feat: add article ownership and status policies for authorization checks

aspirantzhang · aspirantzhang · commit 7c08ead03bc5 · 2025-03-12T15:23:27.000+08:00
diff --git a/contexts/ArticlePublishing/Domain/Policies/ArticleOwnershipPolicy.php b/contexts/ArticlePublishing/Domain/Policies/ArticleOwnershipPolicy.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Contexts\ArticlePublishing\Domain\Policies;
+
+use App\Exceptions\BizException;
+use Contexts\ArticlePublishing\Domain\Models\ArticleId;
+use Contexts\ArticlePublishing\Domain\Models\AuthorId;
+use Contexts\ArticlePublishing\Infrastructure\Repositories\ArticleRepository;
+use Contexts\Shared\Contracts\BaseAuthorizationPolicy;
+
+class ArticleOwnershipPolicy implements BaseAuthorizationPolicy
+{
+    public function __construct(
+        private ArticleId $articleId,
+        private AuthorId $authorId
+    ) {}
+
+    public function check(): void
+    {
+        $repository = app(ArticleRepository::class);
+        $article = $repository->getById($this->articleId);
+
+        if (! $article->isOwnedBy($this->authorId)) {
+            throw BizException::make('You are not the owner of this article')->code(403);
+        }
+    }
+}
diff --git a/contexts/ArticlePublishing/Domain/Policies/ArticleStatusPolicy.php b/contexts/ArticlePublishing/Domain/Policies/ArticleStatusPolicy.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Contexts\ArticlePublishing\Domain\Policies;
+
+use App\Exceptions\BizException;
+use Contexts\ArticlePublishing\Domain\Models\ArticleId;
+use Contexts\ArticlePublishing\Domain\Models\ArticleStatus;
+use Contexts\ArticlePublishing\Infrastructure\Repositories\ArticleRepository;
+use Contexts\Shared\Contracts\BaseAuthorizationPolicy;
+
+class ArticleStatusPolicy implements BaseAuthorizationPolicy
+{
+    public function __construct(
+        private ArticleId $articleId,
+        private ArticleRepository $repository,
+        private ArticleStatus $requiredStatus
+    ) {}
+
+    public function check(): void
+    {
+        $article = $this->repository->getById($this->articleId);
+
+        if (! $article->getStatus()->equals($this->requiredStatus)) {
+            throw BizException::make('Invalid article status: :status')
+                ->with('status', $article->getStatus()->getValue());
+        }
+    }
+}
diff --git a/contexts/ArticlePublishing/Domain/Policies/GlobalPermissionPolicy.php b/contexts/ArticlePublishing/Domain/Policies/GlobalPermissionPolicy.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Contexts\ArticlePublishing\Domain\Policies;
+
+use App\Exceptions\BizException;
+use Contexts\ArticlePublishing\Domain\Gateway\AuthorizationGateway;
+use Contexts\Shared\Contracts\BaseAuthorizationPolicy;
+
+class GlobalPermissionPolicy implements BaseAuthorizationPolicy
+{
+    public function __construct(private string $action) {}
+
+    public static function canPerform(string $action)
+    {
+        return new self($action);
+    }
+
+    public function check(): void
+    {
+        $authorizationGateway = app(AuthorizationGateway::class);
+
+        if (! $authorizationGateway->canPerformAction($this->action)) {
+            throw BizException::make('You are not authorized to perform this action')->code(403);
+        }
+    }
+}
