feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,117 @@
|
||||
<?php
|
||||
|
||||
namespace App\Filament\Tenant\Resources;
|
||||
|
||||
use App\Auth\Permissions;
|
||||
use App\Filament\Tenant\Resources\RoleResource\Pages;
|
||||
use Filament\Actions;
|
||||
use Filament\Forms;
|
||||
use Filament\Resources\Resource;
|
||||
use Filament\Schemas;
|
||||
use Filament\Schemas\Schema;
|
||||
use Filament\Tables;
|
||||
use Filament\Tables\Table;
|
||||
use Spatie\Permission\Models\Role;
|
||||
|
||||
class RoleResource extends Resource
|
||||
{
|
||||
protected static ?string $model = Role::class;
|
||||
|
||||
protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
|
||||
|
||||
protected static ?string $navigationLabel = 'Roluri & Drepturi';
|
||||
|
||||
protected static string|\UnitEnum|null $navigationGroup = 'Admin';
|
||||
|
||||
protected static ?string $modelLabel = 'rol';
|
||||
|
||||
protected static ?string $pluralModelLabel = 'roluri';
|
||||
|
||||
protected static ?int $navigationSort = 82;
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
return auth()->user()?->canDo(Permissions::ADMIN_ROLES_MANAGE) ?? false;
|
||||
}
|
||||
|
||||
public static function form(Schema $schema): Schema
|
||||
{
|
||||
return $schema->components([
|
||||
Schemas\Components\Section::make('Rol')
|
||||
->columns(2)
|
||||
->schema([
|
||||
Forms\Components\TextInput::make('name')->label('Slug')->required()->maxLength(64)
|
||||
->disabled(fn ($record) => $record && in_array($record->name, array_keys(Permissions::roleMatrix()), true))
|
||||
->helperText('Rolurile sistem (owner/admin/etc.) au numele blocat'),
|
||||
Forms\Components\TextInput::make('guard_name')->default('web')->disabled(),
|
||||
]),
|
||||
Schemas\Components\Section::make('Drepturi')
|
||||
->description('Bifează ce poate face acest rol. Modificările au efect imediat.')
|
||||
->schema(self::permissionFields())
|
||||
->columns(1),
|
||||
]);
|
||||
}
|
||||
|
||||
private static function permissionFields(): array
|
||||
{
|
||||
$fields = [];
|
||||
$labels = Permissions::labels();
|
||||
foreach (Permissions::grouped() as $module => $perms) {
|
||||
$options = [];
|
||||
foreach ($perms as $p) {
|
||||
$options[$p] = $p;
|
||||
}
|
||||
$fields[] = Forms\Components\CheckboxList::make("permissions_{$module}")
|
||||
->label($labels[$module] ?? ucfirst($module))
|
||||
->options($options)
|
||||
->columns(2)
|
||||
->bulkToggleable()
|
||||
->afterStateHydrated(function (Forms\Components\CheckboxList $component, $state, $record) use ($module) {
|
||||
if (! $record) { $component->state([]); return; }
|
||||
$names = $record->permissions->pluck('name')->all();
|
||||
$module_prefix = $module . '.';
|
||||
$component->state(array_values(array_filter($names, fn ($n) => str_starts_with($n, $module_prefix))));
|
||||
})
|
||||
->dehydrated(false);
|
||||
}
|
||||
return $fields;
|
||||
}
|
||||
|
||||
public static function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->columns([
|
||||
Tables\Columns\TextColumn::make('name')
|
||||
->label('Rol')
|
||||
->formatStateUsing(fn ($state) => Permissions::roleLabels()[$state] ?? $state)
|
||||
->searchable()
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('name')
|
||||
->label('Slug')
|
||||
->copyable()
|
||||
->color('gray'),
|
||||
Tables\Columns\TextColumn::make('permissions_count')
|
||||
->counts('permissions')
|
||||
->label('Drepturi')
|
||||
->badge(),
|
||||
Tables\Columns\TextColumn::make('users_count')
|
||||
->counts('users')
|
||||
->label('Utilizatori')
|
||||
->badge(),
|
||||
])
|
||||
->actions([
|
||||
Actions\EditAction::make()->label('Editează drepturi'),
|
||||
Actions\DeleteAction::make()
|
||||
->hidden(fn ($record) => in_array($record->name, array_keys(Permissions::roleMatrix()), true)),
|
||||
])
|
||||
->defaultSort('name');
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
{
|
||||
return [
|
||||
'index' => Pages\ListRoles::route('/'),
|
||||
'edit' => Pages\EditRole::route('/{record}/edit'),
|
||||
];
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user