Implement handover protocols as a new entity in the helpdesk module, allowing users to create fillable protocol records from admin-defined software product schemas. Key additions: - DB migration (helpdesk_handovers table) with tenant scope - HandoverService with status workflow (draft/in_progress/completed/archived) - Three-tier permissions (view/create/manage) - Two-step creation wizard (Stripe-style assistant) - Grid.js list page with search and status filter - Edit/detail page with aside metadata and status controls - Reusable core autocomplete lookup component (app-lookup-field) - Debitor lookup data endpoint for autocomplete - Dynamic form rendering from schema snapshots - 11 PHPUnit tests for HandoverService - DE+EN i18n translations (48 keys each) Also includes: PHPStan fixes (dead code removal, stale baseline cleanup), software product edit title improvement, fieldset simplification, and Stripe-style hover for schema preview. Workflow: HD-HANDOVERS-001 (.agents/runs/HD-HANDOVERS-001/) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
73 lines
3.4 KiB
PHP
73 lines
3.4 KiB
PHP
<?php
|
|
|
|
namespace MintyPHP\Module\Helpdesk;
|
|
|
|
use MintyPHP\Service\Access\AuthorizationDecision;
|
|
use MintyPHP\Service\Access\AuthorizationPolicyInterface;
|
|
use MintyPHP\Service\Access\PermissionService;
|
|
|
|
final class HelpdeskAuthorizationPolicy implements AuthorizationPolicyInterface
|
|
{
|
|
public const ABILITY_ACCESS = 'helpdesk.access';
|
|
public const ABILITY_SETTINGS_MANAGE = 'helpdesk.settings.manage';
|
|
public const ABILITY_TEAM_WORKLOAD = 'helpdesk.team-workload.view';
|
|
public const ABILITY_RISK_RADAR = 'helpdesk.risk-radar.view';
|
|
public const ABILITY_SOFTWARE_PRODUCTS_MANAGE = 'helpdesk.software-products.manage';
|
|
public const ABILITY_HANDOVERS_VIEW = 'helpdesk.handovers.view';
|
|
public const ABILITY_HANDOVERS_CREATE = 'helpdesk.handovers.create';
|
|
public const ABILITY_HANDOVERS_MANAGE = 'helpdesk.handovers.manage';
|
|
|
|
public const PERMISSION_ACCESS = 'helpdesk.access';
|
|
public const PERMISSION_SETTINGS_MANAGE = 'helpdesk.settings.manage';
|
|
public const PERMISSION_TEAM_WORKLOAD = 'helpdesk.team-workload.view';
|
|
public const PERMISSION_RISK_RADAR = 'helpdesk.risk-radar.view';
|
|
/** @api Used in authorize() match for ability resolution */
|
|
public const PERMISSION_SOFTWARE_PRODUCTS_MANAGE = 'helpdesk.software-products.manage';
|
|
/** @api Used in authorize() match for ability resolution */
|
|
public const PERMISSION_HANDOVERS_VIEW = 'helpdesk.handovers.view';
|
|
/** @api Used in authorize() match for ability resolution */
|
|
public const PERMISSION_HANDOVERS_CREATE = 'helpdesk.handovers.create';
|
|
/** @api Used in authorize() match for ability resolution */
|
|
public const PERMISSION_HANDOVERS_MANAGE = 'helpdesk.handovers.manage';
|
|
|
|
public function __construct(
|
|
private readonly PermissionService $permissionService
|
|
) {
|
|
}
|
|
|
|
public function supports(string $ability): bool
|
|
{
|
|
return in_array($ability, [self::ABILITY_ACCESS, self::ABILITY_SETTINGS_MANAGE, self::ABILITY_TEAM_WORKLOAD, self::ABILITY_RISK_RADAR, self::ABILITY_SOFTWARE_PRODUCTS_MANAGE, self::ABILITY_HANDOVERS_VIEW, self::ABILITY_HANDOVERS_CREATE, self::ABILITY_HANDOVERS_MANAGE], true);
|
|
}
|
|
|
|
public function authorize(string $ability, array $context = []): AuthorizationDecision
|
|
{
|
|
$actorUserId = (int) ($context['actor_user_id'] ?? 0);
|
|
if ($actorUserId <= 0) {
|
|
return AuthorizationDecision::deny(403, 'forbidden');
|
|
}
|
|
|
|
$permissionKey = match ($ability) {
|
|
self::ABILITY_ACCESS => self::PERMISSION_ACCESS,
|
|
self::ABILITY_SETTINGS_MANAGE => self::PERMISSION_SETTINGS_MANAGE,
|
|
self::ABILITY_TEAM_WORKLOAD => self::PERMISSION_TEAM_WORKLOAD,
|
|
self::ABILITY_RISK_RADAR => self::PERMISSION_RISK_RADAR,
|
|
self::ABILITY_SOFTWARE_PRODUCTS_MANAGE => self::PERMISSION_SOFTWARE_PRODUCTS_MANAGE,
|
|
self::ABILITY_HANDOVERS_VIEW => self::PERMISSION_HANDOVERS_VIEW,
|
|
self::ABILITY_HANDOVERS_CREATE => self::PERMISSION_HANDOVERS_CREATE,
|
|
self::ABILITY_HANDOVERS_MANAGE => self::PERMISSION_HANDOVERS_MANAGE,
|
|
default => null,
|
|
};
|
|
|
|
if ($permissionKey === null) {
|
|
return AuthorizationDecision::deny(403, 'forbidden');
|
|
}
|
|
|
|
if (!$this->permissionService->userHas($actorUserId, $permissionKey)) {
|
|
return AuthorizationDecision::deny(403, 'forbidden');
|
|
}
|
|
|
|
return AuthorizationDecision::allow();
|
|
}
|
|
}
|