all(); Guard::requireLogin(); $currentUserId = (int) ($session['user']['id'] ?? 0); $authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class); // Authorization is checked generically (can user delete ANY permission?) before loading the entity. // Context-aware policies (departments, tenants, users) load the entity first to pass target_id. // Both patterns are valid; context-aware is preferred for new code. $decision = $authorizationService->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_DELETE, [ 'actor_user_id' => $currentUserId, ]); if (!$decision->isAllowed()) { if (Request::wantsJson()) { http_response_code($decision->status()); Router::json(['error' => $decision->error()]); return; } Guard::deny(); } $id = (int) ($id ?? 0); if ($id <= 0) { Router::redirect('admin/permissions'); return; } $roleIds = app(\MintyPHP\Repository\Access\RolePermissionRepository::class)->listRoleIdsByPermissionId($id); $affectedUserIds = app(\MintyPHP\Repository\Access\UserRoleRepository::class)->listUserIdsByRoleIds($roleIds); $result = app(PermissionService::class)->deleteById($id); if (!($result['ok'] ?? false)) { $error = (string) ($result['error'] ?? 'not_found'); $status = $result['status'] ?? 500; if (Request::wantsJson()) { http_response_code($status); Router::json(['error' => $error]); return; } if ($error === 'system_permission_protected') { Flash::error('System permission can not be deleted', 'admin/permissions', 'permission_system_protected'); } else { Flash::error('Permission not found', 'admin/permissions', 'permission_not_found'); } Router::redirect('admin/permissions'); return; } if ($affectedUserIds) { app(\MintyPHP\Repository\User\UserWriteRepository::class)->bumpAuthzVersionByUserIds($affectedUserIds); } if (Request::wantsJson()) { http_response_code(204); Router::json([]); return; } Flash::success('Permission deleted', 'admin/permissions', 'permission_deleted'); Router::redirect('admin/permissions');