TenantAtlas/apps/platform/app/Policies/EntraGroupPolicy.php

<?php

namespace App\Policies;

use App\Models\EntraGroup;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Support\OperateHub\OperateHubShell;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Auth\Access\Response;

class EntraGroupPolicy
{
    use HandlesAuthorization;

    public function viewAny(User $user): bool
    {
        $tenant = $this->resolvedTenant();

        if (! $tenant) {
            return false;
        }

        return $user->canAccessTenant($tenant);
    }

    public function view(User $user, EntraGroup $group): Response|bool
    {
        $tenant = $this->resolvedTenant();

        if (! $tenant) {
            return Response::denyAsNotFound();
        }

        if (! $user->canAccessTenant($tenant)) {
            return Response::denyAsNotFound();
        }

        if ((int) $group->managed_environment_id !== (int) $tenant->getKey()) {
            return Response::denyAsNotFound();
        }

        return true;
    }

    private function resolvedTenant(): ?ManagedEnvironment
    {
        if (Filament::getCurrentPanel()?->getId() === 'admin') {
            $tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());

            return $tenant instanceof ManagedEnvironment ? $tenant : null;
        }

        $tenant = ManagedEnvironment::current();

        return $tenant instanceof ManagedEnvironment ? $tenant : null;
    }
}