ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
main
timebank-cc-public/app/Traits/ProfilePermissionTrait.php
Ronald Huynen 2547717edb Initial commit
2026-03-23 21:37:59 +01:00

155 lines
4.3 KiB
PHP
Raw Permalink Blame History

<?php
namespace App\Traits;
use Illuminate\Support\Facades\Auth;
use Spatie\Permission\Models\Role;
trait ProfilePermissionTrait
{
/**
* Determines if the currently authenticated user has permission to manage profiles.
*
* @return bool
*/
protected function getCanManageProfiles()
{
$user = Auth::guard('web')->user();
$activeType = session('activeProfileType');
$activeId = session('activeProfileId');
if (!$user || !$activeType || !$activeId) {
return false;
}
$typeMap = [
'App\Models\Admin' => ['prefix' => 'Admin', 'suffix' => 'admin'],
'App\Models\Bank' => ['prefix' => 'Bank', 'suffix' => 'bank-manager'],
'App\Models\Organization' => ['prefix' => 'Organization', 'suffix' => 'organization-manager'],
];
if (!isset($typeMap[$activeType])) {
return false;
}
$roleName = "{$typeMap[$activeType]['prefix']}\\{$activeId}\\{$typeMap[$activeType]['suffix']}";
if (!$user->hasRole($roleName)) {
return false;
}
$role = Role::where('name', $roleName)->first();
if (!$role) {
return false;
}
return $role->permissions->where('name', 'manage profiles')->count() > 0;
}
/**
* Determines if the active profile can view incomplete profiles.
*
* Only Admin and Bank profiles can view incomplete profiles.
* This is a simple profile type check, independent of permission system.
*
* @return bool
*/
protected function canViewIncompleteProfiles()
{
if (!function_exists('getActiveProfile')) {
return false;
}
$activeProfile = getActiveProfile();
if (!$activeProfile) {
return false;
}
$activeProfileClass = get_class($activeProfile);
// Only Admin and Bank profiles can view incomplete profiles
return in_array($activeProfileClass, [
'App\Models\Admin',
'App\Models\Bank',
]);
}
/**
* Determines if the currently authenticated user can create payments as the active profile.
*
* Users with the coordinator role (organization-coordinator / bank-coordinator) have
* full access to the profile EXCEPT payment execution. Only manager roles can pay.
*
* @return bool
*/
protected function getCanCreatePayments()
{
$user = Auth::guard('web')->user();
$activeType = session('activeProfileType');
$activeId = session('activeProfileId');
// User profiles can always pay (no elevated profile restriction)
if ($activeType === 'App\Models\User') {
return true;
}
if (!$user || !$activeType || !$activeId) {
return false;
}
$managerRoleMap = [
'App\Models\Organization' => "Organization\\{$activeId}\\organization-manager",
'App\Models\Bank' => "Bank\\{$activeId}\\bank-manager",
];
if (!isset($managerRoleMap[$activeType])) {
return false;
}
return $user->hasRole($managerRoleMap[$activeType]);
}
/**
* Determines if the currently authenticated user has permission to manage accounts.
*
* @return bool
*/
protected function getCanManageAccounts()
{
$user = Auth::guard('web')->user();
$activeType = session('activeProfileType');
$activeId = session('activeProfileId');
if (!$user || !$activeType || !$activeId) {
return false;
}
$typeMap = [
'App\Models\Admin' => ['prefix' => 'Admin', 'suffix' => 'admin'],
'App\Models\Bank' => ['prefix' => 'Bank', 'suffix' => 'bank-manager'],
'App\Models\Organization' => ['prefix' => 'Organization', 'suffix' => 'organization-manager'],
];
if (!isset($typeMap[$activeType])) {
return false;
}
$roleName = "{$typeMap[$activeType]['prefix']}\\{$activeId}\\{$typeMap[$activeType]['suffix']}";
if (!$user->hasRole($roleName)) {
return false;
}
$role = Role::where('name', $roleName)->first();
if (!$role) {
return false;
}
return $role->permissions->where('name', 'manage accounts')->count() > 0;
}
}
Reference in New Issue View Git Blame Copy Permalink