @param  Closure(Request): (Response)  $next
      */
     public function handle(Request $request, Closure $next, string ...$guards): Response
     {

app/Http/Middleware/ForceJsonResponse.php

@@ -13,7 +13,7 @@ class ForceJsonResponse
     /**
      * Handle an incoming request.
      *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     * @param  Closure(Request): (Response)  $next
      */
     public function handle(Request $request, Closure $next, string ...$guards): Response
     {

app/Http/Middleware/HandleInertiaRequests.php

@@ -40,15 +40,19 @@ class HandleInertiaRequests extends Middleware
     public function share(Request $request): array
     {
         $hasBilling = Module::has('Billing') && Module::isEnabled('Billing');
+        $hasInvoicing = Module::has('Invoicing') && Module::isEnabled('Invoicing');
+        $hasServices = Module::has('Services') && Module::isEnabled('Services');
 
         /** @var BillingContract $billing */
         $billing = app(BillingContract::class);
 
-        $currentOrganization = $request->user()?->currentTeam;
+        $currentOrganization = $request->user()?->currentOrganization;
 
         return array_merge(parent::share($request), [
             'has_billing_extension' => $hasBilling,
-            'billing' => $billing !== null && $currentOrganization !== null ? [
+            'has_invoicing_extension' => $hasInvoicing,
+            'has_services_extension' => $hasServices,
+            'billing' => $currentOrganization !== null ? [
                 'has_subscription' => $billing->hasSubscription($currentOrganization),
                 'has_trial' => $billing->hasTrial($currentOrganization),
                 'trial_until' => $billing->getTrialUntil($currentOrganization)?->toIso8601ZuluString(),
@@ -56,6 +60,8 @@ class HandleInertiaRequests extends Middleware
             ] : null,
             'flash' => [
                 'message' => fn () => $request->session()->get('message'),
+                'bannerText' => fn () => $request->session()->get('bannerText'),
+                'bannerStyle' => fn () => $request->session()->get('bannerStyle'),
             ],
         ]);
     }

app/Http/Middleware/RedirectIfAuthenticated.php

@@ -15,7 +15,7 @@ class RedirectIfAuthenticated
     /**
      * Handle an incoming request.
      *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     * @param  Closure(Request): (Response)  $next
      */
     public function handle(Request $request, Closure $next, string ...$guards): Response
     {

app/Http/Middleware/ShareInertiaData.php

@@ -9,12 +9,10 @@ use App\Models\User;
 use App\Service\PermissionStore;
 use Closure;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Session;
 use Illuminate\Support\MessageBag;
 use Inertia\Inertia;
 use Laravel\Fortify\Features;
-use Laravel\Jetstream\Jetstream;
 use Symfony\Component\HttpFoundation\Response;
 
 class ShareInertiaData
@@ -26,29 +24,9 @@ class ShareInertiaData
     {
         /** @var PermissionStore $permissions */
         $permissions = app(PermissionStore::class);
-        Inertia::share(array_filter([
-            'jetstream' => function () use ($request) {
-                /** @var User|null $user */
-                $user = $request->user();
-
-                return [
-                    'canCreateTeams' => $user !== null &&
-                        Jetstream::userHasTeamFeatures($user) &&
-                        Gate::forUser($user)->check('create', Jetstream::newTeamModel()),
-                    'canManageTwoFactorAuthentication' => Features::canManageTwoFactorAuthentication(),
-                    'canUpdatePassword' => Features::enabled(Features::updatePasswords()),
-                    'canUpdateProfileInformation' => Features::canUpdateProfileInformation(),
-                    'hasEmailVerification' => Features::enabled(Features::emailVerification()),
-                    'flash' => $request->session()->get('flash', []),
-                    'hasAccountDeletionFeatures' => Jetstream::hasAccountDeletionFeatures(),
-                    'hasApiFeatures' => Jetstream::hasApiFeatures(),
-                    'hasTeamFeatures' => Jetstream::hasTeamFeatures(),
-                    'hasTermsAndPrivacyPolicyFeature' => Jetstream::hasTermsAndPrivacyPolicyFeature(),
-                    'managesProfilePhotos' => Jetstream::managesProfilePhotos(),
-                ];
-            },
+        Inertia::share([
             'auth' => [
-                'permissions' => $request->user() !== null && $request->user()->currentTeam !== null ? $permissions->getPermissions($request->user()->currentTeam) : [],
+                'permissions' => $request->user() !== null && $request->user()->currentOrganization !== null ? $permissions->getPermissions($request->user()->currentOrganization) : [],
                 'user' => function () use ($request): array {
                     /** @var User|null $user */
                     $user = $request->user();
@@ -57,6 +35,8 @@ class ShareInertiaData
                         return [];
                     }
 
+                    $currentOrganization = $user->currentOrganization;
+
                     return array_merge([
                         'id' => $user->id,
                         'name' => $user->name,
@@ -69,12 +49,12 @@ class ShareInertiaData
                         'profile_photo_url' => $user->profile_photo_url,
                         'two_factor_enabled' => Features::enabled(Features::twoFactorAuthentication())
                             && ! is_null($user->two_factor_secret),
-                        'current_team' => $user->currentTeam !== null ? [
-                            'id' => $user->currentTeam->id,
-                            'user_id' => $user->currentTeam->user_id,
-                            'name' => $user->currentTeam->name,
-                            'personal_team' => $user->currentTeam->personal_team,
-                            'currency' => $user->currentTeam->currency,
+                        'current_team' => $currentOrganization !== null ? [
+                            'id' => $currentOrganization->id,
+                            'user_id' => $currentOrganization->user_id,
+                            'name' => $currentOrganization->name,
+                            'personal_team' => $currentOrganization->personal_team,
+                            'currency' => $currentOrganization->currency,
                         ] : null,
                     ], array_filter([
                         'all_teams' => $user->organizations->map(function (Organization $organization): array {
@@ -101,7 +81,7 @@ class ShareInertiaData
                     return [$key => $bag->messages()];
                 })->all();
             },
-        ]));
+        ]);
 
         return $next($request);
     }