feat: person identity matching with detection, confirmation and audit trail

Implements enterprise-grade identity resolution (detect → suggest → confirm) for Person ↔ User linking. Matches are detected automatically on person creation and user account creation, then surfaced to organisers for explicit confirmation or dismissal. No silent auto-linking. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:50:25 +02:00
parent 239fe57a11
commit 4b182b449a
20 changed files with 1463 additions and 2 deletions
--- a/api/app/Policies/PersonIdentityMatchPolicy.php
+++ b/api/app/Policies/PersonIdentityMatchPolicy.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies;
+
+use App\Models\Organisation;
+use App\Models\PersonIdentityMatch;
+use App\Models\User;
+
+final class PersonIdentityMatchPolicy
+{
+    public function viewAny(User $user, Organisation $organisation): bool
+    {
+        return $user->hasRole('super_admin')
+            || $organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    public function view(User $user, PersonIdentityMatch $match): bool
+    {
+        $match->loadMissing('person.event.organisation');
+        $person = $match->person;
+
+        return $user->hasRole('super_admin')
+            || $person->event->organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    public function confirm(User $user, PersonIdentityMatch $match): bool
+    {
+        return $this->canManageMatch($user, $match);
+    }
+
+    public function dismiss(User $user, PersonIdentityMatch $match): bool
+    {
+        return $this->canManageMatch($user, $match);
+    }
+
+    public function bulkConfirm(User $user, Organisation $organisation): bool
+    {
+        return $user->hasRole('super_admin')
+            || $organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    private function canManageMatch(User $user, PersonIdentityMatch $match): bool
+    {
+        $match->loadMissing('person.event.organisation');
+        $event = $match->person->event;
+
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+
+        $isOrgAdmin = $event->organisation->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+
+        if ($isOrgAdmin) {
+            return true;
+        }
+
+        return $event->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'event_manager')
+            ->exists();
+    }
+}