Patrick Bass Area: mobieusHelp (audit p7) · Surface: platform/src/Services/Helpdesk/HelpdeskPermissions.php · Dimension: dead-code · Severity: minor
assert() is the exception-throwing counterpart to can(). Every controller that needs an authorization gate calls can() and handles the false case itself (e.g. AgentController::requirePerm renders helpdesk/agent/forbidden). assert() has no call sites and is dead.
Evidence
Definition at platform/src/Services/Helpdesk/HelpdeskPermissions.php:127 `public static function assert(array $permSet, string $action, int $queueId = 0): void` (throws RuntimeException on denial). Grep for callers: `grep -rn "Permissions::assert\|->assert(" platform/src --include='*.php' | grep -v vendor | grep -v "function assert"` => 0. The non-throwing sibling HelpdeskPermissions::can() IS used (platform/src/Controllers/Helpdesk/AgentController.php). AgentController implements its own requirePerm() that calls can() and renders a forbidden page rather than calling assert().Suggested fix. Remove assert(), or adopt it in the API controllers (TicketsApiController / Api\V1\HelpdeskController) where a thrown 403 would be cleaner than manual can() branches — but as written it is unreferenced.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
