$this->authorizeAdminSettingsView($context), self::ABILITY_ADMIN_SETTINGS_UPDATE, self::ABILITY_ADMIN_SETTINGS_BRANDING_UPDATE, self::ABILITY_ADMIN_SETTINGS_TOKENS_REVOKE, self::ABILITY_ADMIN_SETTINGS_USER_LIFECYCLE_RUN => $this->authorizeSettingsUpdatePermission($context), default => AuthorizationDecision::deny(500, 'authorization_ability_not_supported'), }; } private function authorizeAdminSettingsView(array $context): AuthorizationDecision { $actorUserId = $this->actorUserId($context); if (!$this->hasPermission($actorUserId, PermissionService::SETTINGS_VIEW)) { return AuthorizationDecision::deny(403, 'forbidden'); } return AuthorizationDecision::allow([ 'capabilities' => [ 'can_view_page' => true, 'can_update_settings' => $this->hasPermission($actorUserId, PermissionService::SETTINGS_UPDATE), ], ]); } private function authorizeSettingsUpdatePermission(array $context): AuthorizationDecision { $actorUserId = $this->actorUserId($context); if (!$this->hasPermission($actorUserId, PermissionService::SETTINGS_UPDATE)) { return AuthorizationDecision::deny(403, 'forbidden'); } return AuthorizationDecision::allow(); } }