# Permissions System

## How It Works

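Authorization is built on **Spatie Laravel Permission**, with a custom `PermissionPrefix` middleware (used on routes as `permission_prefix`) that checks permissions per route group.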

```php
// Route protection pattern — middleware appends '.view' automatically
Route::middleware(['permission_prefix:reservation.'])->group(function () {
    Route::get('/reservations', [ReservationsController::class, 'index'])
        ->name('reservations.index');
    // Checks: 'reservation.view'
});
```

## Naming Convention

`<domain>.<action>` — examples: `reservation.view`, `property.create`, `caisse.view`, `reclamation.delete`

## Roles

| Role | Access |
|---|---|
| `admin` | Full access to everything |
| `co-host` | Limited, scoped to assigned properties |
| `sub-user` | Further restricted, specific property access |

## Adding a Permission for a New Feature

1. Define permission names: `newfeature.view`, `newfeature.create`, etc.
2. Add to `database/seeders/RolesAndPermissionsSeeder.php` and assign to appropriate roles.
3. Add `permission_prefix:newfeature.` middleware to the route group.
4. Run `php artisan db:seed --class=RolesAndPermissionsSeeder`.
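
Steps 1, 2 and 4 written as one idempotent seeder. This is an added example, not the project's own seeder code: the class name `NewFeaturePermissionsSeeder` and the role-to-permission mapping are assumptions, and in this project the statements belong in `RolesAndPermissionsSeeder`.

```php
<?php

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

// Hypothetical class name; in this project the same statements go into
// database/seeders/RolesAndPermissionsSeeder.php (step 2).
class NewFeaturePermissionsSeeder extends Seeder
{
    // Step 1: permission names in the <domain>.<action> convention.
    private const PERMISSIONS = ['newfeature.view', 'newfeature.create'];

    // Assumed mapping, for illustration only. Roles not listed here
    // receive nothing, so access stays deny-by-default.
    private const GRANTS = [
        'admin'   => ['newfeature.view', 'newfeature.create'],
        'co-host' => ['newfeature.view'],
    ];

    public function run(): void
    {
        // Spatie caches permissions; clear the cache so the new rows are
        // visible to permission checks right after seeding.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        // findOrCreate keeps the seeder idempotent: re-running db:seed
        // does not fail on names that already exist.
        foreach (self::PERMISSIONS as $name) {
            Permission::findOrCreate($name);
        }

        foreach (self::GRANTS as $roleName => $granted) {
            // Typo guard: refuse to grant a name that was never defined above.
            $unknown = array_diff($granted, self::PERMISSIONS);
            if ($unknown !== []) {
                throw new \InvalidArgumentException(
                    "Undefined permission(s) for {$roleName}: " . implode(', ', $unknown)
                );
            }

            // givePermissionTo only adds; existing grants on the role stay intact.
            Role::findOrCreate($roleName)->givePermissionTo($granted);
        }
    }
}
```

Because `givePermissionTo` never removes anything, taking a permission away from a role later needs an explicit `revokePermissionTo` or `syncPermissions` call; deleting the line from the seeder is not enough.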

## Frontend Permission Check

```tsx
// Permissions are in Inertia shared props
const { auth } = usePage<PageProps>().props;
// auth.user.permissions contains the array
```
