crewli/api/app/Policies/EventPolicy.php

<?php

declare(strict_types=1);

namespace App\Policies;

use App\Models\Event;
use App\Models\Organisation;
use App\Models\User;

final class EventPolicy
{
    public function viewAny(User $user, Organisation $organisation): bool
    {
        return $user->hasRole('super_admin')
            || $organisation->users()->where('user_id', $user->id)->exists();
    }

    public function view(User $user, Event $event, ?Organisation $organisation = null): bool
    {
        if ($organisation && $event->organisation_id !== $organisation->id) {
            return false;
        }

        return $user->hasRole('super_admin')
            || $event->organisation->users()->where('user_id', $user->id)->exists();
    }

    public function create(User $user, Organisation $organisation): bool
    {
        if ($user->hasRole('super_admin')) {
            return true;
        }

        return $organisation->users()
            ->where('user_id', $user->id)
            ->wherePivot('role', 'org_admin')
            ->exists();
    }

    public function update(User $user, Event $event, ?Organisation $organisation = null): bool
    {
        if ($organisation && $event->organisation_id !== $organisation->id) {
            return false;
        }

        if ($user->hasRole('super_admin')) {
            return true;
        }

        // org_admin at organisation level
        $isOrgAdmin = $event->organisation->users()
            ->where('user_id', $user->id)
            ->wherePivot('role', 'org_admin')
            ->exists();

        if ($isOrgAdmin) {
            return true;
        }

        // event_manager at event level
        return $event->users()
            ->where('user_id', $user->id)
            ->wherePivot('role', 'event_manager')
            ->exists();
    }
}