fix(helpdesk): tighten debitor lookup permission and use Router::json

Require ABILITY_HANDOVERS_CREATE instead of generic ABILITY_ACCESS.
Replace manual header + echo with Router::json() for consistency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-15 21:29:31 +02:00
parent f878d8909d
commit 2600e62a73

View File

@@ -2,18 +2,18 @@
use MintyPHP\Module\Helpdesk\HelpdeskAuthorizationPolicy;
use MintyPHP\Module\Helpdesk\Service\DebitorSearchService;
use MintyPHP\Router;
use MintyPHP\Support\Guard;
Guard::requireLogin();
Guard::requireAbilityOrForbidden(HelpdeskAuthorizationPolicy::ABILITY_ACCESS);
Guard::requireAbilityOrForbidden(HelpdeskAuthorizationPolicy::ABILITY_HANDOVERS_CREATE);
gridRequireGetRequest();
$request = requestInput();
$query = trim((string) $request->query('q', ''));
if ($query === '' || mb_strlen($query) < 2) {
header('Content-Type: application/json; charset=utf-8');
echo '[]';
Router::json([]);
return;
}
@@ -42,5 +42,4 @@ if (($result['status'] ?? '') === 'success') {
}
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($items, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
Router::json($items);