1<?php
2
3namespace App\Http\Middleware;
4
5use App\Http\Models\Admin\Company;
6use Closure;
7use Illuminate\Http\Request;
8use Symfony\Component\HttpFoundation\Response;
9
/**
 * Middleware that gates RolePlay endpoints on the company-level
 * `roleplay_addon_access` setting of the authenticated user.
 *
 * Access levels (see the `Company::ROLEPLAY_ACCESS_*` constants):
 *
 * - `hidden`        → every request is rejected with 403.
 * - `view_only`     → GET/HEAD/OPTIONS pass, every other method is rejected with 403.
 * - `can_purchase`  → no restriction; this is also what any other value (including
 *                     null / an unrecognised string) resolves to, i.e. the gate
 *                     fails open on unknown settings by design.
 *
 * Requests that carry no company to consult are let through unchanged so that
 * individual (non-company) purchases keep working. That covers: no authenticated
 * user, a user with an empty `company_id`, and a user whose `company` relation
 * resolves to nothing (dangling `company_id`). Consequently this middleware does
 * NOT authenticate anything — it must sit behind the auth middleware on the
 * route, and "no user" must never be reachable from a public route that writes.
 *
 * The `view_only` rule keys on the HTTP method, so it only protects data if all
 * state-changing RolePlay actions live on non-GET routes.
 */
class CheckRoleplayAccess
{
    /**
     * Methods a `view_only` company may still use: reads plus CORS preflight.
     *
     * @var list<string>
     */
    private const READ_ONLY_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    /**
     * Apply the company access policy to the request.
     *
     * @param Request $request Incoming request; `$request->user()` may be null.
     * @param Closure $next    The next handler in the pipeline.
     *
     * @return Response Either the 403 JSON rejection or the downstream response.
     */
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // `empty()` deliberately treats 0 / '0' / '' as "no company". The relation
        // is only touched when there is a user with a company_id; the User model
        // reportedly eager-loads `company`, so this should not cost an extra query
        // (TODO confirm against the User model's `$with`).
        $company = ($user && ! empty($user->company_id)) ? $user->company : null;

        // No company to consult → documented pass-through (see class docblock).
        if (! $company) {
            return $next($request);
        }

        $accessLevel = $company->roleplay_addon_access;

        if ($accessLevel === Company::ROLEPLAY_ACCESS_HIDDEN) {
            return $this->forbid('RolePlay access is disabled for your company.');
        }

        if ($accessLevel === Company::ROLEPLAY_ACCESS_VIEW_ONLY) {
            // `method()` honours Laravel's `_method` override, which is the same
            // method the router used to match this route — so the check agrees
            // with routing. strtoupper() is belt-and-braces; Symfony already
            // normalises the method to upper case.
            $verb = strtoupper($request->method());
            $isWrite = ! in_array($verb, self::READ_ONLY_METHODS, true);

            if ($isWrite) {
                return $this->forbid('RolePlay purchases are disabled for your company.');
            }
        }

        // `can_purchase`, null, or any unrecognised value: unrestricted.
        return $next($request);
    }

    /**
     * Build the uniform 403 JSON rejection used by both access levels.
     *
     * @param string $message Human-readable reason shown to the caller.
     */
    private function forbid(string $message): Response
    {
        return response()->json([
            'status' => 'error',
            'message' => $message,
        ], 403);
    }
}