fix: limit view-transcript permission

Author: keenthekeen

app/Models/User.php

@@ -5,6 +5,7 @@
 use App\Helper;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Foundation\Auth\User as Authenticatable;
@@ -89,6 +90,10 @@ public function participants(): \Illuminate\Database\Eloquent\Relations\HasMany
         return $this->hasMany(ProjectParticipant::class);
     }
 
+    public function rolesArray(): Attribute {
+        return Attribute::make(get: fn() => explode(',', $this->roles));
+    }
+
     /**
      * @return Collection<ProjectParticipant>
      */

app/Providers/AuthServiceProvider.php

@@ -32,15 +32,15 @@ public function boot()
         $this->registerPolicies();
 
         Gate::define('admin-action', function (User $user) {
-            return in_array('admin', explode(',', $user->roles));
+            return in_array('admin', $user->roles_array);
         });
         Gate::define('faculty-action', function (User $user) {
             // Role: Associate/Assistant Dean for Student Affairs
-            return in_array('faculty', explode(',', $user->roles));
+            return in_array('faculty', $user->roles_array);
         });
         Gate::define('download-action', function (User $user) {
-            // Role: Student Affairs supporting staff
-            return in_array('download', explode(',', $user->roles));
+            // Role: Student Affairs officers and authorized students -> download documents
+            return in_array('download', $user->roles_array);
         });
         Gate::define('update-document', function (User $user, Document $document) {
             return is_null($document->id) OR ($document->user_id === $user->id) OR $user->can('admin-action');
@@ -53,13 +53,13 @@ public function boot()
                     AND $project->created_at->diffInMonths(now()) < 15 // Created in the last 15 months
                 )) ? Response::allow() : Response::deny('You are not authorized to update this project.');
         });
-        Gate::define('create-activity', function (User $user) {
-            $userRoles = explode(',', $user->roles);
 
-            return in_array('faculty', $userRoles) or in_array('activity', $userRoles);
+        // For Associate/Assistant Dean for Student Affairs and Student Affairs officers
+        Gate::define('create-activity', function (User $user) {
+            return in_array('faculty', $user->roles_array) or in_array('activity', $user->roles_array);
         });
         Gate::define('view-transcript', function (User $user) {
-            return in_array('view_transcript', explode(',', $user->roles)) or $user->can('create-activity') or $user->can('admin-action');
+            return in_array('view_transcript', $user->roles_array) or $user->can('create-activity');
         });
 
         // API permissions