60 lines
1.4 KiB
PHP
60 lines
1.4 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Support\Rbac;
|
|
|
|
use App\Models\ManagedEnvironment;
|
|
use App\Models\User;
|
|
|
|
/**
|
|
* DTO representing the access context for a tenant-scoped UI action.
|
|
*
|
|
* Captures the current user, tenant, membership status, and capability check result
|
|
* for use by the UiEnforcement helper.
|
|
*/
|
|
final readonly class TenantAccessContext
|
|
{
|
|
public function __construct(
|
|
public ?User $user,
|
|
public ?ManagedEnvironment $tenant,
|
|
public bool $isMember,
|
|
public bool $hasCapability,
|
|
public ?string $denialReason = null,
|
|
) {}
|
|
|
|
/**
|
|
* Non-members should receive 404 (deny-as-not-found).
|
|
*/
|
|
public function shouldDenyAsNotFound(): bool
|
|
{
|
|
return ! $this->isMember;
|
|
}
|
|
|
|
public function isContextMissing(): bool
|
|
{
|
|
return in_array($this->denialReason, [
|
|
'context_missing',
|
|
'workspace_missing',
|
|
'environment_missing',
|
|
'tenant_missing',
|
|
], true);
|
|
}
|
|
|
|
/**
|
|
* Members without capability should receive 403 (forbidden).
|
|
*/
|
|
public function shouldDenyAsForbidden(): bool
|
|
{
|
|
return $this->isMember && ! $this->hasCapability;
|
|
}
|
|
|
|
/**
|
|
* User is authorized to perform the action.
|
|
*/
|
|
public function isAuthorized(): bool
|
|
{
|
|
return $this->isMember && $this->hasCapability;
|
|
}
|
|
}
|