TenantAtlas/apps/platform/app/Policies/TenantReviewPolicy.php

<?php

declare(strict_types=1);

namespace App\Policies;

use App\Models\ManagedEnvironment;
use App\Models\TenantReview;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;
use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Auth\Access\Response;

class TenantReviewPolicy
{
    use HandlesAuthorization;

    public function viewAny(User $user): bool
    {
        $tenant = ManagedEnvironment::current();

        if (! $tenant instanceof ManagedEnvironment || ! $user->canAccessTenant($tenant)) {
            return false;
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_VIEW);
    }

    public function view(User $user, TenantReview $review): Response|bool
    {
        $tenant = $this->authorizedTenantOrNull($user, $review);

        if (! $tenant instanceof ManagedEnvironment) {
            return Response::denyAsNotFound();
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_VIEW)
            ? true
            : Response::deny();
    }

    public function create(User $user): bool
    {
        $tenant = ManagedEnvironment::current();

        if (! $tenant instanceof ManagedEnvironment || ! $user->canAccessTenant($tenant)) {
            return false;
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_MANAGE);
    }

    public function refresh(User $user, TenantReview $review): Response|bool
    {
        return $this->authorizeManageAction($user, $review);
    }

    public function publish(User $user, TenantReview $review): Response|bool
    {
        return $this->authorizeManageAction($user, $review);
    }

    public function archive(User $user, TenantReview $review): Response|bool
    {
        return $this->authorizeManageAction($user, $review);
    }

    public function export(User $user, TenantReview $review): Response|bool
    {
        return $this->authorizeManageAction($user, $review);
    }

    public function createNextReview(User $user, TenantReview $review): Response|bool
    {
        return $this->authorizeManageAction($user, $review);
    }

    private function authorizeManageAction(User $user, TenantReview $review): Response|bool
    {
        $tenant = $this->authorizedTenantOrNull($user, $review);

        if (! $tenant instanceof ManagedEnvironment) {
            return Response::denyAsNotFound();
        }

        return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_MANAGE)
            ? true
            : Response::deny();
    }

    private function authorizedTenantOrNull(User $user, TenantReview $review): ?ManagedEnvironment
    {
        $tenant = $review->tenant;

        if (! $tenant instanceof ManagedEnvironment) {
            return null;
        }

        if (! $user->canAccessTenant($tenant)) {
            return null;
        }

        if ((int) $review->workspace_id !== (int) $tenant->workspace_id) {
            return null;
        }

        return $tenant;
    }
}