feat: P1 RBAC defers — overrides + sessions + audit log

Completes the P1 items from /tmp/service/new/01-TZ-rbac §2.1 §4.1.

== user_permission_overrides table ==
Per-user grant/deny exceptions on top of role-based RBAC. Composite PK
(user_id, permission_id) so each user can have at most one override per
permission. Schema:
- mode: 'grant' | 'deny'
- reason: text (audit context: "lockdown audit period", etc.)
- granted_by_id + granted_at: who/when made the exception
- expires_at: optional auto-expiry

Eloquent model UserPermissionOverride with relations to user, permission,
grantedBy; isExpired() helper.

== Resolution order in User::canDo() ==
1. Active deny-override (not expired) → return false (and log if sensitive)
2. Active grant-override (not expired) → return true
3. Admin/owner bypass → return true
4. Standard role-based check via Spatie

Critically: deny overrides ALSO block admin/owner. This is intentional —
the TZ's "separation of duties" requirement (an admin who shouldn't be
able to delete payments). Without this, deny is useless against admins.

Override resolution uses a single query per check (cached by Eloquent
during the request). The override-check happens before the role check
so a deny is always authoritative.

== Audit log on sensitive denials ==
When canDo() returns false for one of these sensitive permissions, a
spatie/activitylog entry is written with event=permission_denied:
- admin.users.manage / admin.roles.manage / admin.settings.edit
  / admin.backup.download
- finance.delete_payment / finance.view_pl
- salaries.mark_paid / salaries.view_all
- work_orders.delete / work_orders.approve_discount_any

Non-sensitive denials (e.g., clients.create) don't log to avoid noise.
The activity payload includes the permission slug; causedBy is the user
who was denied. Failures of the logger are swallowed so a misconfigured
activitylog never breaks auth.

== UserResource UI ==
New PermissionOverridesRelationManager mounted on the edit page:
- Table: permission, mode (GRANT/DENY badge), reason, expires_at,
  granted_by
- Create form: permission select, mode, expires_at, reason
- granted_at + granted_by_id auto-populated to now() / auth()->id()
- Default sort: granted_at desc

Two new actions on the user row:
- "Force logout" (warning color): visible only when active sessions
  exist. Deletes every row in `sessions` with user_id=record→id.
  Notification shows count revoked.
- "Resetează 2FA" stays (from previous commit)

Two new toggleable columns:
- Sesiuni active (count from sessions table)
- Excepții (count of permission overrides)

== Tests ==
PermissionOverridesTest covers:
- grant unlocks a permission the role doesn't have
- deny blocks a permission the role grants
- deny blocks even admin role (separation of duties)
- expired override is ignored
- future-expiry override stays active
- audit log writes on sensitive denial
- audit log silent on non-sensitive denial
- force_logout deletes all user sessions but not others'

Suite: 214 passed (591 assertions). Was 206.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-04 22:27:20 +00:00
parent 58004b65c4
commit 1d4ac3db38
6 changed files with 411 additions and 3 deletions
@@ -3,6 +3,7 @@
namespace App\Filament\Tenant\Resources;
use App\Filament\Tenant\Resources\UserResource\Pages;
use App\Filament\Tenant\Resources\UserResource\RelationManagers;
use App\Models\Tenant\User;
use Filament\Forms;
use Filament\Resources\Resource;
@@ -120,6 +121,18 @@ class UserResource extends Resource
->trueColor('success')
->falseIcon('heroicon-o-shield-exclamation')
->falseColor('warning'),
Tables\Columns\TextColumn::make('active_sessions')
->label('Sesiuni')
->getStateUsing(fn ($record) => \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->count())
->badge()
->color(fn ($state) => $state > 0 ? 'success' : 'gray')
->toggleable(),
Tables\Columns\TextColumn::make('permission_overrides_count')
->counts('permissionOverrides')
->label('Excepții')
->badge()
->color('warning')
->toggleable(isToggledHiddenByDefault: true),
Tables\Columns\TextColumn::make('status')
->badge()
->colors([
@@ -141,6 +154,17 @@ class UserResource extends Resource
])
->actions([
Actions\EditAction::make(),
Actions\Action::make('force_logout')
->label('Force logout')
->icon('heroicon-o-arrow-right-on-rectangle')
->color('warning')
->visible(fn ($record) => \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->exists())
->requiresConfirmation()
->modalDescription('Va deconecta utilizatorul pe toate device-urile.')
->action(function ($record) {
$n = \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->delete();
\Filament\Notifications\Notification::make()->title("$n sesiuni revoke-uite")->success()->send();
}),
Actions\Action::make('reset_2fa')
->label('Resetează 2FA')
->icon('heroicon-o-shield-exclamation')
@@ -158,6 +182,13 @@ class UserResource extends Resource
->defaultSort('created_at', 'desc');
}
public static function getRelations(): array
{
return [
RelationManagers\PermissionOverridesRelationManager::class,
];
}
public static function getPages(): array
{
return [
@@ -0,0 +1,90 @@
<?php
namespace App\Filament\Tenant\Resources\UserResource\RelationManagers;
use App\Auth\Permissions;
use Filament\Actions;
use Filament\Forms;
use Filament\Resources\RelationManagers\RelationManager;
use Filament\Schemas;
use Filament\Schemas\Schema;
use Filament\Tables;
use Filament\Tables\Table;
use Spatie\Permission\Models\Permission;
class PermissionOverridesRelationManager extends RelationManager
{
protected static string $relationship = 'permissionOverrides';
protected static ?string $title = 'Excepții drepturi';
protected static string|\BackedEnum|null $icon = 'heroicon-o-shield-exclamation';
public function form(Schema $schema): Schema
{
return $schema->components([
Schemas\Components\Section::make('Excepție')
->columns(2)
->schema([
Forms\Components\Select::make('permission_id')
->label('Drept')
->required()
->searchable()
->options(fn () => Permission::orderBy('name')->pluck('name', 'id'))
->columnSpanFull(),
Forms\Components\Select::make('mode')
->required()
->options(['grant' => 'GRANT — adaugă dreptul', 'deny' => 'DENY — interzice dreptul'])
->default('grant'),
Forms\Components\DatePicker::make('expires_at')
->label('Expiră la (opțional)')
->minDate(now()),
Forms\Components\Textarea::make('reason')
->label('Motiv')
->columnSpanFull()
->placeholder('Ex: lockdown temporar; acces pentru audit; etc.')
->rows(2),
]),
]);
}
public function table(Table $table): Table
{
return $table
->recordTitleAttribute('mode')
->columns([
Tables\Columns\TextColumn::make('permission.name')
->label('Drept')
->searchable()
->sortable(),
Tables\Columns\TextColumn::make('mode')
->badge()
->colors(['success' => 'grant', 'danger' => 'deny'])
->formatStateUsing(fn ($state) => strtoupper($state)),
Tables\Columns\TextColumn::make('reason')
->limit(40)
->placeholder('—'),
Tables\Columns\TextColumn::make('expires_at')
->label('Expiră')
->date()
->placeholder('niciodată')
->color(fn ($record) => $record?->isExpired() ? 'danger' : 'gray'),
Tables\Columns\TextColumn::make('grantedBy.name')
->label('Acordat de')
->placeholder('—')
->toggleable(),
])
->headerActions([
Actions\CreateAction::make()
->mutateDataUsing(fn (array $data) => array_merge($data, [
'granted_at' => now(),
'granted_by_id' => auth()->id(),
])),
])
->actions([
Actions\EditAction::make(),
Actions\DeleteAction::make(),
])
->defaultSort('granted_at', 'desc');
}
}
+57 -3
View File
@@ -11,6 +11,7 @@ use Filament\Panel;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
use Spatie\Permission\Traits\HasRoles;
@@ -78,18 +79,71 @@ class User extends Authenticatable implements FilamentUser, HasAppAuthentication
return in_array($this->role, ['mechanic', 'master'], true) || $this->hasAnyRole(['mechanic']);
}
/** Shortcut for permission check using App\Auth\Permissions slug. */
public function permissionOverrides(): HasMany
{
return $this->hasMany(UserPermissionOverride::class);
}
/**
* Permission check honoring (in order):
* 1. Active deny-override false
* 2. Active grant-override true
* 3. Admin/owner bypass true
* 4. Standard role-based check
*/
public function canDo(string $permission): bool
{
// Owner + admin always pass — safety net for misconfigured permission grants.
$override = $this->activeOverrideFor($permission);
if ($override) {
if ($override->mode === 'deny') {
$this->logDeniedIfSensitive($permission);
return false;
}
if ($override->mode === 'grant') return true;
}
// Owner + admin bypass for permissions without explicit deny.
if ($this->isAdmin()) return true;
try {
return $this->can($permission);
$allowed = $this->can($permission);
if (! $allowed) $this->logDeniedIfSensitive($permission);
return $allowed;
} catch (\Throwable $e) {
return false;
}
}
private function activeOverrideFor(string $permissionSlug): ?UserPermissionOverride
{
return $this->permissionOverrides()
->whereHas('permission', fn ($q) => $q->where('name', $permissionSlug))
->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now()))
->first();
}
/** Sensitive permissions whose deny we should record for audit. */
private const AUDITED_DENIALS = [
'admin.users.manage', 'admin.roles.manage', 'admin.settings.edit', 'admin.backup.download',
'finance.delete_payment', 'finance.view_pl',
'salaries.mark_paid', 'salaries.view_all',
'work_orders.delete', 'work_orders.approve_discount_any',
];
private function logDeniedIfSensitive(string $permission): void
{
if (! in_array($permission, self::AUDITED_DENIALS, true)) return;
try {
activity('permissions')
->causedBy($this)
->withProperties(['permission' => $permission])
->event('permission_denied')
->log("permission denied: $permission for user #{$this->id}");
} catch (\Throwable $e) {
// activity-log may be misconfigured in some contexts — never let auth fail because of it.
}
}
/** Has 2FA app authentication enabled (Filament native). */
public function hasTwoFactorEnabled(): bool
{
@@ -0,0 +1,50 @@
<?php
namespace App\Models\Tenant;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Spatie\Permission\Models\Permission;
class UserPermissionOverride extends Model
{
protected $table = 'user_permission_overrides';
public $incrementing = false;
protected $primaryKey = null;
public $timestamps = false;
protected $fillable = ['user_id', 'permission_id', 'mode', 'reason', 'granted_at', 'granted_by_id', 'expires_at'];
protected $casts = [
'granted_at' => 'datetime',
'expires_at' => 'datetime',
];
public function user(): BelongsTo
{
return $this->belongsTo(User::class);
}
public function permission(): BelongsTo
{
return $this->belongsTo(Permission::class);
}
public function grantedBy(): BelongsTo
{
return $this->belongsTo(User::class, 'granted_by_id');
}
public function isExpired(): bool
{
return $this->expires_at !== null && $this->expires_at->isPast();
}
public function isActive(): bool
{
return ! $this->isExpired();
}
}