Skip to content

[Security] Register and implement ProjectPolicy #49

Open
Open
[Security] Register and implement ProjectPolicy#49
@ibourgeois

Description

@ibourgeois
ibourgeois
opened on Apr 11, 2026

Problem

Project has no policy registered. Only IdeaPolicy is in AppServiceProvider. Any future project routes would have no authorization layer by default, and currently IdeaController::propose() reuses the update gate on Idea — there is no dedicated project authorization.

Required Changes

  • Create app/Policies/ProjectPolicy.php with owner-only access methods (viewAny, view, create, update, delete) comparing $project->user_id === $user->id
  • Register Project::class => ProjectPolicy::class in AppServiceProvider

Files

  • app/Policies/ProjectPolicy.php (new)
  • app/Providers/AppServiceProvider.php

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions