From cff665b9568e88c2c9a314bfd5bcdc030b3f6e97 Mon Sep 17 00:00:00 2001
From: smarcet <smarcet@gmail.com>
Date: Wed, 8 Apr 2026 12:54:12 -0300
Subject: [PATCH 1/2] fix(scopes): add new specific scopes for sponsor extra
 questions endpoints chore(utils): add new helper trait to perform endpoint
 migrations

---
 .gitignore                                    |   1 +
 .../OAuth2SummitSponsorApiController.php      |  11 +-
 app/Security/SummitScopes.php                 |   3 +
 app/Swagger/Security/SponsorOAuth2Schema.php  |   2 +
 .../config/APIEndpointsMigrationHelper.php    | 228 ++++++++++++++++++
 .../config/Version20260408143000.php          | 108 +++++++++
 database/seeders/ApiEndpointsSeeder.php       |  16 +-
 database/seeders/ApiScopesSeeder.php          |  11 +
 routes/api_v1.php                             |   2 +-
 9 files changed, 377 insertions(+), 5 deletions(-)
 create mode 100644 database/migrations/config/APIEndpointsMigrationHelper.php
 create mode 100644 database/migrations/config/Version20260408143000.php

diff --git a/.gitignore b/.gitignore
index 7a9bebdf6..e90b4d509 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ public/apc.php
 .claude/
 .nvmrc
 .codegraph
+docs/
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
index e99e12ba5..ccff868ad 100644
--- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
+++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
@@ -3205,7 +3205,7 @@ public function deleteSocialNetwork($summit_id, $sponsor_id, $social_network_id)
         });
     }
 
-    // Extra Questions
+    // Sponsor Extra Questions
 
     #[OA\Get(
         path: "/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions",
@@ -3219,6 +3219,7 @@ public function deleteSocialNetwork($summit_id, $sponsor_id, $social_network_id)
                 IGroup::Administrators,
                 IGroup::SummitAdministrators,
                 IGroup::Sponsors,
+                IGroup::SponsorExternalUsers,
             ]
         ],
         security: [
@@ -3226,6 +3227,7 @@ public function deleteSocialNetwork($summit_id, $sponsor_id, $social_network_id)
                 'summit_sponsor_oauth2' => [
                     SummitScopes::ReadSummitData,
                     SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3365,6 +3367,7 @@ function ($page, $per_page, $filter, $order, $applyExtraFilters) {
                 'summit_sponsor_oauth2' => [
                     SummitScopes::ReadSummitData,
                     SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3510,6 +3513,7 @@ public function addExtraQuestion($summit_id, $sponsor_id)
                 'summit_sponsor_oauth2' => [
                     SummitScopes::ReadSummitData,
                     SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3600,6 +3604,7 @@ public function getExtraQuestion($summit_id, $sponsor_id, $extra_question_id)
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3695,6 +3700,7 @@ public function updateExtraQuestion($summit_id, $sponsor_id, $extra_question_id)
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3780,6 +3786,7 @@ public function deleteExtraQuestion($summit_id, $sponsor_id, $extra_question_id)
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3879,6 +3886,7 @@ function ($payload, $summit, $sponsor_id,  $question_id) {
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
@@ -3987,6 +3995,7 @@ function ($value_id, $payload, $summit, $sponsor_id,  $extra_question_id) {
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
diff --git a/app/Security/SummitScopes.php b/app/Security/SummitScopes.php
index 75a71ab7d..04b4d21be 100644
--- a/app/Security/SummitScopes.php
+++ b/app/Security/SummitScopes.php
@@ -124,5 +124,8 @@ final class SummitScopes
 
     const WriteSummitsConfirmExternalOrders = SCOPE_BASE_REALM.'/summits/confirm-external-orders';
     const ReadSummitsConfirmExternalOrders = SCOPE_BASE_REALM.'/summits/read-external-orders';
+
+    const WriteSponsorExtraQuestions = SCOPE_BASE_REALM.'/summits/sponsors/extra-questions/write';
+    const ReadSponsorExtraQuestions = SCOPE_BASE_REALM.'/summits/sponsors/extra-questions/read';
 }
 
diff --git a/app/Swagger/Security/SponsorOAuth2Schema.php b/app/Swagger/Security/SponsorOAuth2Schema.php
index 81f880857..5dbf82407 100644
--- a/app/Swagger/Security/SponsorOAuth2Schema.php
+++ b/app/Swagger/Security/SponsorOAuth2Schema.php
@@ -17,6 +17,8 @@
                     SummitScopes::ReadSummitData => 'Read Summit Sponsor Data',
                     SummitScopes::ReadAllSummitData => 'Read All Summit Sponsor Data',
                     SummitScopes::WriteSummitData => 'Write Summit Sponsor Data',
+                    SummitScopes::ReadSponsorExtraQuestions => 'Read Summit Sponsor Extra Questions Data',
+                    SummitScopes::WriteSponsorExtraQuestions => 'Write Summit Sponsor Extra Questions Data',
                 ],
             ),
         ],
diff --git a/database/migrations/config/APIEndpointsMigrationHelper.php b/database/migrations/config/APIEndpointsMigrationHelper.php
new file mode 100644
index 000000000..44ef76e7b
--- /dev/null
+++ b/database/migrations/config/APIEndpointsMigrationHelper.php
@@ -0,0 +1,228 @@
+<?php namespace Database\Migrations\Config;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+/**
+ * Reusable SQL template helpers for config entity manager migrations.
+ *
+ * Provides idempotent INSERT and DELETE templates for api_endpoints, api_scopes,
+ * endpoint_api_scopes, and endpoint_api_authz_groups tables.
+ *
+ * Usage:
+ *   final class VersionXXX extends AbstractMigration
+ *   {
+ *       use APIEndpointsMigrationHelper;
+ *
+ *       public function up(Schema $schema): void
+ *       {
+ *           $this->addSql($this->insertApiScope('summits', $scopeName, $desc, $desc));
+ *           $this->addSql($this->insertEndpointScope('summits', $endpointName, $scopeName));
+ *           $this->addSql($this->insertEndpointAuthzGroup('summits', $endpointName, $groupSlug));
+ *       }
+ *   }
+ */
+trait APIEndpointsMigrationHelper
+{
+    /**
+     * Generate idempotent INSERT for api_endpoints table.
+     *
+     * @param string $apiName       API identifier (e.g., 'summits')
+     * @param string $endpointName  Endpoint identifier (e.g., 'get-sponsor-extra-questions')
+     * @param string $route         Route pattern (e.g., '/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions')
+     * @param string $httpMethod    HTTP method as serialized PHP array (e.g., 'a:1:{i:0;s:3:"GET";}')
+     * @param bool   $active        Whether the endpoint is active (default: true)
+     * @param bool   $allowCors     Whether to allow CORS (default: false)
+     * @param bool   $allowCredentials Whether to allow credentials (default: false)
+     * @return string SQL INSERT statement
+     */
+    protected function insertEndpoint(
+        string $apiName,
+        string $endpointName,
+        string $route,
+        string $httpMethod,
+        bool $active = true,
+        bool $allowCors = false,
+        bool $allowCredentials = false
+    ): string {
+        $activeInt = $active ? 1 : 0;
+        $corsInt = $allowCors ? 1 : 0;
+        $credentialsInt = $allowCredentials ? 1 : 0;
+
+        return <<<SQL
+INSERT INTO api_endpoints (api_id, name, route, http_method, active, allow_cors, allow_credentials, created_at, updated_at)
+SELECT a.id, '{$endpointName}', '{$route}', '{$httpMethod}', {$activeInt}, {$corsInt}, {$credentialsInt}, NOW(), NOW()
+FROM apis a
+WHERE a.name = '{$apiName}'
+  AND NOT EXISTS (SELECT 1 FROM api_endpoints e WHERE e.api_id = a.id AND e.name = '{$endpointName}');
+SQL;
+    }
+
+    /**
+     * Generate DELETE for api_endpoints table.
+     *
+     * @param string $apiName      API identifier
+     * @param string $endpointName Endpoint identifier to delete
+     * @return string SQL DELETE statement
+     */
+    protected function deleteEndpoint(string $apiName, string $endpointName): string
+    {
+        return <<<SQL
+DELETE e FROM api_endpoints e
+INNER JOIN apis a ON a.id = e.api_id
+WHERE a.name = '{$apiName}'
+  AND e.name = '{$endpointName}';
+SQL;
+    }
+
+    /**
+     * Generate idempotent INSERT for api_scopes table.
+     *
+     * @param string $apiName       API identifier (e.g., 'summits', 'resource-server')
+     * @param string $scopeName     Full scope URI (e.g., 'https://example.com/summits/read')
+     * @param string $shortDesc     Short description for the scope
+     * @param string $desc          Full description for the scope
+     * @param bool   $active        Whether the scope is active (default: true)
+     * @param bool   $default       Whether the scope is default (default: false)
+     * @param bool   $system        Whether the scope is a system scope (default: false)
+     * @return string SQL INSERT statement
+     */
+    protected function insertApiScope(
+        string $apiName,
+        string $scopeName,
+        string $shortDesc,
+        string $desc,
+        bool $active = true,
+        bool $default = false,
+        bool $system = false
+    ): string {
+        $activeInt = $active ? 1 : 0;
+        $defaultInt = $default ? 1 : 0;
+        $systemInt = $system ? 1 : 0;
+
+        return <<<SQL
+INSERT INTO api_scopes (api_id, name, short_description, description, active, `default`, `system`, created_at, updated_at)
+SELECT a.id, '{$scopeName}', '{$shortDesc}', '{$desc}', {$activeInt}, {$defaultInt}, {$systemInt}, NOW(), NOW()
+FROM apis a
+WHERE a.name = '{$apiName}'
+  AND NOT EXISTS (SELECT 1 FROM api_scopes s WHERE s.api_id = a.id AND s.name = '{$scopeName}');
+SQL;
+    }
+
+    /**
+     * Generate idempotent INSERT for endpoint_api_scopes table.
+     *
+     * Links an endpoint to a scope by their names.
+     *
+     * @param string $apiName       API identifier (e.g., 'summits')
+     * @param string $endpointName  Endpoint identifier (e.g., 'get-sponsor-extra-questions')
+     * @param string $scopeName     Full scope URI
+     * @return string SQL INSERT statement
+     */
+    protected function insertEndpointScope(string $apiName, string $endpointName, string $scopeName): string
+    {
+        return <<<SQL
+INSERT INTO endpoint_api_scopes (api_endpoint_id, scope_id, created_at, updated_at)
+SELECT e.id, s.id, NOW(), NOW()
+FROM api_endpoints e
+INNER JOIN apis a ON a.id = e.api_id
+INNER JOIN api_scopes s ON s.api_id = a.id
+WHERE a.name = '{$apiName}'
+  AND e.name = '{$endpointName}'
+  AND s.name = '{$scopeName}'
+  AND NOT EXISTS (
+      SELECT 1 FROM endpoint_api_scopes eas
+      WHERE eas.api_endpoint_id = e.id AND eas.scope_id = s.id
+  );
+SQL;
+    }
+
+    /**
+     * Generate idempotent INSERT for endpoint_api_authz_groups table.
+     *
+     * Links an endpoint to an authorization group by slug.
+     *
+     * @param string $apiName       API identifier (e.g., 'summits')
+     * @param string $endpointName  Endpoint identifier
+     * @param string $groupSlug     Group slug (e.g., 'sponsors-external-users')
+     * @return string SQL INSERT statement
+     */
+    protected function insertEndpointAuthzGroup(string $apiName, string $endpointName, string $groupSlug): string
+    {
+        return <<<SQL
+INSERT INTO endpoint_api_authz_groups (api_endpoint_id, group_slug, created_at, updated_at)
+SELECT e.id, '{$groupSlug}', NOW(), NOW()
+FROM api_endpoints e
+INNER JOIN apis a ON a.id = e.api_id
+WHERE a.name = '{$apiName}'
+  AND e.name = '{$endpointName}'
+  AND NOT EXISTS (
+      SELECT 1 FROM endpoint_api_authz_groups eag
+      WHERE eag.api_endpoint_id = e.id AND eag.group_slug = '{$groupSlug}'
+  );
+SQL;
+    }
+
+    /**
+     * Generate DELETE for endpoint_api_authz_groups table.
+     *
+     * @param string $apiName       API identifier
+     * @param string $endpointName  Endpoint identifier
+     * @param string $groupSlug     Group slug to remove
+     * @return string SQL DELETE statement
+     */
+    protected function deleteEndpointAuthzGroup(string $apiName, string $endpointName, string $groupSlug): string
+    {
+        return <<<SQL
+DELETE eag FROM endpoint_api_authz_groups eag
+INNER JOIN api_endpoints e ON e.id = eag.api_endpoint_id
+INNER JOIN apis a ON a.id = e.api_id
+WHERE a.name = '{$apiName}'
+  AND e.name = '{$endpointName}'
+  AND eag.group_slug = '{$groupSlug}';
+SQL;
+    }
+
+    /**
+     * Generate DELETE for endpoint_api_scopes table (all associations for given scopes).
+     *
+     * @param array $scopes List of scope URIs to remove associations for
+     * @return string SQL DELETE statement
+     */
+    protected function deleteScopesEndpoints(array $scopes): string
+    {
+        $scopeList = "'" . implode("', '", $scopes) . "'";
+        return <<<SQL
+DELETE eas FROM endpoint_api_scopes eas
+INNER JOIN api_scopes s ON s.id = eas.scope_id
+WHERE s.name IN ({$scopeList});
+SQL;
+    }
+
+    /**
+     * Generate DELETE for api_scopes table.
+     *
+     * @param string $apiName API identifier
+     * @param array  $scopes  List of scope URIs to delete
+     * @return string SQL DELETE statement
+     */
+    protected function deleteApiScopes(string $apiName, array $scopes): string
+    {
+        $scopeList = "'" . implode("', '", $scopes) . "'";
+        return <<<SQL
+DELETE s FROM api_scopes s
+INNER JOIN apis a ON a.id = s.api_id
+WHERE a.name = '{$apiName}'
+  AND s.name IN ({$scopeList});
+SQL;
+    }
+}
diff --git a/database/migrations/config/Version20260408143000.php b/database/migrations/config/Version20260408143000.php
new file mode 100644
index 000000000..b8d60074b
--- /dev/null
+++ b/database/migrations/config/Version20260408143000.php
@@ -0,0 +1,108 @@
+<?php namespace Database\Migrations\Config;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Doctrine\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+use App\Security\SummitScopes;
+use App\Models\Foundation\Main\IGroup;
+
+/**
+ * Migration to add sponsor extra-questions OAuth2 scopes and endpoint bindings.
+ *
+ * This migration replicates seeder changes from ApiScopesSeeder and ApiEndpointsSeeder,
+ * allowing existing environments to receive the new scopes/bindings without re-running
+ * the full seeder suite.
+ *
+ * Adds:
+ * - 2 api_scopes rows (ReadSponsorExtraQuestions, WriteSponsorExtraQuestions)
+ * - 9 endpoint_api_scopes associations across sponsor-extra-questions endpoints
+ * - 1 endpoint_api_authz_groups row (sponsors-external-users on get-sponsor-extra-questions)
+ *
+ * All INSERTs are idempotent via WHERE NOT EXISTS. down() is local-dev only; do not
+ * run on environments where additional endpoints may have been bound to these scopes.
+ *
+ * IMPORTANT: This migration MUST be committed alongside the SummitScopes.php edit that
+ * introduces ReadSponsorExtraQuestions and WriteSponsorExtraQuestions constants.
+ */
+final class Version20260408143000 extends AbstractMigration
+{
+    use APIEndpointsMigrationHelper;
+
+    private const API_NAME = 'summits';
+
+    public function getDescription(): string
+    {
+        return 'Add sponsor extra-questions scopes and endpoint bindings';
+    }
+
+    /**
+     * @param Schema $schema
+     */
+    public function up(Schema $schema): void
+    {
+        // Resolve class constants at runtime for env-specific scope URIs
+        $readScope = SummitScopes::ReadSponsorExtraQuestions;
+        $writeScope = SummitScopes::WriteSponsorExtraQuestions;
+        $externalGroupSlug = IGroup::SponsorExternalUsers;
+
+        // 1. Insert api_scopes
+        $this->addSql($this->insertApiScope(
+            self::API_NAME,
+            $readScope,
+            'Read Summit Sponsor Extra Questions Data',
+            'Read Summit Sponsor Extra Questions Data'
+        ));
+        $this->addSql($this->insertApiScope(
+            self::API_NAME,
+            $writeScope,
+            'Write Summit Sponsor Extra Questions Data',
+            'Write Summit Sponsor Extra Questions Data'
+        ));
+
+        // 2. Insert endpoint_api_scopes associations
+        $associations = [
+            ['get-sponsor-extra-questions',           $readScope],
+            ['add-sponsor-extra-question',            $writeScope],
+            ['get-sponsor-extra-question',            $readScope],
+            ['update-sponsor-extra-question',         $writeScope],
+            ['delete-sponsor-extra-question',         $writeScope],
+            ['get-sponsor-extra-questions-metadata',  $readScope],
+            ['add-sponsor-extra-question-value',      $writeScope],
+            ['update-sponsor-extra-question-value',   $writeScope],
+            ['delete-sponsor-extra-question-value',   $writeScope],
+        ];
+
+        foreach ($associations as [$endpointName, $scopeName]) {
+            $this->addSql($this->insertEndpointScope(self::API_NAME, $endpointName, $scopeName));
+        }
+
+        // 3. Insert endpoint_api_authz_groups
+        $this->addSql($this->insertEndpointAuthzGroup(self::API_NAME, 'get-sponsor-extra-questions', $externalGroupSlug));
+    }
+
+    /**
+     * @param Schema $schema
+     */
+    public function down(Schema $schema): void
+    {
+        $readScope = SummitScopes::ReadSponsorExtraQuestions;
+        $writeScope = SummitScopes::WriteSponsorExtraQuestions;
+        $externalGroupSlug = IGroup::SponsorExternalUsers;
+
+        // Reverse order: authz groups → endpoint scopes → api scopes
+        $this->addSql($this->deleteEndpointAuthzGroup(self::API_NAME, 'get-sponsor-extra-questions', $externalGroupSlug));
+        $this->addSql($this->deleteScopesEndpoints([$readScope, $writeScope]));
+        $this->addSql($this->deleteApiScopes(self::API_NAME, [$readScope, $writeScope]));
+    }
+}
diff --git a/database/seeders/ApiEndpointsSeeder.php b/database/seeders/ApiEndpointsSeeder.php
index feb38babe..78e1f35f9 100644
--- a/database/seeders/ApiEndpointsSeeder.php
+++ b/database/seeders/ApiEndpointsSeeder.php
@@ -2506,13 +2506,15 @@ private function seedSummitEndpoints()
                 'http_method' => 'GET',
                 'scopes' => [
                     SummitScopes::ReadSummitData,
-                    SummitScopes::ReadAllSummitData
+                    SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
                     IGroup::Administrators,
                     IGroup::SummitAdministrators,
                     IGroup::Sponsors,
+                    IGroup::SponsorExternalUsers,
                 ]
             ],
             [
@@ -2521,6 +2523,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'POST',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2536,7 +2539,8 @@ private function seedSummitEndpoints()
                 'http_method' => 'GET',
                 'scopes' => [
                     SummitScopes::ReadSummitData,
-                    SummitScopes::ReadAllSummitData
+                    SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2552,6 +2556,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'PUT',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2567,6 +2572,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'DELETE',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2582,7 +2588,8 @@ private function seedSummitEndpoints()
                 'http_method' => 'GET',
                 'scopes' => [
                     SummitScopes::ReadSummitData,
-                    SummitScopes::ReadAllSummitData
+                    SummitScopes::ReadAllSummitData,
+                    SummitScopes::ReadSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2598,6 +2605,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'POST',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2613,6 +2621,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'PUT',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
@@ -2628,6 +2637,7 @@ private function seedSummitEndpoints()
                 'http_method' => 'DELETE',
                 'scopes' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ],
                 'authz_groups' => [
                     IGroup::SuperAdmins,
diff --git a/database/seeders/ApiScopesSeeder.php b/database/seeders/ApiScopesSeeder.php
index d6638f6b7..6941e8956 100644
--- a/database/seeders/ApiScopesSeeder.php
+++ b/database/seeders/ApiScopesSeeder.php
@@ -393,7 +393,18 @@ private function seedSummitScopes()
                 'name' => SummitScopes::WriteAttendeeNotesData,
                 'short_description' => 'Write Attendee Notes Data',
                 'description' => 'Grants write access for Attendee Notes Data',
+            ],
+            [
+                'name' => SummitScopes::ReadSponsorExtraQuestions,
+                'short_description' => 'Read Summit Sponsor Extra Questions Data',
+                'description' => 'Read Summit Sponsor Extra Questions Data',
+            ],
+            [
+                'name' => SummitScopes::WriteSponsorExtraQuestions,
+                'short_description' => 'Write Summit Sponsor Extra Questions Data',
+                'description' => 'Write Summit Sponsor Extra Questions Data',
             ]
+
         ];
 
         foreach ($scopes as $scope_info) {
diff --git a/routes/api_v1.php b/routes/api_v1.php
index 6c9d66b20..fa9ba05e7 100644
--- a/routes/api_v1.php
+++ b/routes/api_v1.php
@@ -1297,7 +1297,7 @@
                     });
                 });
 
-                // extra questions
+                // sponsor extra questions
                 Route::group(['prefix' => 'extra-questions'], function () {
                     Route::get('', ['middleware' => 'auth.user', 'uses' => 'OAuth2SummitSponsorApiController@getExtraQuestions']);
                     Route::post('', ['middleware' => 'auth.user', 'uses' => 'OAuth2SummitSponsorApiController@addExtraQuestion']);

From 5424bd5b5420d5d8f43732f345d3fc7fedc1cd84 Mon Sep 17 00:00:00 2001
From: smarcet <smarcet@gmail.com>
Date: Wed, 8 Apr 2026 13:50:37 -0300
Subject: [PATCH 2/2] chore: pr review

---
 .../OAuth2SummitSponsorApiController.php      |  3 ++-
 .../config/APIEndpointsMigrationHelper.php    | 22 ++++++++++++-------
 .../config/Version20260408143000.php          |  2 +-
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
index ccff868ad..5ae4be982 100644
--- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
+++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitSponsorApiController.php
@@ -3209,7 +3209,7 @@ public function deleteSocialNetwork($summit_id, $sponsor_id, $social_network_id)
 
     #[OA\Get(
         path: "/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions",
-        description: "required-groups " . IGroup::SuperAdmins . ", " . IGroup::Administrators . ", " . IGroup::SummitAdministrators . ", " . IGroup::Sponsors,
+        description: "required-groups " . IGroup::SuperAdmins . ", " . IGroup::Administrators . ", " . IGroup::SummitAdministrators . ", " . IGroup::Sponsors . ", " . IGroup::SponsorExternalUsers,
         summary: 'Read Sponsor Extra Questions',
         operationId: 'getSponsorExtraQuestions',
         tags: ['Sponsors'],
@@ -3424,6 +3424,7 @@ public function getMetadata($summit_id)
             [
                 'summit_sponsor_oauth2' => [
                     SummitScopes::WriteSummitData,
+                    SummitScopes::WriteSponsorExtraQuestions,
                 ]
             ]
         ],
diff --git a/database/migrations/config/APIEndpointsMigrationHelper.php b/database/migrations/config/APIEndpointsMigrationHelper.php
index 44ef76e7b..3ded89412 100644
--- a/database/migrations/config/APIEndpointsMigrationHelper.php
+++ b/database/migrations/config/APIEndpointsMigrationHelper.php
@@ -39,10 +39,10 @@ trait APIEndpointsMigrationHelper
      * @param string $apiName       API identifier (e.g., 'summits')
      * @param string $endpointName  Endpoint identifier (e.g., 'get-sponsor-extra-questions')
      * @param string $route         Route pattern (e.g., '/api/v1/summits/{id}/sponsors/{sponsor_id}/extra-questions')
-     * @param string $httpMethod    HTTP method as serialized PHP array (e.g., 'a:1:{i:0;s:3:"GET";}')
+     * @param string $httpMethod    Plain HTTP method string (e.g., 'GET', 'POST', 'PUT', 'DELETE')
      * @param bool   $active        Whether the endpoint is active (default: true)
-     * @param bool   $allowCors     Whether to allow CORS (default: false)
-     * @param bool   $allowCredentials Whether to allow credentials (default: false)
+     * @param bool   $allowCors     Whether to allow CORS (default: true, matches seedApiEndpoints behavior)
+     * @param bool   $allowCredentials Whether to allow credentials (default: true, matches seedApiEndpoints behavior)
      * @return string SQL INSERT statement
      */
     protected function insertEndpoint(
@@ -51,8 +51,8 @@ protected function insertEndpoint(
         string $route,
         string $httpMethod,
         bool $active = true,
-        bool $allowCors = false,
-        bool $allowCredentials = false
+        bool $allowCors = true,
+        bool $allowCredentials = true
     ): string {
         $activeInt = $active ? 1 : 0;
         $corsInt = $allowCors ? 1 : 0;
@@ -195,16 +195,22 @@ protected function deleteEndpointAuthzGroup(string $apiName, string $endpointNam
     /**
      * Generate DELETE for endpoint_api_scopes table (all associations for given scopes).
      *
-     * @param array $scopes List of scope URIs to remove associations for
+     * Constrained by API to prevent removing associations for other APIs that may
+     * reuse the same scope URI (api_scopes.name has no global uniqueness constraint).
+     *
+     * @param string $apiName API identifier (e.g., 'summits')
+     * @param array  $scopes  List of scope URIs to remove associations for
      * @return string SQL DELETE statement
      */
-    protected function deleteScopesEndpoints(array $scopes): string
+    protected function deleteScopesEndpoints(string $apiName, array $scopes): string
     {
         $scopeList = "'" . implode("', '", $scopes) . "'";
         return <<<SQL
 DELETE eas FROM endpoint_api_scopes eas
 INNER JOIN api_scopes s ON s.id = eas.scope_id
-WHERE s.name IN ({$scopeList});
+INNER JOIN apis a ON a.id = s.api_id
+WHERE a.name = '{$apiName}'
+  AND s.name IN ({$scopeList});
 SQL;
     }
 
diff --git a/database/migrations/config/Version20260408143000.php b/database/migrations/config/Version20260408143000.php
index b8d60074b..f343762db 100644
--- a/database/migrations/config/Version20260408143000.php
+++ b/database/migrations/config/Version20260408143000.php
@@ -102,7 +102,7 @@ public function down(Schema $schema): void
 
         // Reverse order: authz groups → endpoint scopes → api scopes
         $this->addSql($this->deleteEndpointAuthzGroup(self::API_NAME, 'get-sponsor-extra-questions', $externalGroupSlug));
-        $this->addSql($this->deleteScopesEndpoints([$readScope, $writeScope]));
+        $this->addSql($this->deleteScopesEndpoints(self::API_NAME, [$readScope, $writeScope]));
         $this->addSql($this->deleteApiScopes(self::API_NAME, [$readScope, $writeScope]));
     }
 }