crewli/api/app/Policies/PerformancePolicy.php

<?php

declare(strict_types=1);

namespace App\Policies;

use App\Models\Event;
use App\Models\Performance;
use App\Models\User;

/**
 * Authorization model — role-based per existing codebase pattern.
 *
 * RFC v0.2 §9 permission mapping (deferred to AUTH-PERMISSIONS-MIGRATION
 * when fine-grained permissions are operationally required):
 *   events.view_program   — program_manager, production_assistant,
 *                           event_manager, org_admin, super_admin
 *   events.manage_program — program_manager, event_manager, org_admin,
 *                           super_admin (covers move / park / unpark)
 */
final class PerformancePolicy
{
    public function viewAny(User $user, Event $event): bool
    {
        return $this->canViewProgram($user, $event);
    }

    public function view(User $user, Performance $performance, Event $event): bool
    {
        if ($performance->event_id !== $event->id) {
            return false;
        }

        return $this->canViewProgram($user, $event);
    }

    public function create(User $user, Event $event): bool
    {
        return $this->canManageProgram($user, $event);
    }

    public function update(User $user, Performance $performance, Event $event): bool
    {
        if ($performance->event_id !== $event->id) {
            return false;
        }

        return $this->canManageProgram($user, $event);
    }

    public function delete(User $user, Performance $performance, Event $event): bool
    {
        if ($performance->event_id !== $event->id) {
            return false;
        }

        return $this->canManageProgram($user, $event);
    }

    public function move(User $user, Performance $performance, Event $event): bool
    {
        if ($performance->event_id !== $event->id) {
            return false;
        }

        return $this->canManageProgram($user, $event);
    }

    private function canViewProgram(User $user, Event $event): bool
    {
        if ($user->hasRole('super_admin')) {
            return true;
        }

        $isOrgMember = $event->organisation->users()
            ->where('user_id', $user->id)
            ->wherePivotIn('role', ['org_admin', 'program_manager', 'production_assistant'])
            ->exists();

        if ($isOrgMember) {
            return true;
        }

        return $event->users()
            ->where('user_id', $user->id)
            ->wherePivot('role', 'event_manager')
            ->exists();
    }

    private function canManageProgram(User $user, Event $event): bool
    {
        if ($user->hasRole('super_admin')) {
            return true;
        }

        $isOrgManager = $event->organisation->users()
            ->where('user_id', $user->id)
            ->wherePivotIn('role', ['org_admin', 'program_manager'])
            ->exists();

        if ($isOrgManager) {
            return true;
        }

        return $event->users()
            ->where('user_id', $user->id)
            ->wherePivot('role', 'event_manager')
            ->exists();
    }
}