crewli/api/app/Policies/FormBuilder/FormSchemaWebhookPolicy.php
bert.hausmans ab84850089 feat(form-builder): policies and form requests with scoped exists rules
Phase 3 of S2b. Six policies and fifteen form requests for the universal
form builder. Every exists: rule is scoped to the route's organisation
or form_schema to close the A01-5..18 findings from SECURITY_AUDIT.md.

Policies (api/app/Policies/FormBuilder/):
- FormSchemaPolicy, FormFieldPolicy, FormFieldLibraryPolicy,
  FormTemplatePolicy, FormSubmissionPolicy, FormSchemaWebhookPolicy.
- FormSubmissionPolicy honours subject-self (user / person.user_id
  match / submitted_by_user_id) and active delegations, per §18.3.
- No `return true` placeholders — each method checks org membership and
  role via Spatie's hasRole().

Form Requests (api/app/Http/Requests/Api/V1/FormBuilder/):
- Schema: Store/UpdateFormSchemaRequest, RotatePublicTokenRequest.
- Fields: Store/UpdateFormFieldRequest, ReorderFormFieldsRequest (field
  ids scoped to the route schema), InsertLibraryFieldRequest (library
  scoped to the route organisation).
- Templates: Store/UpdateFormTemplateRequest.
- Field library: Store/UpdateFormFieldLibraryRequest.
- Submissions: CreateFormSubmissionRequest, UpsertFormValuesRequest
  (slug allow-list derived from schema), SubmitFormSubmissionRequest,
  ReviewFormSubmissionRequest, DelegateFormSubmissionRequest (delegatee
  scoped to organisation pivot).
- Webhooks: Store/UpdateFormSchemaWebhookRequest.
- Public: PublicSubmissionRequest (captcha_token collected here,
  enforcement in controller per config('form_builder.captcha')).

All enum validation routes through the existing PHP enums from S1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:08:49 +02:00
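The commit message describes the defensive pattern behind the form requests: every `exists:` rule is scoped to the organisation or form_schema resolved from the route, so an identifier that is valid somewhere else in the database cannot be smuggled into a request for this schema. The following is an added illustration of that pattern for the field-reorder case, written for this page and not the project's own ReorderFormFieldsRequest. It assumes a `form_fields` table with `id` and `form_schema_id` columns, a route parameter `schema` bound to `App\Models\FormBuilder\FormSchema`, and that `FormSchemaPolicy::update` is the ability checked for editing a schema; the class name is hypothetical.

```php
<?php
declare(strict_types=1);

namespace App\Http\Requests\Api\V1\FormBuilder;

use App\Models\FormBuilder\FormSchema;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

/**
 * Illustrative request (not the project's file): reorders the fields of the
 * schema named in the route. The exists: rule on each id is scoped to that
 * schema, so ids from another schema or organisation fail validation rather
 * than being reordered (the A01 class of finding the commit closes).
 *
 * Assumed: `form_fields` has `id` and `form_schema_id`; the `schema` route
 * parameter is resolved by route model binding before this request runs.
 */
final class ScopedReorderFieldsExampleRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Authorisation stays in the policy layer; this only asks the
        // gate whether the user may edit the bound schema.
        return $this->user()?->can('update', $this->routeSchema()) === true;
    }

    /** @return array<string, array<int, mixed>> */
    public function rules(): array
    {
        $schema = $this->routeSchema();

        return [
            'field_ids' => ['required', 'array', 'min:1'],

            // Unscoped form, the kind of rule the commit replaces:
            //   'field_ids.*' => ['integer', 'exists:form_fields,id'],
            // accepts any field id in the whole table.
            //
            // Scoped form: the id must exist AND belong to this schema.
            'field_ids.*' => [
                'integer',
                'distinct',
                Rule::exists('form_fields', 'id')
                    ->where('form_schema_id', $schema->getKey()),
            ],
        ];
    }

    /**
     * Fail closed: if binding did not produce a FormSchema, refuse to build
     * a rule set rather than fall back to an unscoped query.
     */
    private function routeSchema(): FormSchema
    {
        $schema = $this->route('schema');

        if (! $schema instanceof FormSchema) {
            throw new \LogicException('Route parameter "schema" must be a bound FormSchema.');
        }

        return $schema;
    }
}
```

The same shape applies to the other requests the message lists: the library scoped to the route organisation in InsertLibraryFieldRequest, the delegatee scoped to the organisation pivot in DelegateFormSubmissionRequest. In each case the `where` clause is derived from the route binding, never from request input, so the caller cannot choose the scope it is checked against.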

38 lines
982 B
PHP

<?php

declare(strict_types=1);

namespace App\Policies\FormBuilder;

use App\Models\FormBuilder\FormSchema;
use App\Models\FormBuilder\FormSchemaWebhook;
use App\Models\User;

/**
 * Webhooks have no authorisation rules of their own: every ability is
 * answered by FormSchemaPolicy for the schema the webhook belongs to, so
 * organisation membership and role are checked in one place.
 */
final class FormSchemaWebhookPolicy
{
    /** Viewing a webhook requires view access to its parent schema. */
    public function view(User $user, FormSchemaWebhook $webhook): bool
    {
        return app(FormSchemaPolicy::class)->view($user, $webhook->schema);
    }

    /** Creating a webhook is treated as editing the schema it is attached to. */
    public function create(User $user, FormSchema $schema): bool
    {
        return app(FormSchemaPolicy::class)->update($user, $schema);
    }

    /** Editing a webhook requires update access to its parent schema. */
    public function update(User $user, FormSchemaWebhook $webhook): bool
    {
        return app(FormSchemaPolicy::class)->update($user, $webhook->schema);
    }

    /** Deleting a webhook requires update access to its parent schema. */
    public function delete(User $user, FormSchemaWebhook $webhook): bool
    {
        return app(FormSchemaPolicy::class)->update($user, $webhook->schema);
    }

    /** Firing a test delivery is as privileged as editing the webhook. */
    public function test(User $user, FormSchemaWebhook $webhook): bool
    {
        return $this->update($user, $webhook);
    }
}