diff --git a/pages/admin/permissions/edit($id).php b/pages/admin/permissions/edit($id).php index 0af8cb7..60a74a1 100644 --- a/pages/admin/permissions/edit($id).php +++ b/pages/admin/permissions/edit($id).php @@ -15,35 +15,52 @@ $returnTarget = requestResolveReturnTarget(); $closeTarget = requestResolveReturnTarget('admin/permissions'); $currentUserId = (int) ($session['user']['id'] ?? 0); -$authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class); - $id = (int) ($id ?? 0); $editTarget = requestPathWithReturnTarget("admin/permissions/edit/{$id}", $returnTarget); + +// Resolve the permission BEFORE the aggregator so the authorize-context can +// carry the real target_permission_id + target_is_system flag (matches today's +// order: lookup → CONTEXT authorize → Guard::deny()). The aggregator receives +// a trivial finder that returns the already-loaded model so its not-found +// branch fires only when find() returned null. $permission = $id > 0 ? app(\MintyPHP\Service\Access\PermissionService::class)->find($id) : null; -if (!$permission) { - Flash::error('Permission not found', $closeTarget, 'permission_not_found'); - Router::redirect($closeTarget); -} $isSystemPermission = (int) ($permission['is_system'] ?? 0) === 1; -$contextDecision = $authorizationService->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_CONTEXT, [ - 'actor_user_id' => $currentUserId, - 'target_permission_id' => $id, - 'target_is_system' => $isSystemPermission, + +$context = actionEditContext([ + 'finder' => static fn (string $_id): mixed => $permission, + 'rawId' => (string) $id, + 'notFoundFlashKey' => 'Permission not found', + 'notFoundRedirectPath' => $closeTarget, + 'notFoundFlashScopeKey' => 'permission_not_found', + 'abilityKey' => PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_CONTEXT, + 'context' => [ + 'actor_user_id' => $currentUserId, + 'target_permission_id' => $id, + 'target_is_system' => $isSystemPermission, + ], + 'viewAuthFlags' => ['can_update_permission', 'can_delete_permission'], + 'forbiddenStrategy' => 'deny', ]); -if (!$contextDecision->isAllowed()) { - Guard::deny(); -} -$capabilities = $contextDecision->attribute('capabilities', []); -$canUpdatePermission = is_array($capabilities) ? (bool) ($capabilities['can_update_permission'] ?? false) : false; -$canDeletePermission = is_array($capabilities) ? (bool) ($capabilities['can_delete_permission'] ?? false) : false; +$permission = is_array($context['model']) ? $context['model'] : $permission; +$capabilities = $context['capabilities']; +$tenantScope = $context['tenantScope']; +$viewAuth = $context['viewAuth']; +$canUpdatePermission = (bool) ($capabilities['can_update_permission'] ?? false); +$canDeletePermission = (bool) ($capabilities['can_delete_permission'] ?? false); +// Permissions-Edit konsumiert $tenantScope['ids'] bewusst NICHT — Permissions +// sind global, kein Filter-Szenario. $canManageAllPermissions bleibt als Hook +// fuer kuenftige Policy-Erweiterungen definiert. +$canManageAllPermissions = $tenantScope['scope'] === 'all'; + +$authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class); +$rolePermissionRepository = app(\MintyPHP\Repository\Access\RolePermissionRepository::class); +$userRoleRepository = app(\MintyPHP\Repository\Access\UserRoleRepository::class); +$userWriteRepository = app(\MintyPHP\Repository\User\UserWriteRepository::class); $errorBag = formErrors(); $errors = []; $form = $permission; $roles = app(RoleRepository::class)->listActive(); -$rolePermissionRepository = app(\MintyPHP\Repository\Access\RolePermissionRepository::class); -$userRoleRepository = app(\MintyPHP\Repository\Access\UserRoleRepository::class); -$userWriteRepository = app(\MintyPHP\Repository\User\UserWriteRepository::class); $selectedRoleIds = $rolePermissionRepository->listRoleIdsByPermissionId($id); $previousRoleIds = $selectedRoleIds; @@ -89,10 +106,10 @@ if ($request->isMethod('POST')) { if ($syncSucceeded) { $action = (string) $request->body('action', 'save'); if ($action === 'save_close') { - Flash::success('Permission updated', $closeTarget, 'permission_updated'); + Flash::success(t('Permission updated'), $closeTarget, 'permission_updated'); Router::redirect($closeTarget); } else { - Flash::success('Permission updated', $editTarget, 'permission_updated'); + Flash::success(t('Permission updated'), $editTarget, 'permission_updated'); Router::redirect($editTarget); } }