refactor(form-builder): consolidate subject-type allow-list into purpose registry

Q6 of ARCH-CONSOLIDATION-ADDENDUM-2026-04-24: the allowed `form_submissions.subject_type` values are now derived from `PurposeRegistry::allSubjectTypes()` instead of the parallel `config/form_subjects.php` file. - CreateFormSubmissionRequest validates `subject_type` against the registry via constructor-injected PurposeRegistry. - FormSubmissionController and FormValueService resolve the subject FQCN through `Relation::getMorphedModel()` — the morph-map is the single source of truth for alias → model mapping. - `config/form_subjects.php` is deleted. `MorphMapAlignmentTest` keeps the registry and morph-map aligned going forward. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 14:35:48 +02:00
parent b9343f6eec
commit ab67ed46ca
4 changed files with 13 additions and 61 deletions
--- a/api/app/Http/Controllers/Api/V1/FormBuilder/FormSubmissionController.php
+++ b/api/app/Http/Controllers/Api/V1/FormBuilder/FormSubmissionController.php
@@ -14,6 +14,7 @@ use App\Models\FormBuilder\FormSubmission;
 use App\Models\Organisation;
 use App\Services\FormBuilder\FormSubmissionService;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
 use Illuminate\Support\Facades\Gate;
@@ -103,9 +104,8 @@ final class FormSubmissionController extends Controller
        if ($type === '' || $id === '') {
            return null;
        }
-        $map = (array) config('form_subjects');
-        $class = $map[$type]['model'] ?? null;
-        if ($class === null) {
+        $class = Relation::getMorphedModel($type);
+        if ($class === null || ! class_exists($class)) {
            return null;
        }

--- a/api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php
@@ -4,11 +4,18 @@ declare(strict_types=1);

 namespace App\Http\Requests\Api\V1\FormBuilder;

+use App\FormBuilder\Purposes\PurposeRegistry;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;

 final class CreateFormSubmissionRequest extends FormRequest
 {
+    public function __construct(
+        private readonly PurposeRegistry $purposeRegistry,
+    ) {
+        parent::__construct();
+    }
+
    public function authorize(): bool
    {
        return true;
@@ -19,10 +26,8 @@ final class CreateFormSubmissionRequest extends FormRequest
     */
    public function rules(): array
    {
-        $allowedSubjects = array_keys((array) config('form_subjects', []));
-
        return [
-            'subject_type' => ['nullable', Rule::in($allowedSubjects)],
+            'subject_type' => ['nullable', Rule::in($this->purposeRegistry->allSubjectTypes())],
            'subject_id' => ['nullable', 'string', 'max:30', 'required_with:subject_type'],
            'idempotency_key' => ['nullable', 'string', 'max:30'],
            'is_test' => ['boolean'],
--- a/api/app/Services/FormBuilder/FormValueService.php
+++ b/api/app/Services/FormBuilder/FormValueService.php
@@ -340,9 +340,8 @@ final class FormValueService
        }

        if ($subjectType === $entity) {
-            $map = config('form_subjects');
-            $model = $map[$entity]['model'] ?? null;
-            if ($model === null) {
+            $model = \Illuminate\Database\Eloquent\Relations\Relation::getMorphedModel($entity);
+            if ($model === null || ! class_exists($model)) {
                return null;
            }

--- a/api/config/form_subjects.php
+++ b/api/config/form_subjects.php
@@ -1,52 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/*
-|--------------------------------------------------------------------------
-| Subject Type Registry
-|--------------------------------------------------------------------------
-|
-| Authoritative list of subject_type values permitted on form_submissions.
-| Must match morph-map keys registered in AppServiceProvider.
-|
-| 'permission_check' format: '<PolicyClass>@<method>' — invoked to authorise
-| access to a submission for this subject. Omit when policy doesn't exist yet.
-|
-*/
-
-return [
-
-    'person' => [
-        'model' => \App\Models\Person::class,
-        'display_attribute' => 'name',
-        'permission_check' => \App\Policies\PersonPolicy::class.'@view',
-    ],
-
-    'user' => [
-        'model' => \App\Models\User::class,
-        'display_attribute' => 'name',
-        // TODO: add permission_check when UserPolicy is built (S2)
-    ],
-
-    'company' => [
-        'model' => \App\Models\Company::class,
-        'display_attribute' => 'name',
-        'permission_check' => \App\Policies\CompanyPolicy::class.'@view',
-    ],
-
-    'organisation' => [
-        'model' => \App\Models\Organisation::class,
-        'display_attribute' => 'name',
-        'permission_check' => \App\Policies\OrganisationPolicy::class.'@view',
-    ],
-
-    'event' => [
-        'model' => \App\Models\Event::class,
-        'display_attribute' => 'name',
-        'permission_check' => \App\Policies\EventPolicy::class.'@view',
-    ],
-
-    // 'artist' entry added when artist module lands
-
-];