feat(form-builder): add FormSubmissionActionFailurePolicy with FK-chain auth (WS-6)

Tenant scope verified via failure.submission.organisation_id, NOT route binding. Cross-tenant access returns false (controllers in sessions 2/3 will translate to 404 to prevent enumeration). Five abilities: viewAny, view, retry, resolve, dismiss. Laravel 12 auto-discovers App\Policies\FormBuilder\FormSubmissionActionFailurePolicy for App\Models\FormBuilder\FormSubmissionActionFailure — no explicit registration needed (pattern matches the existing FormSubmissionPolicy). IDOR-class security tests included with explicit RFC V3 cross-reference in the test class docblock. Refs: RFC-WS-6.md §4 (V3), ARCH-FORM-BUILDER.md §22.9 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 00:03:21 +02:00
parent 7a747382a0
commit 78a8016e01
2 changed files with 226 additions and 0 deletions
--- a/api/app/Policies/FormBuilder/FormSubmissionActionFailurePolicy.php
+++ b/api/app/Policies/FormBuilder/FormSubmissionActionFailurePolicy.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormSubmissionActionFailure;
+use App\Models\Organisation;
+use App\Models\User;
+
+/**
+ * RFC-WS-6 §4 (V3) — IDOR-class FK-chain enforcement.
+ *
+ * The `form_submission_action_failures` table has no `organisation_id`
+ * column by design. Tenant scope flows via
+ * failure.submission.organisation_id. Cross-tenant access returns
+ * `false` here; controllers (sessions 2/3) translate to 404 to prevent
+ * resource-existence enumeration.
+ */
+final class FormSubmissionActionFailurePolicy
+{
+    public function viewAny(User $user): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+
+        // Org admin in any organisation. Controllers in sessions 2/3
+        // restrict the result set per role.
+        return $user->organisations()
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+    }
+
+    public function view(User $user, FormSubmissionActionFailure $failure): bool
+    {
+        return $this->canAccess($user, $failure);
+    }
+
+    public function retry(User $user, FormSubmissionActionFailure $failure): bool
+    {
+        return $this->canAccess($user, $failure);
+    }
+
+    public function resolve(User $user, FormSubmissionActionFailure $failure): bool
+    {
+        return $this->canAccess($user, $failure);
+    }
+
+    public function dismiss(User $user, FormSubmissionActionFailure $failure): bool
+    {
+        return $this->canAccess($user, $failure);
+    }
+
+    private function canAccess(User $user, FormSubmissionActionFailure $failure): bool
+    {
+        $failure->loadMissing('submission');
+        $submission = $failure->submission;
+        if ($submission === null) {
+            return false; // parent submission deleted
+        }
+
+        $orgId = (string) $submission->organisation_id;
+        if ($orgId === '') {
+            return false;
+        }
+
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+
+        // Tenant scope: user must be an org_admin in the failure's
+        // organisation. RFC V3 — IDOR-class FK-chain enforcement.
+        $organisation = $submission->organisation;
+        if (! $organisation instanceof Organisation) {
+            return false;
+        }
+
+        return $organisation->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+    }
+}