From 479a7e35d1fdc3c12af94b39b42032d5b0957fed Mon Sep 17 00:00:00 2001
From: jeremy bayse <jeremy.bayse@gmail.com>
Date: Tue, 14 Apr 2026 19:24:29 +0200
Subject: [PATCH] fix: bypass tenant scope in AttemptController::show -
 candidates (no tenant_id) were getting 404 on quiz start

---
 app/Http/Controllers/AttemptController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/AttemptController.php b/app/Http/Controllers/AttemptController.php
index 27bcef6..bfae613 100644
--- a/app/Http/Controllers/AttemptController.php
+++ b/app/Http/Controllers/AttemptController.php
@@ -48,8 +48,12 @@ class AttemptController extends Controller
             abort(403);
         }
     }
-    public function show(Quiz $quiz)
+    public function show(int $quizId)
     {
+        // Bypass tenant global scope: candidates have no tenant_id
+        // but should still access their assigned quizzes
+        $quiz = Quiz::withoutGlobalScopes()->findOrFail($quizId);
+
         $candidate = auth()->user()->candidate;
 
         if (!$candidate) {