crewli/api/app/Http/Resources/FormBuilder/FormSubmissionResource.php
bert.hausmans 4b7e66b83f feat(form-builder): API resources with FieldAccessService filtering
Phase 4 of S2b. Nine resources that shape the universal form builder
responses. FieldAccessService::filterVisibleFields gates every field
array — the primary defence tested by FormResourceSecurityTest (§22.9).

- FormSchemaResource: includes fields_count, submissions_count,
  has_submissions, is_locked (derived from edit_lock_*), public_form_url
  when public_token is set, and filtered fields collection.
- FormSchemaSummaryResource: lean list-endpoint variant.
- FormFieldResource: effective_label / help_text / options resolved via
  FormLocaleResolver + translations JSON, plus TAG_PICKER available_tags
  filtered by validation_rules.tag_categories.
- FormSubmissionResource: values keyed by field slug with FieldAccessService
  filtering, section_statuses, active delegations, review_info,
  submitted_in_locale, submission_duration_seconds.
- FormSubmissionSummaryResource: lean list variant.
- FormTemplateResource, FormFieldLibraryResource.
- PublicFormSchemaResource: strictly limited per §10 — only
  is_portal_visible=true AND is_admin_only=false fields, no PII hints,
  no role_restrictions, no submissions_count.
- FormSchemaWebhookResource: url/secret never returned; only url_host +
  has_secret boolean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:13:40 +02:00


<?php
declare(strict_types=1);
namespace App\Http\Resources\FormBuilder;
use App\Models\FormBuilder\FormSubmission;
use App\Services\FormBuilder\FieldAccessService;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
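/**
 * API shape of a single form submission.
 *
 * Only the `values` array is filtered by FieldAccessService; every other
 * key (submitter identity, review notes, delegation messages, timestamps)
 * is emitted verbatim from the model, so access to the submission as a
 * whole has to be decided before this resource is built.
 *
 * @mixin FormSubmission
 */
final class FormSubmissionResource extends JsonResource
{
    /**
     * Build the response array for the requesting user.
     *
     * @return array<string, mixed>
     */
    public function toArray(Request $request): array
    {
        // Eager-load once so the per-value / per-section loops below do not
        // issue a query per row.
        $this->resource->loadMissing(['values.field', 'sectionStatuses', 'delegations']);

        return [
            'id' => $this->id,
            'form_schema_id' => $this->form_schema_id,
            'subject_type' => $this->subject_type,
            'subject_id' => $this->subject_id,
            'submitted_by_user_id' => $this->submitted_by_user_id,
            // NOTE(review): submitter name/email, review notes and delegation
            // messages are NOT gated by FieldAccessService — only 'values' is.
            // Confirm the calling policy/controller restricts who may load this
            // resource before exposing it to roles that are not reviewers.
            'public_submitter_name' => $this->public_submitter_name,
            'public_submitter_email' => $this->public_submitter_email,
            'status' => self::scalar($this->status),
            'review_status' => self::scalar($this->review_status),
            'review_info' => $this->when($this->reviewed_at !== null, fn () => [
                'reviewed_by_user_id' => $this->reviewed_by_user_id,
                'reviewed_at' => $this->reviewed_at?->toIso8601String(),
                'notes' => $this->review_notes,
            ]),
            'submitted_at' => $this->submitted_at?->toIso8601String(),
            'schema_version_at_submit' => $this->schema_version_at_submit,
            'submitted_in_locale' => $this->submitted_in_locale,
            'opened_at' => $this->opened_at?->toIso8601String(),
            'first_interacted_at' => $this->first_interacted_at?->toIso8601String(),
            'submission_duration_seconds' => $this->submission_duration_seconds,
            'is_test' => (bool) $this->is_test,
            'values' => $this->visibleValues($request),
            'section_statuses' => $this->sectionStatuses->map(static fn ($s) => [
                'form_schema_section_id' => $s->form_schema_section_id,
                // Same enum unwrapping as the top-level status keys, so the array
                // shape does not depend on whether the model casts this column.
                'status' => self::scalar($s->status),
                'submitted_at' => $s->submitted_at?->toIso8601String(),
                'reviewed_at' => $s->reviewed_at?->toIso8601String(),
            ])->all(),
            // Revoked delegations are history, not current access — drop them.
            'delegations' => $this->delegations
                ->filter(static fn ($d) => $d->revoked_at === null)
                ->map(static fn ($d) => [
                    'id' => $d->id,
                    'delegated_to_user_id' => $d->delegated_to_user_id,
                    'delegated_by_user_id' => $d->delegated_by_user_id,
                    'granted_at' => $d->granted_at?->toIso8601String(),
                    'message' => $d->message,
                ])->values()->all(),
            'created_at' => $this->created_at?->toIso8601String(),
            'updated_at' => $this->updated_at?->toIso8601String(),
        ];
    }

    /**
     * Submission values keyed by field slug, restricted to the fields that
     * FieldAccessService::filterVisibleFields returns for the requester.
     *
     * A value whose field row is missing (orphaned value) has no slug and is
     * skipped; a value whose field is not visible is omitted entirely rather
     * than emitted as null, so its existence is not leaked either.
     *
     * @return array<string, array{value: mixed, value_anonymised: bool}>
     */
    private function visibleValues(Request $request): array
    {
        $fields = $this->values
            ->map(static fn ($v) => $v->field)
            ->filter();

        // NOTE(review): $request->user() is null on unauthenticated requests;
        // this relies on FieldAccessService treating a null user as "nothing
        // visible" — confirm that contract before reusing this resource on a
        // public route.
        $visibleIds = app(FieldAccessService::class)
            ->filterVisibleFields($request->user(), $fields, $this->resource)
            ->pluck('id')
            ->all();

        // Keyed set for O(1) membership per value instead of in_array() per row.
        // Both sides come from the same model's `id` attribute, so key
        // normalisation cannot produce a match that the strict check would not.
        $visible = array_fill_keys($visibleIds, true);

        $values = [];
        foreach ($this->values as $value) {
            $field = $value->field;
            if ($field === null || ! isset($visible[$field->id])) {
                continue;
            }
            $values[$field->slug] = [
                'value' => $value->value,
                'value_anonymised' => (bool) $value->value_anonymised,
            ];
        }

        return $values;
    }

    /**
     * Backed enums (status casts) are emitted as their scalar value; any other
     * value passes through unchanged.
     */
    private static function scalar(mixed $value): mixed
    {
        return $value instanceof \BackedEnum ? $value->value : $value;
    }
}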