Restrict document edit/delete to owners and close public registration

Adds DocumentPolicy gating update/delete to the creator (admins bypass via before()), invokes $this->authorize() in DocumentEditor mount/save/delete, applies can:update,document on the edit route, hides the edit button for non-owners, and removes the open /register routes so accounts must be provisioned via the admin panel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 10:22:18 +09:00
parent 01a11328ec
commit 692f4d5492
5 changed files with 45 additions and 9 deletions
@@ -6,7 +6,7 @@
                {{ $document->title }}
            </h1>

-            @auth
+            @can('update', $document)
                <a
                    href="{{ route('documents.edit', $document) }}"
                    class="inline-flex items-center justify-center px-3 sm:px-4 py-2 bg-indigo-600 text-white text-sm font-medium rounded-md hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 whitespace-nowrap"
@@ -16,7 +16,7 @@ class="inline-flex items-center justify-center px-3 sm:px-4 py-2 bg-indigo-600 t
                    </svg>
                    {{ __('messages.documents.edit') }}
                </a>
-            @endauth
+            @endcan
        </div>

        <div class="flex flex-col sm:flex-row sm:items-center text-xs sm:text-sm text-gray-500 gap-2 sm:gap-4">