bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
378b6fe970b29bcb5791f5bb17e32c1c6bad4cb0
crewli/api/app/Policies/FormBuilder/FormFieldPolicy.php
bert.hausmans ab84850089 feat(form-builder): policies and form requests with scoped exists rules 
Phase 3 of S2b. Six policies and fifteen form requests for the universal
form builder. Every exists: rule is scoped to the route's organisation
or form_schema to close the A01-5..18 findings from SECURITY_AUDIT.md.

Policies (api/app/Policies/FormBuilder/):
- FormSchemaPolicy, FormFieldPolicy, FormFieldLibraryPolicy,
  FormTemplatePolicy, FormSubmissionPolicy, FormSchemaWebhookPolicy.
- FormSubmissionPolicy honours subject-self (user / person.user_id
  match / submitted_by_user_id) and active delegations, per §18.3.
- No `return true` placeholders — each method checks org membership and
  role via Spatie's hasRole().

Form Requests (api/app/Http/Requests/Api/V1/FormBuilder/):
- Schema: Store/UpdateFormSchemaRequest, RotatePublicTokenRequest.
- Fields: Store/UpdateFormFieldRequest, ReorderFormFieldsRequest (field
  ids scoped to the route schema), InsertLibraryFieldRequest (library
  scoped to the route organisation).
- Templates: Store/UpdateFormTemplateRequest.
- Field library: Store/UpdateFormFieldLibraryRequest.
- Submissions: CreateFormSubmissionRequest, UpsertFormValuesRequest
  (slug allow-list derived from schema), SubmitFormSubmissionRequest,
  ReviewFormSubmissionRequest, DelegateFormSubmissionRequest (delegatee
  scoped to organisation pivot).
- Webhooks: Store/UpdateFormSchemaWebhookRequest.
- Public: PublicSubmissionRequest (captcha_token collected here,
  enforcement in controller per config('form_builder.captcha')).

All enum validation routes through the existing PHP enums from S1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:08:49 +02:00

43 lines
1.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Policies\FormBuilder;
use App\Models\FormBuilder\FormField;
use App\Models\FormBuilder\FormSchema;
use App\Models\User;
final class FormFieldPolicy
{
public function view(User $user, FormField $field): bool
{
return app(FormSchemaPolicy::class)->view($user, $field->schema);
}
public function create(User $user, FormSchema $schema): bool
{
return app(FormSchemaPolicy::class)->update($user, $schema);
}
public function update(User $user, FormField $field): bool
{
return app(FormSchemaPolicy::class)->update($user, $field->schema);
}
public function delete(User $user, FormField $field): bool
{
return app(FormSchemaPolicy::class)->update($user, $field->schema);
}
public function reorder(User $user, FormSchema $schema): bool
{
return app(FormSchemaPolicy::class)->update($user, $schema);
}
public function insertFromLibrary(User $user, FormSchema $schema): bool
{
return app(FormSchemaPolicy::class)->update($user, $schema);
}
}
Reference in New Issue View Git Blame Copy Permalink