Tenant scope verified via failure.submission.organisation_id, NOT route binding. Cross-tenant access returns false (controllers in sessions 2/3 will translate to 404 to prevent enumeration).

Five abilities: viewAny, view, retry, resolve, dismiss.

Laravel 12 auto-discovers App\Policies\FormBuilder\FormSubmissionActionFailurePolicy for App\Models\FormBuilder\FormSubmissionActionFailure — no explicit registration needed (pattern matches the existing FormSubmissionPolicy).

IDOR-class security tests included with explicit RFC V3 cross-reference in the test class docblock.

Refs: RFC-WS-6.md §4 (V3), ARCH-FORM-BUILDER.md §22.9

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.4 KiB