Skip to content

feature: authorization/policy layer (wheels.Policy + authorize()/can()/policyScope()) #3156

Description

@bpamiri

Child of #2962, sequenced AFTER the auth generator (policies need a currentUser to authorize). Framework-core: wheels.Policy base + authorize()/can()/policyScope() controller+view mixins. Cross-engine constraint: mixin helpers must be public with $-prefixed internals (Invariant 7). Key design call: default-deny vs default-allow when no policy exists — Pundit denies, Laravel's before() foot-gun allows; recommendation on the parent: default-deny.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementroadmapRoadmap / tracking issue grouping scheduled work

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions