feat(timetable): add 5 artist-domain policies
ArtistPolicy, ArtistEngagementPolicy, StagePolicy, PerformancePolicy, GenrePolicy. Role-based authorization mirroring PersonPolicy/ShiftPolicy pattern: super_admin bypass, org-membership check via wherePivotIn, event_manager fallback for event-level operations. Each policy carries a class-level docblock mapping the RFC §9 permission strings (events.view_program, events.manage_program, organisations.manage_artists, organisations.manage_settings) to the roles authorised, deferring permission-based authorisation to AUTH-PERMISSIONS-MIGRATION. ArtistPolicy.delete additionally guards on no-active-engagements (D27): blocks soft-delete while any engagement is not Cancelled, Rejected, or Declined. PerformancePolicy.move and StagePolicy.reorder reuse canManageProgram so the move endpoint and stage-reorder share the manage_program permission semantics. Auto-discovered by Laravel 11 (policies live at App\Policies\* matching top-level App\Models\* — no explicit Gate::policy registration needed). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
59
api/app/Policies/GenrePolicy.php
Normal file
59
api/app/Policies/GenrePolicy.php
Normal file
@@ -0,0 +1,59 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Genre;
|
||||
use App\Models\Organisation;
|
||||
use App\Models\User;
|
||||
|
||||
/**
|
||||
* Authorization model — role-based per existing codebase pattern.
|
||||
*
|
||||
* RFC v0.2 §9 permission mapping (deferred to AUTH-PERMISSIONS-MIGRATION
|
||||
* when fine-grained permissions are operationally required):
|
||||
* organisations.manage_settings — org_admin, super_admin
|
||||
* (read-only access — any authenticated organisation member)
|
||||
*/
|
||||
final class GenrePolicy
|
||||
{
|
||||
public function viewAny(User $user, Organisation $organisation): bool
|
||||
{
|
||||
return $user->hasRole('super_admin')
|
||||
|| $organisation->users()->where('user_id', $user->id)->exists();
|
||||
}
|
||||
|
||||
public function view(User $user, Genre $genre): bool
|
||||
{
|
||||
return $user->hasRole('super_admin')
|
||||
|| $genre->organisation->users()->where('user_id', $user->id)->exists();
|
||||
}
|
||||
|
||||
public function create(User $user, Organisation $organisation): bool
|
||||
{
|
||||
return $this->canManageSettings($user, $organisation);
|
||||
}
|
||||
|
||||
public function update(User $user, Genre $genre): bool
|
||||
{
|
||||
return $this->canManageSettings($user, $genre->organisation);
|
||||
}
|
||||
|
||||
public function delete(User $user, Genre $genre): bool
|
||||
{
|
||||
return $this->canManageSettings($user, $genre->organisation);
|
||||
}
|
||||
|
||||
private function canManageSettings(User $user, Organisation $organisation): bool
|
||||
{
|
||||
if ($user->hasRole('super_admin')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return $organisation->users()
|
||||
->where('user_id', $user->id)
|
||||
->wherePivot('role', 'org_admin')
|
||||
->exists();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user