bert.hausmans
05e44a39ae
ArtistPolicy, ArtistEngagementPolicy, StagePolicy, PerformancePolicy, GenrePolicy. Role-based authorization mirroring PersonPolicy/ShiftPolicy pattern: super_admin bypass, org-membership check via wherePivotIn, event_manager fallback for event-level operations. Each policy carries a class-level docblock mapping the RFC §9 permission strings (events.view_program, events.manage_program, organisations.manage_artists, organisations.manage_settings) to the roles authorised, deferring permission-based authorisation to AUTH-PERMISSIONS-MIGRATION. ArtistPolicy.delete additionally guards on no-active-engagements (D27): blocks soft-delete while any engagement is not Cancelled, Rejected, or Declined. PerformancePolicy.move and StagePolicy.reorder reuse canManageProgram so the move endpoint and stage-reorder share the manage_program permission semantics. Auto-discovered by Laravel 11 (policies live at App\Policies\* matching top-level App\Models\* — no explicit Gate::policy registration needed). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.5 KiB
2.5 KiB