From 6e4eb625538283629b3fa67128ef828b9ecc5bea Mon Sep 17 00:00:00 2001
From: jeremy bayse <jeremy.bayse@gmail.com>
Date: Tue, 14 Apr 2026 19:51:06 +0200
Subject: [PATCH] fix: bypass tenant scope in AttemptController::destroy - null
 quiz title caused 500 when admin deletes attempt

---
 app/Http/Controllers/AttemptController.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/AttemptController.php b/app/Http/Controllers/AttemptController.php
index 27bcef6..9bc8d59 100644
--- a/app/Http/Controllers/AttemptController.php
+++ b/app/Http/Controllers/AttemptController.php
@@ -19,7 +19,9 @@ class AttemptController extends Controller
         $this->authorizeAdmin();
 
         $candidateName = $attempt->candidate->user->name;
-        $quizTitle = $attempt->quiz->title;
+        // Bypass tenant scope: admin may delete attempts for cross-tenant quizzes
+        $quiz = Quiz::withoutGlobalScopes()->find($attempt->quiz_id);
+        $quizTitle = $quiz?->title ?? "Quiz #{$attempt->quiz_id}";
 
         DB::transaction(function () use ($attempt, $candidateName, $quizTitle) {
             // Log the action