Files
breadcrumb-the-shire/pages
fs 1974aba6c2 refactor(roles-edit): migrate to actionEditContext (step 4)
Third pilot of the cluster rollout — first action that exercises
forbiddenStrategy:'deny' in production. The CONTEXT-stage vorspiel
collapses into one declarative actionEditContext call; the SUBMIT
branch keeps its explicit Guard::deny() (Two-Level-Authorize).

Confirms the analyst hypothesis: actionEditContext with
forbiddenStrategy:'deny' is enough — no helper extension needed.
Helper file stays 0-diff. The 'deny' path was built in step 1 and
verified by testAuthorizeAndExtractCapabilitiesUsesGuardDenyStrategy,
but only now proven against a real production caller.

Three drift decisions from steps 2/3 reproduced:
* notFoundFlashScopeKey: 'role_not_found' to preserve the existing
  Flash dedup-scope-key.
* t() consistency: both Flash::success('Role updated', …) calls now
  flow through t() — German users see fully translated messages.
* Defensive scope consumption: $canManageAllRoles reads
  $tenantScope['scope'] === 'all'. Roles are global, so
  $tenantScope['ids'] is intentionally not consumed; an inline
  comment documents that.

Roles-specific: PermissionService-warmup absence is preserved (Roles
don't need it — Departments/Tenants do, but cross-cluster consistency
is not a goal here, behavioral identity is).

ActionContextCsrfPairingContractTest now covers three callers
(departments-edit, tenants-edit, roles-edit) and stays green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 10:40:48 +02:00
..
2026-03-04 15:56:58 +01:00