Awards Domains Table Policy Reference
Source: plugins/Awards/src/Policy/DomainsTablePolicy.php
Extends: App\Policy\BasePolicy
Type: Table-level Authorization Policy
Overview
The DomainsTablePolicy class provides table-level authorization for Domains data operations. It controls administrative access for listing, bulk operations, and organizational management of award domains.
Class Definition
namespace Awards\Policy;
use App\KMP\KmpIdentityInterface;
use App\Policy\BasePolicy;
class DomainsTablePolicy extends BasePolicy
Methods
scopeGridData()
Scopes queries for the Dataverse grid data endpoint, delegating to the standard index scope.
public function scopeGridData(KmpIdentityInterface $user, mixed $query): mixed
Parameters:
- $user - The authenticated user identity
- $query - The query to scope
Returns: The scoped query (delegates to scopeIndex())
Purpose: Enables the DataverseGrid component to use the same authorization rules as the standard index view.
Inherited Methods from BasePolicy
The policy inherits all standard table operations through BasePolicy delegation:
| Method | Purpose |
|---|---|
| canAdd() | Authorize domain creation via permission checking |
| canIndex() | Authorize domain listing via permission checking |
| canExport() | Authorize domain export operations |
| scopeIndex() | Scope domain queries based on user permissions |
Authorization Architecture
Permission-Based Authorization
DomainsTablePolicy
│
▼
BasePolicy._hasPolicy()
│
▼
PermissionsLoader
│
▼
Permission Check (warrant-based)
All table operations are validated against administrative permissions through the centralized BasePolicy framework.
Administrative Access Control
Domain table operations require:
- Authenticated user identity
- Appropriate administrative permissions
- Valid warrant-based authority (where applicable)
Usage Examples
Controller Integration
// DomainsController index with authorization
public function index()
{
    $this->Authorization->authorize($this->Domains);
    $query = $this->Domains->find();
    $domains = $this->paginate($query);
    $this->set(compact('domains'));
}
Checking Table Permissions
// Check administrative access before bulk operations
if ($this->Authorization->can($this->Domains, 'index')) {
    $domains = $this->Domains->find()->toArray();
}
DataverseGrid Integration
The scopeGridData() method enables DataverseGrid components to respect the same authorization rules:
// In controller using DataverseGridTrait
// GridData endpoint automatically calls scopeGridData()
public function gridData()
{
    // Authorization scoping handled automatically
    return $this->processGridData($this->Domains);
}
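An added example, not taken from the KMP code base: a self-contained parity check showing why scopeGridData() delegating to scopeIndex() matters, next to a counter-example policy that forgets to delegate. BasePolicy and KmpIdentityInterface here are simplified stand-ins, allowedDomainIds() and UnscopedGridPolicy are hypothetical, and plain arrays stand in for ORM queries.

```php
<?php
declare(strict_types=1);

// Simplified stand-ins for illustration; not the KMP classes of the same names.
interface KmpIdentityInterface { public function allowedDomainIds(): array; } // hypothetical helper

class BasePolicy
{
    // Hypothetical index scope: keep only the rows this identity may see.
    public function scopeIndex(KmpIdentityInterface $user, mixed $query): mixed
    {
        $allowed = $user->allowedDomainIds();
        return array_values(array_filter($query, fn (array $r): bool => in_array($r['id'], $allowed, true)));
    }
}

class DomainsTablePolicy extends BasePolicy
{
    public function scopeGridData(KmpIdentityInterface $user, mixed $query): mixed
    {
        return $this->scopeIndex($user, $query); // same rule as the index view
    }
}

// Counter-example (hypothetical): a grid scope that forgets to delegate.
class UnscopedGridPolicy extends BasePolicy
{
    public function scopeGridData(KmpIdentityInterface $user, mixed $query): mixed
    {
        return $query; // defect: every row reaches the grid endpoint
    }
}

// True when the grid endpoint exposes exactly the rows the index view does.
function gridMatchesIndex(object $policy, KmpIdentityInterface $user, array $rows): bool
{
    return $policy->scopeGridData($user, $rows) === $policy->scopeIndex($user, $rows);
}

// Constructed sample data: three domain rows, an identity allowed to see two.
$rows = [['id' => 1, 'name' => 'A'], ['id' => 2, 'name' => 'B'], ['id' => 3, 'name' => 'C']];
$user = new class implements KmpIdentityInterface {
    public function allowedDomainIds(): array { return [1, 3]; }
};
foreach ([new DomainsTablePolicy(), new UnscopedGridPolicy()] as $policy) {
    printf("%s: grid scope %s index scope\n", $policy::class,
        gridMatchesIndex($policy, $user, $rows) ? 'matches' : 'differs from');
}
```

The same comparison, written against the real policy and a fixture identity, works as a regression test that the grid endpoint never returns rows the index view would withhold.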
Integration Points
BasePolicy Integration
- Inherits canAdd(), canIndex(), canExport() through delegation
- Uses _hasPolicy() for permission validation
- Integrates with warrant-based authority checking
PermissionsLoader Integration
- Domain table permissions resolved through centralized permission loading
- Controller-action mapping to permission names
- Warrant validation for administrative authority
Awards Plugin Integration
- Coordinates with award system administration
- Manages domain configuration authorization
- Supports organizational hierarchy management
Security Considerations
- Administrative Access Required: All domain table operations require authenticated administrative identity
- Permission Validation: Operations validated against RBAC permissions
- Audit Integration: Table operations logged for compliance monitoring
- Referential Integrity: Domain operations respect award system relationships