Allow to view events, event series and organizations they are responsible for and to view, create and update documents

Author: patrickrobrecht

app/Models/Traits/HasResponsibleUsers.php

@@ -35,8 +35,12 @@ abstract public function getAbilityToViewResponsibilities(): Ability;
     public function getResponsibleUsersVisibleForCurrentUser(): Collection
     {
         $currentUser = Auth::user();
-
-        if (isset($currentUser) && $currentUser->hasAbility($this->getAbilityToViewResponsibilities())) {
+        if (
+            isset($currentUser) && (
+                $currentUser->hasAbility($this->getAbilityToViewResponsibilities())
+                || $currentUser->isResponsibleFor($this)
+            )
+        ) {
             return $this->responsibleUsers;
         }
 

app/Models/User.php

@@ -16,6 +16,7 @@
 use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Relations\MorphToMany;
@@ -226,6 +227,13 @@ public function hasAbility(Ability $ability): bool
         return false;
     }
 
+    public function isResponsibleFor(Model $model): bool
+    {
+        return ($model->responsibleUsers ?? Collection::empty())
+            ->pluck('id')
+            ->contains($this->id);
+    }
+
     public function loadProfileData(): self
     {
         $this->load([

app/Policies/DocumentPolicy.php

@@ -28,12 +28,34 @@ public function viewAny(User $user, Event|EventSeries|Organization|null $referen
             return $this->deny();
         }
 
-        return match ($reference::class) {
-            Event::class => $this->requireAbility($user, Ability::ViewDocumentsOfEvents),
-            EventSeries::class => $this->requireAbility($user, Ability::ViewDocumentsOfEventSeries),
-            Organization::class => $this->requireAbility($user, Ability::ViewDocumentsOfOrganizations),
-            default => $this->deny(),
-        };
+        if ($user->hasAbility(Ability::ViewDocuments)) {
+            // ViewDocuments grants access to all documents.
+            return $this->allow();
+        }
+
+        return $this->requireAbilityOrResponsibleUser(
+            match ($reference::class) {
+                Event::class => $this->requireAbility($user, Ability::ViewDocumentsOfEvents),
+                EventSeries::class => $this->requireAbility($user, Ability::ViewDocumentsOfEventSeries),
+                Organization::class => $this->requireAbility($user, Ability::ViewDocumentsOfOrganizations),
+                default => $this->deny(),
+            },
+            $user,
+            $reference
+        );
+    }
+
+    private function requireAbilityOrResponsibleUser(
+        Response $abilityResponse,
+        User $user,
+        Event|EventSeries|Organization $reference
+    ): Response {
+        if ($abilityResponse->allowed()) {
+            return $abilityResponse;
+        }
+
+        // Responsible users can always access documents of their events, event series and organizations.
+        return $this->response($user->isResponsibleFor($reference));
     }
 
     /**
@@ -58,12 +80,16 @@ public function create(User $user, Event|EventSeries|Organization $reference): R
             return $this->deny();
         }
 
-        return match ($reference::class) {
-            Event::class => $this->requireAbility($user, Ability::AddDocumentsToEvents),
-            EventSeries::class => $this->requireAbility($user, Ability::AddDocumentsToEventSeries),
-            Organization::class => $this->requireAbility($user, Ability::AddDocumentsToOrganizations),
-            default => $this->deny(),
-        };
+        return $this->requireAbilityOrResponsibleUser(
+            match ($reference::class) {
+                Event::class => $this->requireAbility($user, Ability::AddDocumentsToEvents),
+                EventSeries::class => $this->requireAbility($user, Ability::AddDocumentsToEventSeries),
+                Organization::class => $this->requireAbility($user, Ability::AddDocumentsToOrganizations),
+                default => $this->deny(),
+            },
+            $user,
+            $reference
+        );
     }
 
     /**
@@ -75,12 +101,16 @@ public function update(User $user, Document $document): Response
             return $this->deny();
         }
 
-        return match ($document->reference::class) {
-            Event::class => $this->requireAbility($user, Ability::EditDocumentsOfEvents),
-            EventSeries::class => $this->requireAbility($user, Ability::EditDocumentsOfEventSeries),
-            Organization::class => $this->requireAbility($user, Ability::EditDocumentsOfOrganizations),
-            default => $this->deny(),
-        };
+        return $this->requireAbilityOrResponsibleUser(
+            match ($document->reference::class) {
+                Event::class => $this->requireAbility($user, Ability::EditDocumentsOfEvents),
+                EventSeries::class => $this->requireAbility($user, Ability::EditDocumentsOfEventSeries),
+                Organization::class => $this->requireAbility($user, Ability::EditDocumentsOfOrganizations),
+                default => $this->deny(),
+            },
+            $user,
+            $document->reference
+        );
     }
 
     /**

app/Policies/EventPolicy.php

@@ -31,8 +31,16 @@ public function view(?User $user, Event $event): Response
             return $this->allow();
         }
 
-        // Private events are only visible for logged-in users with the ability to view private events as well.
-        return $this->requireAbility($user, Ability::ViewPrivateEvents);
+        /**
+         * Private events are only visible for
+         * - logged-in users with the ability to view private events as well
+         * - and the responsible users.
+         */
+        return $this->requireAbilityOrCheck(
+            $user,
+            Ability::ViewPrivateEvents,
+            fn () => $this->response(isset($user) && $user->isResponsibleFor($event))
+        );
     }
 
     public function viewGroups(User $user, Event $event): Response
@@ -54,7 +62,10 @@ public function viewResponsibilities(?User $user, Event $event): Response
         return $this->requireAbilityOrCheck(
             $user,
             Ability::ViewResponsibilitiesOfEvents,
-            fn () => $this->response($event->hasPubliclyVisibleResponsibleUsers())
+            fn () => $this->response(
+                $event->hasPubliclyVisibleResponsibleUsers()
+                || (isset($user) && $user->isResponsibleFor($event))
+            )
         );
     }
 

app/Policies/EventSeriesPolicy.php

@@ -32,10 +32,15 @@ public function view(?User $user, EventSeries $eventSeries): Response
         }
 
         /**
-         * Private event series are only visible for logged-in users
-         * with the ability to view private event series as well.
+         * Private event series are only visible for
+         * - logged-in users with the ability to view private event series as well
+         * - and the responsible users.
          */
-        return $this->requireAbility($user, Ability::ViewPrivateEventSeries);
+        return $this->requireAbilityOrCheck(
+            $user,
+            Ability::ViewPrivateEventSeries,
+            fn () => $this->response(isset($user) && $user->isResponsibleFor($eventSeries))
+        );
     }
 
     public function viewResponsibilities(?User $user, EventSeries $eventSeries): Response
@@ -48,7 +53,10 @@ public function viewResponsibilities(?User $user, EventSeries $eventSeries): Res
         return $this->requireAbilityOrCheck(
             $user,
             Ability::ViewResponsibilitiesOfEventSeries,
-            fn () => $this->response($eventSeries->hasPubliclyVisibleResponsibleUsers())
+            fn () => $this->response(
+                $eventSeries->hasPubliclyVisibleResponsibleUsers()
+                || (isset($user) && $user->isResponsibleFor($eventSeries))
+            )
         );
     }
 

app/Policies/OrganizationPolicy.php

@@ -38,7 +38,10 @@ public function viewResponsibilities(?User $user, Organization $organization): R
         return $this->requireAbilityOrCheck(
             $user,
             Ability::ViewResponsibilitiesOfOrganizations,
-            fn () => $this->response($organization->hasPubliclyVisibleResponsibleUsers())
+            fn () => $this->response(
+                $organization->hasPubliclyVisibleResponsibleUsers()
+                || (isset($user) && $user->isResponsibleFor($organization))
+            )
         );
     }