File: /home/xedaptot/ai.naniguide.com/app/Policies/MailListPolicy.php
<?php
namespace App\Policies;
use Illuminate\Auth\Access\HandlesAuthorization;
use App\Model\User;
use App\Model\MailList;
/**
* MailListPolicy — ownership + RBAC only.
*
* Plan-state checks (list quota, import/export entitlements, subscriber quotas)
* belong to App\Services\Plans\Policies\ListPlanPolicy and are called separately
* by controllers.
*/
class MailListPolicy
{
use HandlesAuthorization;
public function list(User $user)
{
// RBAC check
if (!$user->hasPermission('list.full_access') && !$user->hasPermission('list.read_only')) {
return false;
}
return true;
}
public function read(User $user, MailList $item)
{
// RBAC check
if (!$user->hasPermission('list.full_access') && !$user->hasPermission('list.read_only')) {
return false;
}
$customer = $user->customer;
return $item->customer_id == $customer->id;
}
public function create(User $user)
{
return $user->hasPermission('list.full_access');
}
public function update(User $user, MailList $item)
{
// RBAC check
if (!$user->hasPermission('list.full_access')) {
return false;
}
$customer = $user->customer;
return $item->customer_id == $customer->id;
}
public function delete(User $user, MailList $item)
{
// RBAC check
if (!$user->hasPermission('list.full_access')) {
return false;
}
$customer = $user->customer;
return $item->customer_id == $customer->id;
}
public function addMoreSubscribers(User $user, MailList $mailList, $numberOfSubscribers = 1)
{
// Ownership + RBAC only. Subscriber quota is checked by ListPlanPolicy.
if (!$user->hasPermission('list.full_access')) {
return false;
}
return $user->customer->id == $mailList->customer_id;
}
public function import(User $user, MailList $item)
{
// Ownership + RBAC only. Entitlement gate is in ListPlanPolicy.
if (!$user->hasPermission('list.full_access')) {
return false;
}
return $item->customer_id == $user->customer->id;
}
public function export(User $user, MailList $item)
{
// Ownership + RBAC only. Entitlement gate is in ListPlanPolicy.
if (!$user->hasPermission('list.full_access')) {
return false;
}
return $item->customer_id == $user->customer->id;
}
}