Policies and Permissions

Implemented - Spatie Permission is used via app/Models/Roles.php and app/Models/Permissions.php. - Permissions groups are mapped with PermissionsGroups and Permissions relationships. - UserPolicy is registered in app/Providers/AuthServiceProvider.php.

Observed Admin Patterns - Many admin routes are protected by auth middleware in routes/web/backend.php. - Granular permission checks appear in views and controllers but are not centralized in policies.

Inferred / Partial - A fully granular policy layer for CMS entities is not implemented (only user policy is defined).