feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -59,10 +59,8 @@ class CompanyProvisioner
|
||||
$this->tenants->setCurrent($company);
|
||||
$this->permissions->setPermissionsTeamId($company->id);
|
||||
|
||||
// Default roles per tenant.
|
||||
foreach (['admin', 'manager', 'receptionist', 'mechanic', 'parts_manager', 'accountant', 'marketer'] as $r) {
|
||||
Role::findOrCreate($r, 'web');
|
||||
}
|
||||
// Seed full RBAC catalog: 7 roles + 51 permissions + matrix per TZ.
|
||||
app(\App\Services\RbacSeeder::class)->seedTenantRoles($company->id);
|
||||
|
||||
// Admin user.
|
||||
$adminEmail = $data['admin_email'] ?? "admin@{$company->slug}.local";
|
||||
|
||||
@@ -0,0 +1,86 @@
|
||||
<?php
|
||||
|
||||
namespace App\Services;
|
||||
|
||||
use App\Auth\Permissions;
|
||||
use App\Models\Tenant\User;
|
||||
use Spatie\Permission\Models\Permission;
|
||||
use Spatie\Permission\Models\Role;
|
||||
use Spatie\Permission\PermissionRegistrar;
|
||||
|
||||
/**
|
||||
* Seeds the RBAC catalog for a tenant: 50 permissions (global) + 7 system roles
|
||||
* + role-permission matrix per the TZ.
|
||||
*
|
||||
* Idempotent — safe to run multiple times. Adding new permissions later is also
|
||||
* idempotent: each Permission::firstOrCreate skips existing rows.
|
||||
*/
|
||||
class RbacSeeder
|
||||
{
|
||||
/** Seed permissions globally (they're not tenant-scoped). */
|
||||
public function seedPermissions(): void
|
||||
{
|
||||
foreach (Permissions::all() as $slug) {
|
||||
Permission::firstOrCreate(['name' => $slug, 'guard_name' => 'web']);
|
||||
}
|
||||
}
|
||||
|
||||
/** Seed 7 system roles + role-permission matrix for a specific tenant (team). */
|
||||
public function seedTenantRoles(int $companyId): void
|
||||
{
|
||||
$this->seedPermissions();
|
||||
|
||||
$registrar = app(PermissionRegistrar::class);
|
||||
$registrar->setPermissionsTeamId($companyId);
|
||||
// Bust cache so newly created roles are visible immediately.
|
||||
$registrar->forgetCachedPermissions();
|
||||
|
||||
foreach (Permissions::roleMatrix() as $roleName => $perms) {
|
||||
$role = Role::firstOrCreate(
|
||||
['name' => $roleName, 'guard_name' => 'web', 'company_id' => $companyId]
|
||||
);
|
||||
$role->syncPermissions($perms);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* After seeding roles, sync each user's role assignment based on legacy
|
||||
* users.role string column. Idempotent: re-running just re-syncs.
|
||||
*/
|
||||
public function syncUsersToRoles(int $companyId): int
|
||||
{
|
||||
$registrar = app(PermissionRegistrar::class);
|
||||
$registrar->setPermissionsTeamId($companyId);
|
||||
$registrar->forgetCachedPermissions();
|
||||
|
||||
$count = 0;
|
||||
$validRoles = array_keys(Permissions::roleMatrix());
|
||||
|
||||
User::query()
|
||||
->where('company_id', $companyId)
|
||||
->whereNotNull('role')
|
||||
->chunk(100, function ($users) use ($validRoles, &$count) {
|
||||
foreach ($users as $user) {
|
||||
// Map legacy role strings to the new catalog
|
||||
$role = match ($user->role) {
|
||||
'admin' => 'admin',
|
||||
'manager' => 'manager',
|
||||
'receptionist' => 'receptionist',
|
||||
'mechanic', 'master' => 'mechanic',
|
||||
'accountant' => 'accountant',
|
||||
'parts_manager' => 'manager', // map to manager
|
||||
'marketer' => 'manager',
|
||||
'owner' => 'owner',
|
||||
'viewer', 'user' => 'viewer',
|
||||
default => 'viewer',
|
||||
};
|
||||
if (in_array($role, $validRoles, true)) {
|
||||
$user->syncRoles([$role]);
|
||||
$count++;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
return $count;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user