- ProofPdfService: Veroeffentlichungsnachweis 3 Credits pauschal, einmal pro
PM (Zweitdownload kostenfrei); ProofPdfRenderer erzeugt das PDF on-demand
aus vorhandenen PM-Daten (kein externer Renderer); GET-Download-Endpoint
/admin/me/press-releases/{id}/nachweis hinter downloadProof-Policy + Kauf-Gate
- ExtraPmPurchaseService: tier-gestaffelter Nachkauf (19/15/12/10/8) aus der
Wallet; verbucht als bezahlter SinglePurchase(ExtraPm) und greift damit in
die bestehende Kontingent-/Slot-Mechanik. InsufficientCreditsException
liefert das Mini-Checkout-Signal (required/available/shortfall)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
<?php
namespace App\Policies;
use App\Enums\PressReleaseStatus;
use App\Models\PressRelease;
use App\Models\User;
/**
 * Authorization rules for press releases ("PM" in the original notes).
 *
 * The checks below distinguish three kinds of actor: super admins (handled
 * once in before()), admins ($user->canAccessAdmin()) and customers, who may
 * act on a press release only as its author or through company access
 * (see canManage()).
 */
class PressReleasePolicy
{
    /**
     * Pre-check that approves every ability for super admins.
     *
     * Returns true for a super admin and null for everyone else. Presumably
     * this follows the Laravel policy convention, where null defers the
     * decision to the specific ability method — confirm against the framework.
     *
     * NOTE(review): this is a truthiness test, while forceDelete() compares
     * with === true. Confirm is_super_admin is cast to bool so both agree.
     */
    public function before(User $user): ?bool
    {
        if ($user->is_super_admin) {
            return true;
        }

        return null;
    }

    /**
     * Listing press releases requires customer-area access.
     */
    public function viewAny(User $user): bool
    {
        return $user->canAccessCustomer();
    }

    /**
     * A single press release is visible to admins and to anyone who may
     * manage it (author or company access).
     */
    public function view(User $user, PressRelease $pressRelease): bool
    {
        return $user->canAccessAdmin() || $this->canManage($user, $pressRelease);
    }

    /**
     * Creating a press release requires customer-area access.
     */
    public function create(User $user): bool
    {
        return $user->canAccessCustomer();
    }

    /**
     * Editing is limited to managers of the press release and admins.
     *
     * Non-admins are further restricted to the Draft, Rejected and Review
     * statuses; admins may edit in any status.
     */
    public function update(User $user, PressRelease $pressRelease): bool
    {
        // Actor gate: someone with neither manage rights nor admin access is denied outright.
        $isPermittedActor = $this->canManage($user, $pressRelease) || $user->canAccessAdmin();
        if (! $isPermittedActor) {
            return false;
        }

        // Status gate: strict comparison against the editable statuses.
        $editableStatuses = [
            PressReleaseStatus::Draft,
            PressReleaseStatus::Rejected,
            PressReleaseStatus::Review,
        ];
        if (in_array($pressRelease->status, $editableStatuses, true)) {
            return true;
        }

        // Outside the editable statuses only admin access still allows the edit.
        return (bool) $user->canAccessAdmin();
    }

    /**
     * Submitting for review requires manage rights and a Draft or Rejected
     * status. Admin access alone is not consulted here.
     */
    public function submitForReview(User $user, PressRelease $pressRelease): bool
    {
        if (! $this->canManage($user, $pressRelease)) {
            return false;
        }

        $submittableStatuses = [PressReleaseStatus::Draft, PressReleaseStatus::Rejected];

        return in_array($pressRelease->status, $submittableStatuses, true);
    }

    /**
     * Admins may always delete; managers may delete anything that is not
     * Published.
     */
    public function delete(User $user, PressRelease $pressRelease): bool
    {
        return $user->canAccessAdmin()
            || (
                $this->canManage($user, $pressRelease)
                && $pressRelease->status !== PressReleaseStatus::Published
            );
    }

    /**
     * Restoring is reserved for admins; the press release itself is not
     * inspected.
     */
    public function restore(User $user, PressRelease $pressRelease): bool
    {
        return $user->canAccessAdmin();
    }

    /**
     * Permanent deletion is reserved for super admins.
     *
     * The comparison is strict, so only a boolean true passes. If before()
     * runs first (assumed, see its note), this method effectively serves to
     * deny everyone who is not a super admin.
     */
    public function forceDelete(User $user, PressRelease $pressRelease): bool
    {
        return $user->is_super_admin === true;
    }

    /**
     * Publishing needs both admin access and the explicit
     * 'press-releases:publish' permission; either one alone is insufficient.
     */
    public function publish(User $user, PressRelease $pressRelease): bool
    {
        if (! $user->canAccessAdmin()) {
            return false;
        }

        return (bool) $user->can('press-releases:publish');
    }

    /**
     * The publication proof may be downloaded by anyone who may manage the
     * press release (author or company member) and by admins.
     *
     * This method does not look at purchase state. Per the original author's
     * note, ProofPdfService checks separately whether the proof has already
     * been purchased, so an endpoint serving the PDF needs both checks.
     */
    public function downloadProof(User $user, PressRelease $pressRelease): bool
    {
        if ($user->canAccessAdmin()) {
            return true;
        }

        return $this->canManage($user, $pressRelease);
    }

    /**
     * Access to a press release belongs to its author OR to a member of the
     * company it is assigned to (owner / team member). This lets company
     * contacts — including accounts created lazily via magic link — see and
     * edit their company's press releases.
     *
     * NOTE(review): company membership is therefore an authorization
     * boundary. If company_id can be null, confirm that canAccessCompany()
     * denies access for a null id rather than matching users without a
     * company.
     */
    private function canManage(User $user, PressRelease $pressRelease): bool
    {
        if ($this->isAuthor($user, $pressRelease)) {
            return true;
        }

        return (bool) $user->canAccessCompany($pressRelease->company_id);
    }

    /**
     * True when the press release's user_id is strictly identical to the
     * user's id (same type and value).
     */
    private function isAuthor(User $user, PressRelease $pressRelease): bool
    {
        return $user->id === $pressRelease->user_id;
    }
}