patrickrobrecht
diff --git a/‎app/Enums/Ability.php
Lines changed: 69 additions & 2 deletions b/‎app/Enums/Ability.php
Lines changed: 69 additions & 2 deletions
diff --git a/‎app/Enums/AbilityGroup.php
Lines changed: 29 additions & 9 deletions b/‎app/Enums/AbilityGroup.php
Lines changed: 29 additions & 9 deletions
diff --git a/‎app/Http/Controllers/ApiDocumentationController.php
Lines changed: 2 additions & 2 deletions b/‎app/Http/Controllers/ApiDocumentationController.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/Http/Requests/PersonalAccessTokenRequest.php
Lines changed: 16 additions & 14 deletions b/‎app/Http/Requests/PersonalAccessTokenRequest.php
Lines changed: 16 additions & 14 deletions
diff --git a/‎app/Http/Requests/Traits/ValidatesAbilities.php
Lines changed: 80 additions & 0 deletions b/‎app/Http/Requests/Traits/ValidatesAbilities.php
Lines changed: 80 additions & 0 deletions
diff --git a/‎app/Http/Requests/UserRoleRequest.php
Lines changed: 8 additions & 12 deletions b/‎app/Http/Requests/UserRoleRequest.php
Lines changed: 8 additions & 12 deletions
diff --git a/‎app/Policies/PersonalAccessTokenPolicy.php
Lines changed: 5 additions & 0 deletions b/‎app/Policies/PersonalAccessTokenPolicy.php
Lines changed: 5 additions & 0 deletions
@@ -77,8 +77,72 @@ enum Ability: string
     case ViewAccount = 'users.view_account';
     case ViewAbilities = 'users.view_account.abilities';
     case EditAccount = 'users.edit_account';
+
+    case ViewApiDocumentation = 'api.docs.view';
     case ManagePersonalAccessTokens = 'personal_access_tokens.manage_own';
 
+    public function dependsOnAbility(): ?self
+    {
+        return match ($this) {
+            self::CreateEvents,
+            self::EditEvents,
+            self::ViewPrivateEvents,
+            self::ViewResponsibilitiesOfEvents,
+            self::ManageBookingOptionsOfEvent => self::ViewEvents,
+
+            self::ExportBookingsOfEvent,
+            self::EditBookingsOfEvent,
+            self::DeleteAndRestoreBookingsOfEvent,
+            self::EditBookingComment,
+            self::ViewPaymentStatus => self::ViewBookingsOfEvent,
+            self::EditPaymentStatus => self::ViewPaymentStatus,
+
+            self::ExportGroupsOfEvent => self::ManageGroupsOfEvent,
+
+            self::CreateEventSeries,
+            self::EditEventSeries,
+            self::ViewPrivateEventSeries,
+            self::ViewResponsibilitiesOfEventSeries => self::ViewEventSeries,
+
+            // Basic data
+            self::CreateOrganizations,
+            self::EditOrganizations => self::ViewOrganizations,
+
+            self::CreateLocations,
+            self::EditLocations => self::ViewLocations,
+
+            // Documents
+            self::ViewCommentsOnDocuments,
+            self::ChangeApprovalStatusOfDocuments => self::ViewDocuments,
+            self::CommentOnDocuments => self::ViewCommentsOnDocuments,
+
+            self::AddDocumentsToEvents,
+            self::EditDocumentsOfEvents,
+            self::DeleteDocumentsOfEvents => self::ViewDocumentsOfEvents,
+
+            self::AddDocumentsToEventSeries,
+            self::EditDocumentsOfEventSeries,
+            self::DeleteDocumentsOfEventSeries => self::ViewDocumentsOfEventSeries,
+
+            self::AddDocumentsToOrganizations,
+            self::EditDocumentsOfOrganizations,
+            self::DeleteDocumentsOfOrganizations => self::ViewDocumentsOfOrganizations,
+
+            // Users and abilities
+            self::CreateUsers,
+            self::EditUsers => self::ViewUsers,
+
+            self::CreateUserRoles,
+            self::EditUserRoles => self::ViewUserRoles,
+
+            self::EditAccount => self::ViewAccount,
+
+            self::ManagePersonalAccessTokens => self::ViewApiDocumentation,
+
+            default => null,
+        };
+    }
+
     public function getAbilityGroup(): AbilityGroup
     {
         return match ($this) {
@@ -140,8 +204,9 @@ public function getAbilityGroup(): AbilityGroup
             self::EditUserRoles => AbilityGroup::UserRoles,
             self::ViewAccount,
             self::ViewAbilities,
-            self::EditAccount,
-            self::ManagePersonalAccessTokens => AbilityGroup::OwnAccount,
+            self::EditAccount => AbilityGroup::OwnAccount,
+            self::ViewApiDocumentation,
+            self::ManagePersonalAccessTokens => AbilityGroup::ApiAccess,
         };
     }
 
@@ -216,7 +281,9 @@ public function getTranslatedName(): string
             self::ViewAccount => __('View own account'),
             self::ViewAbilities => __('View abilities'),
             self::EditAccount => __('Edit own account'),
+
             self::ManagePersonalAccessTokens => __('Manage personal access tokens'),
+            self::ViewApiDocumentation => __('View API documentation'),
         };
     }
 
 
@@ -22,13 +22,15 @@ enum AbilityGroup
     case Users;
     case UserRoles;
     case OwnAccount;
+    case ApiAccess;
 
     /**
-     * @return Ability[]
+     * @param list<Ability> $abilities
+     * @return list<Ability>
      */
-    public function getAbilities(): array
+    public function filterAbilities(array $abilities): array
     {
-        return array_filter(Ability::cases(), fn (Ability $ability) => $ability->getAbilityGroup() === $this);
+        return array_filter($abilities, fn (Ability $ability) => $ability->getAbilityGroup() === $this);
     }
 
     /**
@@ -52,15 +54,16 @@ public function getParent(): ?self
 
             self::Users,
             self::UserRoles,
-            self::OwnAccount => self::UsersAndAbilities,
+            self::OwnAccount,
+            self::ApiAccess => self::UsersAndAbilities,
 
             default => null,
         };
     }
 
-    public function getIcon(): array|string
+    public function getIcon(): string
     {
-        return match ($this) {
+        return 'fa fa-fw ' . match ($this) {
             self::Events => 'fa-calendar-days',
             self::Bookings => 'fa-file-contract',
             self::Groups => 'fa-people-group',
@@ -80,6 +83,7 @@ public function getIcon(): array|string
             self::Users => 'fa-users',
             self::UserRoles => 'fa-user-group',
             self::OwnAccount => 'fa-user-circle',
+            self::ApiAccess => 'fa-file-code',
         };
     }
 
@@ -105,19 +109,35 @@ public function getTranslatedName(): string
             self::Users => __('Users'),
             self::UserRoles => __('User roles'),
             self::OwnAccount => __('Own account'),
+            self::ApiAccess => __('Access to the REST API'),
         };
     }
 
-    public function hasChildren(): bool
+    /**
+     * Checks whether one of the child groups contains at least one of the given abilities.
+     *
+     * @param Ability[] $abilities
+     */
+    public function hasChildrenWithAbilities(array $abilities): bool
     {
-        return count($this->getChildren()) > 0;
+        foreach ($this->getChildren() as $childGroup) {
+            if (count($childGroup->filterAbilities($abilities)) > 0) {
+                return true;
+            }
+
+            if ($childGroup->hasChildrenWithAbilities($abilities)) {
+                return true;
+            }
+        }
+
+        return false;
     }
 
     /**
      * @return self[]
      */
     public static function casesAtRootLevel(): array
     {
-        return array_filter(self::cases(), fn (self $abilityGroup) => $abilityGroup->getParent() === null);
+        return array_filter(self::cases(), static fn (self $abilityGroup) => $abilityGroup->getParent() === null);
     }
 }
@@ -13,14 +13,14 @@ class ApiDocumentationController extends Controller
 {
     public function index(): View
     {
-        $this->authorize('create', PersonalAccessToken::class);
+        $this->authorize('viewDocumentation', PersonalAccessToken::class);
 
         return view('docs.docs');
     }
 
     public function spec(): Response
     {
-        $this->authorize('create', PersonalAccessToken::class);
+        $this->authorize('viewDocumentation', PersonalAccessToken::class);
 
         return response()->make(self::getYamlFileContents(), SymfonyResponse::HTTP_OK, [
             'Content-Type: text/yaml',
 
@@ -3,21 +3,26 @@
 namespace App\Http\Requests;
 
 use App\Enums\Ability;
+use App\Http\Requests\Traits\ValidatesAbilities;
+use App\Models\PersonalAccessToken;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+use Stringable;
 
+/**
+ * @property-read ?PersonalAccessToken $personal_access_token
+ */
 class PersonalAccessTokenRequest extends FormRequest
 {
-    protected function prepareForValidation(): void
+    use ValidatesAbilities;
+
+    protected function getSelectableAbilities(): array
     {
-        $this->merge([
-            'abilities' => $this->input('abilities', []), // Force array!
-        ]);
+        return Ability::apiCases();
     }
 
     /**
-     * Get the validation rules that apply to the request.
-     *
-     * @return array<string, mixed>
+     * @return array<string, array<int, string|Stringable>>
      */
     public function rules(): array
     {
@@ -26,18 +31,15 @@ public function rules(): array
                 'required',
                 'string',
                 'max:255',
+                Rule::unique('personal_access_tokens', 'name')
+                    ->where('tokenable_id', $this->user()->id)
+                    ->ignore($this->personal_access_token->id ?? null),
             ],
             'expires_at' => [
                 'nullable',
                 'date_format:Y-m-d\TH:i',
             ],
-            'abilities' => [
-                'sometimes',
-                'array',
-            ],
-            'abilities.*' => [
-                Ability::rule(),
-            ],
+            ...$this->rulesForAbilities(),
         ];
     }
 }
@@ -0,0 +1,80 @@
+<?php
+
+namespace App\Http\Requests\Traits;
+
+use App\Enums\Ability;
+use Illuminate\Foundation\Http\FormRequest;
+use Stringable;
+
+/**
+ * @mixin FormRequest
+ */
+trait ValidatesAbilities
+{
+    /**
+     * @return list<Ability>
+     */
+    abstract protected function getSelectableAbilities(): array;
+
+    protected function prepareForValidation(): void
+    {
+        $this->prepareAbilitiesForValidation();
+    }
+
+    protected function prepareAbilitiesForValidation(): void
+    {
+        $abilities = $this->input('abilities', []);
+
+        foreach ($abilities as $value) {
+            $ability = Ability::tryFrom($value);
+            if ($ability) {
+                $dependentAbility = $ability->dependsOnAbility();
+                if (
+                    $dependentAbility
+                    // dependent ability is not selected yet
+                    && !in_array($dependentAbility->value, $abilities, true)
+                    // but is selectable
+                    && in_array($dependentAbility, $this->getSelectableAbilities(), true)
+                ) {
+                    $abilities[] = $dependentAbility->value;
+                }
+            }
+        }
+
+        $this->merge(['abilities' => $abilities]);
+    }
+
+    /**
+     * @return array<string, array<int, string|Stringable>>
+     */
+    protected function rulesForAbilities(): array
+    {
+        return [
+            'abilities' => [
+                'sometimes',
+                'array',
+            ],
+            'abilities.*' => [
+                Ability::rule($this->getSelectableAbilities()),
+            ],
+        ];
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    public function attributes(): array
+    {
+        return $this->attributesForAbilities();
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    protected function attributesForAbilities(): array
+    {
+        return [
+            'abilities.*' => __('validation.attributes.abilities'),
+        ];
+    }
+}
@@ -3,24 +3,26 @@
 namespace App\Http\Requests;
 
 use App\Enums\Ability;
+use App\Http\Requests\Traits\ValidatesAbilities;
 use App\Models\UserRole;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;
+use Stringable;
 
 /**
  * @property-read ?UserRole $user_role
  */
 class UserRoleRequest extends FormRequest
 {
-    protected function prepareForValidation(): void
+    use ValidatesAbilities;
+
+    protected function getSelectableAbilities(): array
     {
-        $this->merge([
-            'abilities' => $this->input('abilities', []), // Force array!
-        ]);
+        return Ability::cases();
     }
 
     /**
-     * Get the validation rules that apply to the request.
+     * @return array<string, array<int, string|Stringable>>
      */
     public function rules(): array
     {
@@ -32,13 +34,7 @@ public function rules(): array
                 Rule::unique('user_roles', 'name')
                     ->ignore($this->user_role->id ?? null),
             ],
-            'abilities' => [
-                'sometimes',
-                'array',
-            ],
-            'abilities.*' => [
-                Ability::rule(),
-            ],
+            ...$this->rulesForAbilities(),
         ];
     }
 }
@@ -37,6 +37,11 @@ public function view(User $user, PersonalAccessToken $personalAccessToken): Resp
         return $this->update($user, $personalAccessToken);
     }
 
+    public function viewDocumentation(User $user): Response
+    {
+        return $this->requireAbility($user, Ability::ViewApiDocumentation);
+    }
+
     /**
      * Determine whether the user can create models.
      */
Original file line number	Diff line number	Diff line change
`@@ -13,14 +13,14 @@ class ApiDocumentationController extends Controller`
`13`	`13`	`{`
`14`	`14`	`public function index(): View`
`15`	`15`	`{`
`16`		`- $this->authorize('create', PersonalAccessToken::class);`
	`16`	`+ $this->authorize('viewDocumentation', PersonalAccessToken::class);`
`17`	`17`
`18`	`18`	`return view('docs.docs');`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`public function spec(): Response`
`22`	`22`	`{`
`23`		`- $this->authorize('create', PersonalAccessToken::class);`
	`23`	`+ $this->authorize('viewDocumentation', PersonalAccessToken::class);`
`24`	`24`
`25`	`25`	`return response()->make(self::getYamlFileContents(), SymfonyResponse::HTTP_OK, [`
`26`	`26`	`'Content-Type: text/yaml',`