fix(helpdesk): tighten debitor lookup permission and use Router::json

Require ABILITY_HANDOVERS_CREATE instead of generic ABILITY_ACCESS.
Replace manual header + echo with Router::json() for consistency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-15 21:29:31 +02:00
parent f878d8909d
commit 2600e62a73

View File

@@ -2,18 +2,18 @@
use MintyPHP\Module\Helpdesk\HelpdeskAuthorizationPolicy; use MintyPHP\Module\Helpdesk\HelpdeskAuthorizationPolicy;
use MintyPHP\Module\Helpdesk\Service\DebitorSearchService; use MintyPHP\Module\Helpdesk\Service\DebitorSearchService;
use MintyPHP\Router;
use MintyPHP\Support\Guard; use MintyPHP\Support\Guard;
Guard::requireLogin(); Guard::requireLogin();
Guard::requireAbilityOrForbidden(HelpdeskAuthorizationPolicy::ABILITY_ACCESS); Guard::requireAbilityOrForbidden(HelpdeskAuthorizationPolicy::ABILITY_HANDOVERS_CREATE);
gridRequireGetRequest(); gridRequireGetRequest();
$request = requestInput(); $request = requestInput();
$query = trim((string) $request->query('q', '')); $query = trim((string) $request->query('q', ''));
if ($query === '' || mb_strlen($query) < 2) { if ($query === '' || mb_strlen($query) < 2) {
header('Content-Type: application/json; charset=utf-8'); Router::json([]);
echo '[]';
return; return;
} }
@@ -42,5 +42,4 @@ if (($result['status'] ?? '') === 'success') {
} }
} }
header('Content-Type: application/json; charset=utf-8'); Router::json($items);
echo json_encode($items, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);