File: /home/xedaptot/ai.naniguide.com/app/Policies/SendingIdentityPolicy.php
<?php
namespace App\Policies;
use App\Model\SendingIdentity;
use App\Model\User;
use Illuminate\Auth\Access\HandlesAuthorization;
/**
* Policy for SendingIdentity (replaces legacy SendingDomainPolicy).
*
* Customer-side permissions still gate on the original "sending_domain"
* RBAC keys + `getPermission('sending_domain_*')` ability strings. The
* policy now operates on SendingIdentity rows; `customer_id` field has
* the same meaning (owner of the identity).
*
* **Important** — read/update/delete should NOT additionally gate on the
* plan's primary server capability. Customers manage identities they own
* across all 3 modes (LOCAL_DKIM, VENDOR_SYNC, MANUAL); whether the
* identity is *usable* through the current plan's server is a separate
* question handled at runtime by `SendingIdentity::isAllowedBy()` (the
* UI greys those rows out, but they remain owned and editable).
*/
class SendingIdentityPolicy
{
use HandlesAuthorization;
public function read(User $user, SendingIdentity $item, $role)
{
return match ($role) {
'admin' => $user->admin->getPermission('sending_domain_read') !== 'no',
'customer' => $this->customerHasAccess($user)
&& $this->customerOwns($user, $item),
default => false,
};
}
public function readAll(User $user, SendingIdentity $item, $role)
{
return match ($role) {
'admin' => $user->admin->getPermission('sending_domain_read') === 'all',
// Customers never see other customers' identities — list is auto-scoped.
'customer' => false,
default => false,
};
}
public function create(User $user, $role)
{
return match ($role) {
'admin' => true,
'customer' => (bool) $user->hasPermission('sending_domain.full_access'),
default => false,
};
}
// No `update` method — sending domains cannot be edited. The `value`
// is bound to the locally-generated DKIM keypair and the customer's
// DNS records; renaming would silently break verification + signing.
// To change: delete and re-add.
public function delete(User $user, SendingIdentity $item, $role)
{
return match ($role) {
'admin' => in_array(
$user->admin->getPermission('sending_domain_delete'),
['all', 'own'],
true,
),
'customer' => $user->hasPermission('sending_domain.full_access')
&& $this->customerOwns($user, $item),
default => false,
};
}
// ------------------------------------------------------------------
private function customerHasAccess(User $user): bool
{
return $user->hasPermission('sending_domain.full_access')
|| $user->hasPermission('sending_domain.read_only');
}
private function customerOwns(User $user, SendingIdentity $item): bool
{
return $user->customer && $user->customer->id === $item->customer_id;
}
}