0 ? $id : null; } public static function isTenantScopedToken(): bool { return (self::$tokenTenantId ?? 0) > 0; } /** * Require both tenant-scope and token-tenant access for a resource. */ public static function requireResourceAccess(string $resource, int $resourceId): void { if (!TenantScopeService::canAccess($resource, $resourceId, self::userId())) { ApiResponse::notFound(); } self::requireTokenTenantAccess($resource, $resourceId); } public static function requireTokenTenantAccess(string $resource, int $resourceId): void { if (!self::isTenantScopedToken()) { return; } $tenantId = (int) (self::$tokenTenantId ?? 0); if ($tenantId <= 0) { ApiResponse::forbidden(); } if (!TenantScopeService::resourceBelongsToTenant($resource, $resourceId, $tenantId)) { ApiResponse::notFound(); } } /** * Check if the current user can self-manage API tokens. */ public static function canSelfManageTokens(): bool { return self::hasPermission(\MintyPHP\Service\Access\PermissionService::USERS_SELF_UPDATE) || self::hasPermission(\MintyPHP\Service\Access\PermissionService::API_TOKENS_MANAGE); } public static function requireSelfManageTokens(): void { if (!self::canSelfManageTokens()) { ApiResponse::forbidden('api_tokens_self_manage_forbidden'); } } }