HEX
Server: LiteSpeed
System: Linux s1049.use1.mysecurecloudhost.com 4.18.0-477.27.2.lve.el8.x86_64 #1 SMP Wed Oct 11 12:32:56 UTC 2023 x86_64
User: xedaptot (3356)
PHP: 8.3.31
Disabled: NONE
Upload Files
File: /home/xedaptot/ai.naniguide.com/app/Policies/CampaignPolicy.php
<?php

namespace App\Policies;

use Illuminate\Auth\Access\HandlesAuthorization;
use App\Model\User;
use App\Model\Campaign;
use Illuminate\Auth\Access\Response;

/**
 * CampaignPolicy — ownership + RBAC only.
 *
 * Plan-state checks (quotas, entitlements) belong to
 * App\Services\Plans\Policies\CampaignPlanPolicy and are called separately
 * by controllers. Do not mix here.
 */
class CampaignPolicy
{
    use HandlesAuthorization;

    public function list(User $user)
    {
        if (!$user->hasPermission('campaign.full_access') && !$user->hasPermission('campaign.read_only')) {
            return Response::deny('User does not have READ/LIST permission');
        }

        return Response::allow();
    }

    public function read(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access') && !$user->hasPermission('campaign.read_only')) {
            return false;
        }

        $can = $item->customer_id == $user->customer->id;

        return $can;
    }

    public function create(User $user)
    {
        // RBAC check only. Plan quota check is done by CampaignPlanPolicy
        // at the controller boundary.
        return $user->hasPermission('campaign.full_access');
    }

    public function overview(User $user, Campaign $item)
    {
        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function update(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id
            && (in_array($item->status, [
                Campaign::STATUS_NEW,
                Campaign::STATUS_SCHEDULED,
                Campaign::STATUS_DONE,
                Campaign::STATUS_QUEUED,
                Campaign::STATUS_SENDING,
            ]) || $item->isError() || $item->isPaused());
    }

    public function delete(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        // Deletable in any lifecycle status (including error/paused)
        return $item->customer_id == $customer->id;
    }

    public function chooseWinner(User $user, Campaign $item)
    {
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id
            && $item->hasAbTest()
            && ($item->isAwaitingWinner() || $item->isSending());
    }

    public function pause(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id && in_array($item->status, [
            Campaign::STATUS_QUEUED,
            Campaign::STATUS_SENDING,
            Campaign::STATUS_SCHEDULED,
            Campaign::STATUS_AWAITING_WINNER,
            Campaign::STATUS_SENDING_WINNER,
        ]);
    }

    public function run(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id && in_array($item->status, [
            Campaign::STATUS_NEW,
        ]);
    }

    public function resume(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id
            && ($item->isError() || $item->isPaused() || $item->status === Campaign::STATUS_SCHEDULED);
    }

    public function sort(User $user, Campaign $item)
    {
        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function copy(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function preview(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access') && !$user->hasPermission('campaign.read_only')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function image(User $user, Campaign $item)
    {
        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function resend(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        if ($item->customer_id != $customer->id) {
            return false;
        }

        // A/B test campaigns can be resent regardless of status
        if ($item->hasAbTest()) {
            return $item->status !== Campaign::STATUS_NEW;
        }

        return $item->isDone() || $item->isPaused() || $item->isError() || $item->isAwaitingWinner();
    }

    public function send_test_email(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id;
    }

    public function resendHighPriority(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;

        // is admin or log as customer from admin
        $can = ((null !== \Session::get('orig_user_uid') && \Auth::user()->customer) || $user->admin);

        // same as resume policy
        $can = $can && $item->customer_id == $customer->id
            && ($item->isError() || $item->isPaused() || $item->status === Campaign::STATUS_SCHEDULED);

        return $can;
    }

    public function archive(User $user, Campaign $item)
    {
        // RBAC check
        if (!$user->hasPermission('campaign.full_access')) {
            return false;
        }

        $customer = $user->customer;
        return $item->customer_id == $customer->id
            && $item->status !== Campaign::STATUS_NEW;
    }
}