$this->authorizeUsersCreateCustomFields($actorUserId), self::ABILITY_API_TOKENS_SELF_MANAGE => $this->authorizeApiTokensSelfManage($actorUserId), self::ABILITY_ADDRESS_BOOK_VIEW => $this->allowIfHas($actorUserId, PermissionService::ADDRESS_BOOK_VIEW), self::ABILITY_ADMIN_USER_LIFECYCLE_AUDIT_VIEW => $this->allowIfHas($actorUserId, PermissionService::USER_LIFECYCLE_AUDIT_VIEW), self::ABILITY_ADMIN_USERS_LIFECYCLE_RESTORE => $this->allowIfHas($actorUserId, PermissionService::USERS_LIFECYCLE_RESTORE), self::ABILITY_ADMIN_API_AUDIT_VIEW => $this->allowIfHas($actorUserId, PermissionService::API_AUDIT_VIEW), self::ABILITY_ADMIN_SYSTEM_AUDIT_VIEW => $this->allowIfHas($actorUserId, PermissionService::SYSTEM_AUDIT_VIEW), self::ABILITY_ADMIN_SYSTEM_AUDIT_PURGE => $this->allowIfHas($actorUserId, PermissionService::SYSTEM_AUDIT_PURGE), self::ABILITY_ADMIN_DOCS_VIEW => $this->allowIfHas($actorUserId, PermissionService::DOCS_VIEW), self::ABILITY_ADMIN_IMPORTS_AUDIT_VIEW => $this->allowIfHas($actorUserId, PermissionService::IMPORTS_AUDIT_VIEW), self::ABILITY_ADMIN_IMPORTS_VIEW => $this->allowIfHas($actorUserId, PermissionService::IMPORTS_VIEW), self::ABILITY_ADMIN_JOBS_RUN_NOW => $this->allowIfHas($actorUserId, PermissionService::JOBS_RUN_NOW), self::ABILITY_ADMIN_JOBS_VIEW => $this->allowIfHas($actorUserId, PermissionService::JOBS_VIEW), self::ABILITY_ADMIN_JOBS_MANAGE => $this->allowIfHas($actorUserId, PermissionService::JOBS_MANAGE), self::ABILITY_ADMIN_MAIL_LOG_VIEW => $this->allowIfHas($actorUserId, PermissionService::MAIL_LOG_VIEW), self::ABILITY_ADMIN_STATS_VIEW => $this->allowIfHas($actorUserId, PermissionService::STATS_VIEW), self::ABILITY_ADMIN_API_DOCS_VIEW => $this->allowIfHas($actorUserId, PermissionService::API_DOCS_VIEW), self::ABILITY_ADMIN_IMPORTS_TYPE_USERS => $this->allowIfHas($actorUserId, PermissionService::USERS_IMPORT), self::ABILITY_ADMIN_IMPORTS_TYPE_DEPARTMENTS => $this->allowIfHas($actorUserId, PermissionService::DEPARTMENTS_IMPORT), self::ABILITY_ADMIN_USERS_ASSIGNMENTS_MANAGE => $this->allowIfHas($actorUserId, PermissionService::USERS_UPDATE_ASSIGNMENTS), self::ABILITY_API_PERMISSIONS_VIEW => $this->allowIfHas($actorUserId, PermissionService::PERMISSIONS_VIEW), self::ABILITY_API_SETTINGS_VIEW => $this->allowIfHas($actorUserId, PermissionService::SETTINGS_VIEW), self::ABILITY_API_SETTINGS_UPDATE => $this->allowIfHas($actorUserId, PermissionService::SETTINGS_UPDATE), self::ABILITY_API_ROLES_VIEW => $this->allowIfHas($actorUserId, PermissionService::ROLES_VIEW), self::ABILITY_API_ROLES_CREATE => $this->allowIfHas($actorUserId, PermissionService::ROLES_CREATE), self::ABILITY_API_ROLES_UPDATE => $this->allowIfHas($actorUserId, PermissionService::ROLES_UPDATE), self::ABILITY_API_ROLES_DELETE => $this->allowIfHas($actorUserId, PermissionService::ROLES_DELETE), self::ABILITY_API_DEPARTMENTS_VIEW => $this->allowIfHas($actorUserId, PermissionService::DEPARTMENTS_VIEW), self::ABILITY_API_DEPARTMENTS_CREATE => $this->allowIfHas($actorUserId, PermissionService::DEPARTMENTS_CREATE), self::ABILITY_API_DEPARTMENTS_UPDATE => $this->allowIfHas($actorUserId, PermissionService::DEPARTMENTS_UPDATE), self::ABILITY_API_DEPARTMENTS_DELETE => $this->allowIfHas($actorUserId, PermissionService::DEPARTMENTS_DELETE), self::ABILITY_API_TENANTS_VIEW => $this->allowIfHas($actorUserId, PermissionService::TENANTS_VIEW), self::ABILITY_API_TENANTS_CREATE => $this->allowIfHas($actorUserId, PermissionService::TENANTS_CREATE), self::ABILITY_API_TENANTS_UPDATE => $this->allowIfHas($actorUserId, PermissionService::TENANTS_UPDATE), self::ABILITY_API_TENANTS_DELETE => $this->allowIfHas($actorUserId, PermissionService::TENANTS_DELETE), self::ABILITY_API_ME_SELF_UPDATE => $this->allowIfHas($actorUserId, PermissionService::USERS_SELF_UPDATE), default => AuthorizationDecision::deny(500, 'authorization_ability_not_supported'), }; } private function authorizeUsersCreateCustomFields(int $actorUserId): AuthorizationDecision { if (!$this->permissionGateway->userHas($actorUserId, PermissionService::CUSTOM_FIELDS_EDIT_VALUES)) { return AuthorizationDecision::deny(403, 'forbidden'); } if (!$this->permissionGateway->userHas($actorUserId, PermissionService::USERS_UPDATE_ASSIGNMENTS)) { return AuthorizationDecision::deny(403, 'forbidden'); } return AuthorizationDecision::allow(); } private function authorizeApiTokensSelfManage(int $actorUserId): AuthorizationDecision { if ($this->permissionGateway->userHas($actorUserId, PermissionService::USERS_SELF_UPDATE)) { return AuthorizationDecision::allow(); } if ($this->permissionGateway->userHas($actorUserId, PermissionService::API_TOKENS_MANAGE)) { return AuthorizationDecision::allow(); } return AuthorizationDecision::deny(403, 'forbidden'); } private function allowIfHas(int $actorUserId, string $permissionKey): AuthorizationDecision { if (!$this->permissionGateway->userHas($actorUserId, $permissionKey)) { return AuthorizationDecision::deny(403, 'forbidden'); } return AuthorizationDecision::allow(); } }