
@eiresendez (Contributor) commented Dec 8, 2025

Issue & Reproduction Steps

An authenticated user with no designer permissions could load /designer directly.
Repro: create a user with no designer permissions, log in, visit /designer; the page renders instead of returning 403.

Solution

  • Register the view-designer gate in AuthServiceProvider::defineGates() and reuse it in menu middleware.
  • Protect the designer.index route with can:view-designer, so menu visibility and route access share the same rule.
  • Add a feature test that asserts a 403 for users without designer permissions hitting /designer.

How to Test

  1. Run php artisan test --filter=DesignerControllerTest.
  2. Manual: log in as a user without designer permissions and visit /designer; expect 403. Log in as an admin or a user with designer permissions; the designer page should load.

Related Tickets & Packages

ci:deploy

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.
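
The rule this PR describes (one gate consulted by both the menu and the route), as an added example that is not part of the PR or of ProcessMaker's code. It is a Laravel feature test that assumes a standard Laravel test skeleton (`Tests\TestCase`, the default `can` middleware alias); the permission names and the `/example-designer` route are hypothetical placeholders.

```php
<?php
// Added example, not ProcessMaker code; permission names and route are placeholders.

namespace Tests\Feature;

use Illuminate\Auth\GenericUser;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class DesignerGateExampleTest extends TestCase
{
    // Hypothetical permission names standing in for "designer permissions".
    private const DESIGNER_PERMISSIONS = ['example-edit-a', 'example-edit-b'];

    protected function setUp(): void
    {
        parent::setUp();

        // Single source of truth: one gate answers "may this user see the designer?"
        Gate::define('view-designer', function ($user) {
            return count(array_intersect(self::DESIGNER_PERMISSIONS, $user->permissions)) > 0;
        });

        // Route access is enforced with the same gate the menu consults.
        Route::get('/example-designer', fn () => 'designer')
            ->middleware('can:view-designer');
    }

    private function user(array $permissions): GenericUser
    {
        return new GenericUser(['id' => 1, 'permissions' => $permissions]);
    }

    public function test_user_without_designer_permissions_gets_403(): void
    {
        $user = $this->user(['example-unrelated']);
        // Menu check and direct request must agree: hidden link, forbidden page.
        $this->assertFalse(Gate::forUser($user)->allows('view-designer'));
        $this->actingAs($user)->get('/example-designer')->assertForbidden();
    }

    public function test_user_with_a_designer_permission_can_load_page(): void
    {
        $user = $this->user(['example-edit-b']);
        $this->assertTrue(Gate::forUser($user)->allows('view-designer'));
        $this->actingAs($user)->get('/example-designer')->assertOk();
    }
}
```

Asserting the gate result and the HTTP status side by side catches the drift this PR fixes, where a hidden menu entry is the only thing standing between a user and the page.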


@mcraeteisha mcraeteisha self-requested a review December 8, 2025 17:25
@vladyrichter

QA server K8S was successfully deployed https://ci-5742247152.engk8s.processmaker.net

@processmaker-sonarqube

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

4 participants