'api_audit.view', self::ABILITY_API_AUDIT_PURGE => 'audit.api.purge', self::ABILITY_SYSTEM_AUDIT_VIEW => 'system_audit.view', self::ABILITY_SYSTEM_AUDIT_PURGE => 'system_audit.purge', self::ABILITY_IMPORTS_AUDIT_VIEW => 'imports.audit.view', self::ABILITY_IMPORTS_AUDIT_PURGE => 'audit.imports.purge', self::ABILITY_USER_LIFECYCLE_VIEW => 'user_lifecycle_audit.view', self::ABILITY_USER_LIFECYCLE_RESTORE => 'users.lifecycle_restore', ]; public function __construct( private readonly PermissionService $permissionService ) { } public function supports(string $ability): bool { return isset(self::ABILITY_PERMISSION_MAP[$ability]); } public function authorize(string $ability, array $context = []): AuthorizationDecision { $actorUserId = (int) ($context['actor_user_id'] ?? 0); if ($actorUserId <= 0) { return AuthorizationDecision::deny(403, 'forbidden'); } $permissionKey = self::ABILITY_PERMISSION_MAP[$ability] ?? null; if ($permissionKey === null) { return AuthorizationDecision::deny(403, 'forbidden'); } if (!$this->permissionService->userHas($actorUserId, $permissionKey)) { return AuthorizationDecision::deny(403, 'forbidden'); } return AuthorizationDecision::allow(); } }