Permissions now actually govern access instead of the hard-coded Admin role:
- Super-admin bypass (see all projects / full access) -> can('manage all')
in Project::scopeAccessibleBy, ProjectMap, ProjectDashboard, PhaseGantt,
LayerManager, ProjectReportController.
- Redundant '|| hasRole(Admin)' fallbacks dropped (Gate::before already lets
manage-all through can()): LayerManager (upload/delete layers), MediaManager
(upload), ProjectMap (update progress), ProjectUsers/ProjectCompanies
(assign users).
- Admin-only screens now gated by the matching permission: AdminUsers/UserView
-> can('view users'), UserForm -> can('create users')|can('edit users'),
CompanyView -> can('view companies').
- MediaManager delete: can('delete media') OR owner.
- Kept UserForm's domain guard (can't remove your own Admin role).
Note: the /admin route group still has middleware can:manage all, so admin
screens stay super-admin-only until that group is relaxed per-route.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
javier
8025fa6d05