bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
78a8016e01ed2e85ba11b28e2fe5e7cba63ceff6
crewli/api/app/Policies/FormBuilder/FormSubmissionActionFailurePolicy.php
bert.hausmans 78a8016e01 feat(form-builder): add FormSubmissionActionFailurePolicy with FK-chain auth (WS-6) 
Tenant scope verified via failure.submission.organisation_id, NOT route
binding. Cross-tenant access returns false (controllers in sessions 2/3
will translate to 404 to prevent enumeration). Five abilities:
viewAny, view, retry, resolve, dismiss.

Laravel 12 auto-discovers App\Policies\FormBuilder\FormSubmissionActionFailurePolicy
for App\Models\FormBuilder\FormSubmissionActionFailure — no explicit
registration needed (pattern matches the existing FormSubmissionPolicy).

IDOR-class security tests included with explicit RFC V3 cross-reference
in the test class docblock.

Refs: RFC-WS-6.md §4 (V3), ARCH-FORM-BUILDER.md §22.9

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 00:03:21 +02:00

85 lines
2.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Policies\FormBuilder;
use App\Models\FormBuilder\FormSubmissionActionFailure;
use App\Models\Organisation;
use App\Models\User;
/**
* RFC-WS-6 §4 (V3) — IDOR-class FK-chain enforcement.
*
* The `form_submission_action_failures` table has no `organisation_id`
* column by design. Tenant scope flows via
* failure.submission.organisation_id. Cross-tenant access returns
* `false` here; controllers (sessions 2/3) translate to 404 to prevent
* resource-existence enumeration.
*/
final class FormSubmissionActionFailurePolicy
{
public function viewAny(User $user): bool
{
if ($user->hasRole('super_admin')) {
return true;
}
// Org admin in any organisation. Controllers in sessions 2/3
// restrict the result set per role.
return $user->organisations()
->wherePivot('role', 'org_admin')
->exists();
}
public function view(User $user, FormSubmissionActionFailure $failure): bool
{
return $this->canAccess($user, $failure);
}
public function retry(User $user, FormSubmissionActionFailure $failure): bool
{
return $this->canAccess($user, $failure);
}
public function resolve(User $user, FormSubmissionActionFailure $failure): bool
{
return $this->canAccess($user, $failure);
}
public function dismiss(User $user, FormSubmissionActionFailure $failure): bool
{
return $this->canAccess($user, $failure);
}
private function canAccess(User $user, FormSubmissionActionFailure $failure): bool
{
$failure->loadMissing('submission');
$submission = $failure->submission;
if ($submission === null) {
return false; // parent submission deleted
}
$orgId = (string) $submission->organisation_id;
if ($orgId === '') {
return false;
}
if ($user->hasRole('super_admin')) {
return true;
}
// Tenant scope: user must be an org_admin in the failure's
// organisation. RFC V3 — IDOR-class FK-chain enforcement.
$organisation = $submission->organisation;
if (! $organisation instanceof Organisation) {
return false;
}
return $organisation->users()
->where('user_id', $user->id)
->wherePivot('role', 'org_admin')
->exists();
}
}
Reference in New Issue View Git Blame Copy Permalink