@php
    // M01: the account switcher is a SUPER-ADMIN-ONLY control. Every other
    // user gets no output from this partial at all: no switcher and no
    // read-only indicator, because they operate within their single bound
    // account. This view only decides what is rendered. The
    // SwitchAccountController also refuses their switches server-side
    // (defence in depth). See docs/decisions/M01-decisions.md (D2, D3).

    /** @var \App\Models\User|null $user */
    $user = auth()->user();

    // Fails closed: with no authenticated user the nullsafe call yields null
    // and the flag falls back to false.
    $isSuperAdmin = $user?->isSuperAdmin() ?? false;

    /** @var \App\Models\Account|null $current */
    $current = app(\App\Support\CurrentAccount::class)->get();

    // Super-admins are shown EVERY account on the platform, alphabetically.
    // Account isn't tenant-scoped (it IS the tenant root), so the unscoped
    // read is safe, but it must stay behind the super-admin check: the
    // result holds every tenant's name and slug. Everyone else gets an empty
    // collection and no query is issued.
    $accounts = $isSuperAdmin
        ? \App\Models\Account::query()->orderBy('name')->get()
        : collect();

    // Ids of the accounts this user belongs to through the membership pivot.
    // Rows outside this list are reachable only through the `is_super_admin`
    // escape hatch and are tagged with a "Platform access" pill below. Only
    // computed for super-admins, since no one else renders the dropdown.
    $memberAccountIds = $isSuperAdmin
        ? ($user?->accounts()->pluck('accounts.id')->all() ?? [])
        : [];
@endphp

{{-- Nothing below renders unless the viewer is a super-admin AND an account
     is currently selected. --}}
@if ($isSuperAdmin && $current)
{{ $current->name }} {{ $current->slug }}
@foreach ($accounts as $account)
    @php
        // Strict membership test: the plucked ids must have the same type as
        // $account->id or every row is labelled "Platform access".
        // NOTE(review): presumably both are the model's cast key type; confirm.
        $isMember = in_array($account->id, $memberAccountIds, true);
        $isPlatformAccess = $isSuperAdmin && ! $isMember;
    @endphp
    @if ($account->id !== $current->id)
        {{-- An account the user can switch to. Each switch is a CSRF-protected
             POST to account.switch. The controller is the authoritative
             security boundary: the account id in the URL is untrusted input,
             and the super-admin escape hatch is enforced server-side, not in
             this view. Name and slug go through the escaping echo syntax. --}}
@csrf
{{ $account->name }}
        @if ($isPlatformAccess)
            {{ __('Platform access') }}
        @endif
{{ $account->slug }}
    @else
        {{-- The currently active account. Marked active and not clickable,
             since switching to the current account is a no-op. --}}
{{ $account->name }}
        @if ($isPlatformAccess)
            {{ __('Platform access') }}
        @endif
{{ $account->slug }}
    @endif
@endforeach
@endif