app/Concerns/AuthorizesPermissions.php

<?php

namespace App\Concerns;

use App\Enums\WorkspaceUserRole;

trait AuthorizesPermissions
{
    /**
     * Authorize the current user has the given permission.
     *
     * Owner: always passes.
     * Worker: always fails (abort 404).
     * Manager: checks the permissions JSON column on workspace_user pivot.
     * Unknown permission keys default to false.
     */
    protected function authorizePermission(string $permission): void
    {
        $workspaceUser = auth()->user()->currentWorkspaceUser();

        if ($workspaceUser->role->is(WorkspaceUserRole::Owner)) {
            return;
        }

        if ($workspaceUser->role->is(WorkspaceUserRole::Worker)) {
            abort(404);
        }

        // Manager: check JSON permissions column
        if (! ($workspaceUser->permissions[$permission] ?? false)) {
            abort(404);
        }
    }
}
feat: complete Epic 1 — team management & permission system - Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration - Story 1.2: Team page with member list, invitation system with queued email - Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging - Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal) - Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping - Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching - 83 new/modified files, 182 tests passing with zero regressions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 00:12:50 +00:00			`<?php`

			`namespace App\Concerns;`

			`use App\Enums\WorkspaceUserRole;`

			`trait AuthorizesPermissions`
			`{`
			`/**`
			`* Authorize the current user has the given permission.`
			`*`
			`* Owner: always passes.`
			`* Worker: always fails (abort 404).`
			`* Manager: checks the permissions JSON column on workspace_user pivot.`
			`* Unknown permission keys default to false.`
			`*/`
			`protected function authorizePermission(string $permission): void`
			`{`
			`$workspaceUser = auth()->user()->currentWorkspaceUser();`

			`if ($workspaceUser->role->is(WorkspaceUserRole::Owner)) {`
			`return;`
			`}`

			`if ($workspaceUser->role->is(WorkspaceUserRole::Worker)) {`
			`abort(404);`
			`}`

			`// Manager: check JSON permissions column`
			`if (! ($workspaceUser->permissions[$permission] ?? false)) {`
			`abort(404);`
			`}`
			`}`
			`}`