From 94205164edd739c5ee86206f4bf76a96edb1b004 Mon Sep 17 00:00:00 2001
From: "bert.hausmans"
Date: Fri, 8 May 2026 03:00:40 +0200
Subject: [PATCH] docs(backlog): TECH-CHANNEL-AUTH-ORG-ADMIN — extend submission.{id} channel auth to org admins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WS-6 v1.3-delta D2 ships the broadcast channel auth callback in routes/channels.php with submitter-only scope. Org-admin access is deferred because the codebase has no vetted Spatie Permission helper for organisation-scoped role checks; guessing the API would risk incorrect authorisation without test coverage.

Tracking entry under "Technische schuld", referenced from the inline TODO in routes/channels.php and the v1.3-delta D2 PR description.

Co-Authored-By: Claude Opus 4.7
---
 dev-docs/BACKLOG.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/dev-docs/BACKLOG.md b/dev-docs/BACKLOG.md
index 00506071..526fa9df 100644
--- a/dev-docs/BACKLOG.md
+++ b/dev-docs/BACKLOG.md
@@ -1003,6 +1003,22 @@ ARCH-discussie en RFC. --- +### TECH-CHANNEL-AUTH-ORG-ADMIN — Extend `submission.{id}` private channel auth to organisation admins + +**Aanleiding:** WS-6 v1.3-delta D2 wires the broadcast event `FormSubmissionIdentityMatchResolved` (RFC-WS-6 §Q1 v1.3 addition 2) on the `submission.{id}` private channel. The auth callback in `routes/channels.php` currently authorises only the submitter (`submitted_by_user_id === user.id`). Org-admin access was deferred because the codebase does not yet have a vetted Spatie Permission helper for organisation-scoped role checks (e.g. `hasRoleInOrganisation('organizer_admin', $orgId)`); guessing the API would risk authorising too broadly or too narrowly without test coverage. Phase A audit confirmed no precedent for this check pattern in `app/`. + +**Wat:** +- Audit Spatie Permission usage across the codebase to identify (or design) the canonical "is X a role-holder in organisation Y" helper. Likely candidates: extension method on `User`, query scope on `Organisation::users()` pivot, or a dedicated Policy method. +- Extend `routes/channels.php`'s `submission.{submissionId}` callback to additionally authorise organisation admins of the submission's organisation. Replace the inline TODO with the resolved helper. +- Add channel authorization tests covering the four cases: submitter (allow), org admin (allow), other org user (deny), anonymous (deny). +- Update RFC-WS-6 §Q1 v1.3 addition 2 reference if the auth contract changes shape; otherwise leave RFC alone. + +**Prioriteit:** Medium — frontend Echo subscription is also out of WS-6 scope, so the channel has no live subscribers yet. When the frontend follow-up ships, org admins are expected to see live updates on submissions in their orgs — that is when this work blocks the user-facing feature. 
+ +**Refs:** `api/routes/channels.php` (TODO marker in submission channel callback), RFC-WS-6 §Q1 v1.3 addition 2, ARCH-BINDINGS §11 (admin failures UI — analogous tenant scope via FK chain). + +--- + ### ~~TECH-02 — scopeForFestival helper op Event model~~ ✅ OPGELOST ---
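Review bot: the test matrix in the third "Wat" bullet is missing the case that most directly guards against the "authorising too broadly" risk named under Aanleiding: a user who holds `organizer_admin` in a different organisation than the submission's organisation (deny). "other org user (deny)" reads as a plain member, so a helper that checks the role without the organisation scope would still pass all four listed cases; suggest adding a fifth case, e.g. "admin of another org (deny)", so the organisation-scoped check is actually exercised. Minor: Aanleiding cites `routes/channels.php` while Refs cites `api/routes/channels.php`; use one path so the TODO marker is findable from the backlog entry.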