feat(form-builder): retry/resolve/dismiss API endpoints + dual-route auth (WS-6)

Two route groups: /api/v1/admin/form-failures (super_admin platform) and /api/v1/organisations/{organisation}/form-failures (org_admin scoped). Same controller, policy authorises via FK chain (RFC V3). Cross-tenant access returns 404 not 403 to prevent enumeration. Resolve takes optional note; Dismiss requires DismissalReasonType enum with conditional note (mandatory for 'other'). Both via FormRequest validation with explicit i18n message keys. Implementation note: Laravel implicit model binding for nested-namespace ULID models doesn't pick up reliably across nested route groups. Using manual resolveFailure() helper that loads withoutGlobalScopes() (so cross-tenant access still reaches the policy, which translates denied → 404 per V3). Policy explicitly checks soft-delete via deleted_at since withoutGlobalScopes bypasses SoftDeletes too. Policy registered explicitly in AppServiceProvider — auto-discovery doesn't reliably resolve App\Models\FormBuilder\* → App\Policies\FormBuilder\*. NOT: admin UI (session 3). Not: public form routes (no API contract notification needed). Refs: RFC-WS-6.md §3 (Q5), §4 (V2, V3) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 15:34:23 +02:00
parent 84d57c5bbc
commit d0e17f2824
9 changed files with 509 additions and 3 deletions
--- a/api/app/Policies/FormBuilder/FormSubmissionActionFailurePolicy.php
+++ b/api/app/Policies/FormBuilder/FormSubmissionActionFailurePolicy.php
@@ -54,11 +54,19 @@ final class FormSubmissionActionFailurePolicy

    private function canAccess(User $user, FormSubmissionActionFailure $failure): bool
    {
-        $failure->loadMissing('submission');
-        $submission = $failure->submission;
+        // Load the submission without global scopes so cross-tenant
+        // resolution works for super_admin and so the policy itself
+        // does the tenant gating (RFC V3 — single source of truth for
+        // tenant resolution, not OrganisationScope).
+        $submission = \App\Models\FormBuilder\FormSubmission::query()
+            ->withoutGlobalScopes()
+            ->find($failure->form_submission_id);
        if ($submission === null) {
            return false; // parent submission deleted
        }
+        if ($submission->deleted_at !== null) {
+            return false; // soft-deleted parent — treat as gone
+        }

        $orgId = (string) $submission->organisation_id;
        if ($orgId === '') {
@@ -71,7 +79,9 @@ final class FormSubmissionActionFailurePolicy

        // Tenant scope: user must be an org_admin in the failure's
        // organisation. RFC V3 — IDOR-class FK-chain enforcement.
-        $organisation = $submission->organisation;
+        $organisation = \App\Models\Organisation::query()
+            ->withoutGlobalScopes()
+            ->find($orgId);
        if (! $organisation instanceof Organisation) {
            return false;
        }