withoutGlobalScopes() ->find($submissionId); if ($submission === null) { return false; } // Submitter has access (authenticated session at submit time). if ($submission->submitted_by_user_id === $user->id) { return true; } // super_admin app-wide bypass (Spatie HasRoles, global role). if ($user->hasRole('super_admin')) { return true; } // Org admins of the submission's organisation. Pivot-table check // matching the codebase's canonical pattern (see e.g. // FormSubmissionActionFailurePolicy::canAccess). Spatie teams is // disabled in config/permission.php, so org-scoping lives in the // user_organisation pivot's `role` column, not Spatie. $organisation = Organisation::query() ->withoutGlobalScopes() ->find($submission->organisation_id); if (! $organisation instanceof Organisation) { return false; } return $organisation->users() ->where('user_id', $user->id) ->wherePivot('role', 'org_admin') ->exists(); }, );