feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)

Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission
catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/
inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants,
not magic strings — refactors against renames stay safe.

== 7 system roles ==
owner / admin / manager / accountant / receptionist / mechanic / viewer
Each gets a curated role-permission matrix per the TZ section 2.4:
- owner + admin: all 51
- manager: 23 (operations + reporting, no destructive finance/users)
- accountant: 17 (full finance/salaries, view-only WOs, no admin)
- receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create)
- mechanic: 4 (own WOs + inventory view + own salary)
- viewer: 6 (read-only everything except finance/salaries)

== Seeder ==
App\Services\RbacSeeder:
- seedPermissions() creates the 51 Permission rows globally (idempotent)
- seedTenantRoles($companyId) sets the team context, creates the 7 Role
  rows scoped to that tenant, and syncPermissions per matrix
- syncUsersToRoles($companyId) maps legacy users.role string column to
  the new Spatie role assignment (parts_manager→manager, master→mechanic,
  marketer→manager, user→viewer)

== Migration ==
2026_06_04_000003 loops over all existing Companies and runs the seeder.
On a fresh prod deploy, every tenant gets the full RBAC catalog wired up
automatically. CompanyProvisioner::provision() also calls the seeder for
new tenants going forward.

== Resource gates ==
canViewAny / canCreate / canDelete on:
- PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT)
- ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT)
- PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE)
- RoleResource (ADMIN_ROLES_MANAGE)

Mechanic sees only own WOs + inventory + own salary. Accountant sees all
finance but not admin. Receptionist sees clients/WOs but not finance
overview. Etc.

== User helpers ==
$user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to
prevent lockouts from misconfigured permission grants.
$user->isOwner() / isAccountant() / isMechanic() — role shortcuts.
$user->hasTwoFactorEnabled() — true when app_authentication_secret is set.

== 2FA ==
Filament 5's native MultiFactorAuthentication (App + Email) is already
enabled in both TenantPanelProvider and CentralPanelProvider — confirmed.
The User model already implements HasAppAuthentication +
HasAppAuthenticationRecovery + HasEmailAuthentication.

This commit adds UX around it:
- UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off)
- UserResource form: "Securitate" section shows enabled/disabled + last_login_at
- New admin action "Resetează 2FA" with confirmation modal — clears
  app_authentication_secret + recovery codes for locked-out users

== Roles management UI ==
New /app/roles RoleResource:
- List: role label + slug + permission count + user count
- Edit: 10 grouped checkbox lists (per module) for fine-grained
  permission assignment + bulk-toggle per group
- System roles (owner/admin/etc.) have slug locked, can't be deleted
- Custom tenant-specific roles can be added on top
- Gated behind ADMIN_ROLES_MANAGE

== UserResource extension ==
- Role select now uses Permissions::roleLabels() (owner/admin/manager/...)
- New "Roluri suplimentare" multi-select for stacking roles on top of
  the primary one (permissions cumulate)
- afterSave syncs the picked roles + ensures primary role is always
  included

== Tests ==
RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has
all, mechanic has minimal, accountant has finance but not admin,
canDo returns true when role has permission, admin bypass, owner helper,
syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic,
user→viewer), 2FA helper round-trip.

Suite: 206 passed (576 assertions). Was 196.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-04 22:03:03 +00:00
parent 1d5ea6d261
commit 58004b65c4
16 changed files with 808 additions and 18 deletions
@@ -29,6 +29,16 @@ class ExpenseResource extends Resource
protected static ?int $navigationSort = 51;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::FINANCE_VIEW_OVERVIEW) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::FINANCE_CREATE_EXPENSE) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
@@ -30,6 +30,21 @@ class PaymentResource extends Resource
protected static ?int $navigationSort = 50;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::FINANCE_VIEW_OVERVIEW) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::FINANCE_CREATE_PAYMENT) ?? false;
}
public static function canDelete($record): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::FINANCE_DELETE_PAYMENT) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
@@ -29,6 +29,16 @@ class PayrollAdjustmentResource extends Resource
protected static ?int $navigationSort = 54;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_VIEW_ALL) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_CALCULATE) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
@@ -31,6 +31,16 @@ class PayrollRunResource extends Resource
protected static ?int $navigationSort = 53;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_VIEW_ALL) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_CALCULATE) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
@@ -0,0 +1,117 @@
<?php
namespace App\Filament\Tenant\Resources;
use App\Auth\Permissions;
use App\Filament\Tenant\Resources\RoleResource\Pages;
use Filament\Actions;
use Filament\Forms;
use Filament\Resources\Resource;
use Filament\Schemas;
use Filament\Schemas\Schema;
use Filament\Tables;
use Filament\Tables\Table;
use Spatie\Permission\Models\Role;
class RoleResource extends Resource
{
protected static ?string $model = Role::class;
protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
protected static ?string $navigationLabel = 'Roluri & Drepturi';
protected static string|\UnitEnum|null $navigationGroup = 'Admin';
protected static ?string $modelLabel = 'rol';
protected static ?string $pluralModelLabel = 'roluri';
protected static ?int $navigationSort = 82;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(Permissions::ADMIN_ROLES_MANAGE) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
Schemas\Components\Section::make('Rol')
->columns(2)
->schema([
Forms\Components\TextInput::make('name')->label('Slug')->required()->maxLength(64)
->disabled(fn ($record) => $record && in_array($record->name, array_keys(Permissions::roleMatrix()), true))
->helperText('Rolurile sistem (owner/admin/etc.) au numele blocat'),
Forms\Components\TextInput::make('guard_name')->default('web')->disabled(),
]),
Schemas\Components\Section::make('Drepturi')
->description('Bifează ce poate face acest rol. Modificările au efect imediat.')
->schema(self::permissionFields())
->columns(1),
]);
}
private static function permissionFields(): array
{
$fields = [];
$labels = Permissions::labels();
foreach (Permissions::grouped() as $module => $perms) {
$options = [];
foreach ($perms as $p) {
$options[$p] = $p;
}
$fields[] = Forms\Components\CheckboxList::make("permissions_{$module}")
->label($labels[$module] ?? ucfirst($module))
->options($options)
->columns(2)
->bulkToggleable()
->afterStateHydrated(function (Forms\Components\CheckboxList $component, $state, $record) use ($module) {
if (! $record) { $component->state([]); return; }
$names = $record->permissions->pluck('name')->all();
$module_prefix = $module . '.';
$component->state(array_values(array_filter($names, fn ($n) => str_starts_with($n, $module_prefix))));
})
->dehydrated(false);
}
return $fields;
}
public static function table(Table $table): Table
{
return $table
->columns([
Tables\Columns\TextColumn::make('name')
->label('Rol')
->formatStateUsing(fn ($state) => Permissions::roleLabels()[$state] ?? $state)
->searchable()
->sortable(),
Tables\Columns\TextColumn::make('name')
->label('Slug')
->copyable()
->color('gray'),
Tables\Columns\TextColumn::make('permissions_count')
->counts('permissions')
->label('Drepturi')
->badge(),
Tables\Columns\TextColumn::make('users_count')
->counts('users')
->label('Utilizatori')
->badge(),
])
->actions([
Actions\EditAction::make()->label('Editează drepturi'),
Actions\DeleteAction::make()
->hidden(fn ($record) => in_array($record->name, array_keys(Permissions::roleMatrix()), true)),
])
->defaultSort('name');
}
public static function getPages(): array
{
return [
'index' => Pages\ListRoles::route('/'),
'edit' => Pages\EditRole::route('/{record}/edit'),
];
}
}
@@ -0,0 +1,37 @@
<?php
namespace App\Filament\Tenant\Resources\RoleResource\Pages;
use App\Auth\Permissions;
use App\Filament\Tenant\Resources\RoleResource;
use Filament\Resources\Pages\EditRecord;
use Spatie\Permission\PermissionRegistrar;
class EditRole extends EditRecord
{
protected static string $resource = RoleResource::class;
protected function mutateFormDataBeforeSave(array $data): array
{
// Collect all picked permissions across the module check-lists.
$picked = [];
foreach (Permissions::grouped() as $module => $_) {
$key = "permissions_{$module}";
if (isset($data[$key]) && is_array($data[$key])) {
$picked = array_merge($picked, $data[$key]);
}
unset($data[$key]);
}
$this->_pickedPermissions = $picked;
return $data;
}
/** @var array<string> */
protected array $_pickedPermissions = [];
protected function afterSave(): void
{
$this->record->syncPermissions($this->_pickedPermissions);
app(PermissionRegistrar::class)->forgetCachedPermissions();
}
}
@@ -0,0 +1,11 @@
<?php
namespace App\Filament\Tenant\Resources\RoleResource\Pages;
use App\Filament\Tenant\Resources\RoleResource;
use Filament\Resources\Pages\ListRecords;
class ListRoles extends ListRecords
{
protected static string $resource = RoleResource::class;
}
+57 -13
View File
@@ -31,8 +31,17 @@ class UserResource extends Resource
public static function canViewAny(): bool
{
$u = auth()->user();
return $u && $u->role === 'admin';
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_VIEW) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
}
public static function canDelete($record): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
}
public static function form(Schema $schema): Schema
@@ -53,17 +62,10 @@ class UserResource extends Resource
->schema([
Forms\Components\Select::make('role')
->label('Rol primar')
->options([
'admin' => 'Administrator',
'manager' => 'Manager',
'receptionist' => 'Recepție',
'mechanic' => 'Mecanic',
'parts_manager' => 'Magazioner piese',
'accountant' => 'Contabil',
'marketer' => 'Marketing',
])
->options(\App\Auth\Permissions::roleLabels())
->required()
->default('mechanic'),
->default('mechanic')
->helperText('Rolul principal — sincronizat automat cu drepturile RBAC.'),
Forms\Components\Select::make('status')
->options(['active' => 'Activ', 'inactive' => 'Inactiv', 'blocked' => 'Blocat'])
->default('active')
@@ -76,6 +78,26 @@ class UserResource extends Resource
->dehydrateStateUsing(fn ($state) => Hash::make($state))
->minLength(6)
->helperText('La editare lasă gol pentru a păstra parola actuală.'),
Forms\Components\Select::make('roles_picked')
->label('Roluri suplimentare')
->multiple()
->options(\App\Auth\Permissions::roleLabels())
->afterStateHydrated(function ($component, $record) {
if ($record) $component->state($record->roles->pluck('name')->all());
})
->dehydrated(false)
->columnSpanFull()
->helperText('Roluri suplimentare peste rolul primar — drepturile se cumulează.'),
]),
Schemas\Components\Section::make('Securitate')
->columns(2)
->schema([
Forms\Components\Placeholder::make('mfa_status')
->label('Autentificare 2FA')
->content(fn ($record) => $record && $record->hasTwoFactorEnabled() ? '✓ Activat (TOTP)' : '✗ Dezactivat'),
Forms\Components\Placeholder::make('last_login')
->label('Ultima autentificare')
->content(fn ($record) => $record?->last_login_at?->diffForHumans() ?? '—'),
]),
]);
}
@@ -87,7 +109,17 @@ class UserResource extends Resource
Tables\Columns\TextColumn::make('name')->searchable()->sortable(),
Tables\Columns\TextColumn::make('email')->searchable()->copyable(),
Tables\Columns\TextColumn::make('phone')->placeholder('—'),
Tables\Columns\TextColumn::make('role')->badge(),
Tables\Columns\TextColumn::make('role')
->formatStateUsing(fn ($state) => \App\Auth\Permissions::roleLabels()[$state] ?? $state)
->badge(),
Tables\Columns\IconColumn::make('app_authentication_secret')
->label('2FA')
->boolean()
->getStateUsing(fn ($record) => $record->hasTwoFactorEnabled())
->trueIcon('heroicon-o-shield-check')
->trueColor('success')
->falseIcon('heroicon-o-shield-exclamation')
->falseColor('warning'),
Tables\Columns\TextColumn::make('status')
->badge()
->colors([
@@ -109,6 +141,18 @@ class UserResource extends Resource
])
->actions([
Actions\EditAction::make(),
Actions\Action::make('reset_2fa')
->label('Resetează 2FA')
->icon('heroicon-o-shield-exclamation')
->color('warning')
->visible(fn ($record) => $record && $record->hasTwoFactorEnabled())
->requiresConfirmation()
->modalDescription('Dezactivează 2FA pentru acest utilizator. Va trebui să re-configureze TOTP la următoarea autentificare.')
->action(function ($record) {
$record->saveAppAuthenticationSecret(null);
$record->saveAppAuthenticationRecoveryCodes(null);
\Filament\Notifications\Notification::make()->title('2FA resetat')->success()->send();
}),
Actions\DeleteAction::make(),
])
->defaultSort('created_at', 'desc');
@@ -8,4 +8,23 @@ use Filament\Resources\Pages\CreateRecord;
class CreateUser extends CreateRecord
{
protected static string $resource = UserResource::class;
/** @var array<string> */
protected array $_rolesPicked = [];
protected function mutateFormDataBeforeCreate(array $data): array
{
$this->_rolesPicked = $data['roles_picked'] ?? [];
unset($data['roles_picked']);
return $data;
}
protected function afterCreate(): void
{
$picked = $this->_rolesPicked;
if (! in_array($this->record->role, $picked, true)) {
$picked[] = $this->record->role;
}
$this->record->syncRoles(array_unique($picked));
}
}
@@ -14,4 +14,24 @@ class EditUser extends EditRecord
{
return [Actions\DeleteAction::make()];
}
/** @var array<string> */
protected array $_rolesPicked = [];
protected function mutateFormDataBeforeSave(array $data): array
{
$this->_rolesPicked = $data['roles_picked'] ?? [];
unset($data['roles_picked']);
return $data;
}
protected function afterSave(): void
{
// Always include the primary role
$picked = $this->_rolesPicked;
if (! in_array($this->record->role, $picked, true)) {
$picked[] = $this->record->role;
}
$this->record->syncRoles(array_unique($picked));
}
}