feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,132 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use App\Auth\Permissions;
|
||||
use App\Models\Central\Company;
|
||||
use App\Models\Central\Plan;
|
||||
use App\Models\Tenant\User;
|
||||
use App\Services\RbacSeeder;
|
||||
use App\Tenancy\TenantManager;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Spatie\Permission\Models\Permission;
|
||||
use Spatie\Permission\Models\Role;
|
||||
use Spatie\Permission\PermissionRegistrar;
|
||||
use Tests\TestCase;
|
||||
|
||||
class RbacTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
private Company $company;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
parent::setUp();
|
||||
$plan = Plan::firstOrCreate(['slug' => 'test'], ['name' => 'T', 'price' => 0, 'features' => []]);
|
||||
$this->company = Company::create([
|
||||
'plan_id' => $plan->id, 'slug' => 'rbac-' . uniqid(),
|
||||
'name' => 'RBAC Co', 'status' => 'active',
|
||||
]);
|
||||
app(TenantManager::class)->setCurrent($this->company);
|
||||
app(RbacSeeder::class)->seedTenantRoles($this->company->id);
|
||||
app(PermissionRegistrar::class)->setPermissionsTeamId($this->company->id);
|
||||
}
|
||||
|
||||
public function test_seeder_creates_51_permissions(): void
|
||||
{
|
||||
$this->assertEquals(51, Permission::where('guard_name', 'web')->count());
|
||||
}
|
||||
|
||||
public function test_seeder_creates_7_roles_per_tenant(): void
|
||||
{
|
||||
$roles = Role::where('company_id', $this->company->id)->pluck('name')->toArray();
|
||||
sort($roles);
|
||||
$this->assertEquals(['accountant', 'admin', 'manager', 'mechanic', 'owner', 'receptionist', 'viewer'], $roles);
|
||||
}
|
||||
|
||||
public function test_owner_role_has_all_permissions(): void
|
||||
{
|
||||
$owner = Role::where('company_id', $this->company->id)->where('name', 'owner')->first();
|
||||
$this->assertEquals(51, $owner->permissions->count());
|
||||
}
|
||||
|
||||
public function test_mechanic_role_has_minimal_permissions(): void
|
||||
{
|
||||
$mechanic = Role::where('company_id', $this->company->id)->where('name', 'mechanic')->first();
|
||||
$perms = $mechanic->permissions->pluck('name')->toArray();
|
||||
$this->assertContains(Permissions::WORK_ORDERS_VIEW_OWN_ASSIGNED, $perms);
|
||||
$this->assertContains(Permissions::INVENTORY_VIEW, $perms);
|
||||
$this->assertNotContains(Permissions::WORK_ORDERS_VIEW_ALL, $perms);
|
||||
$this->assertNotContains(Permissions::FINANCE_VIEW_OVERVIEW, $perms);
|
||||
$this->assertNotContains(Permissions::ADMIN_USERS_MANAGE, $perms);
|
||||
}
|
||||
|
||||
public function test_accountant_can_see_finance_but_not_admin(): void
|
||||
{
|
||||
$accountant = Role::where('company_id', $this->company->id)->where('name', 'accountant')->first();
|
||||
$perms = $accountant->permissions->pluck('name')->toArray();
|
||||
$this->assertContains(Permissions::FINANCE_VIEW_OVERVIEW, $perms);
|
||||
$this->assertContains(Permissions::FINANCE_VIEW_PL, $perms);
|
||||
$this->assertContains(Permissions::SALARIES_CALCULATE, $perms);
|
||||
$this->assertNotContains(Permissions::ADMIN_USERS_MANAGE, $perms);
|
||||
$this->assertNotContains(Permissions::WORK_ORDERS_DELETE, $perms);
|
||||
}
|
||||
|
||||
public function test_user_can_method_returns_true_when_role_has_permission(): void
|
||||
{
|
||||
$user = User::create(['name' => 'M', 'email' => 'm-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||
$user->syncRoles(['mechanic']);
|
||||
|
||||
$this->assertTrue($user->canDo(Permissions::WORK_ORDERS_VIEW_OWN_ASSIGNED));
|
||||
$this->assertFalse($user->canDo(Permissions::FINANCE_VIEW_OVERVIEW));
|
||||
}
|
||||
|
||||
public function test_admin_bypasses_permission_check(): void
|
||||
{
|
||||
$admin = User::create(['name' => 'A', 'email' => 'a-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'admin', 'status' => 'active']);
|
||||
$admin->syncRoles(['admin']);
|
||||
|
||||
// Admin gets the bypass even if a permission is not explicitly granted
|
||||
$this->assertTrue($admin->canDo('some.permission.that.does.not.exist'));
|
||||
$this->assertTrue($admin->canDo(Permissions::FINANCE_DELETE_PAYMENT));
|
||||
}
|
||||
|
||||
public function test_owner_helper_returns_true_for_owner_role_user(): void
|
||||
{
|
||||
$user = User::create(['name' => 'O', 'email' => 'o-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'owner', 'status' => 'active']);
|
||||
$this->assertTrue($user->isOwner());
|
||||
$this->assertTrue($user->isAdmin()); // owner counts as admin for canDo bypass
|
||||
}
|
||||
|
||||
public function test_sync_users_to_roles_maps_legacy_role_strings(): void
|
||||
{
|
||||
$u1 = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'parts_manager', 'status' => 'active']);
|
||||
$u2 = User::create(['name' => 'Y', 'email' => 'y@e.com', 'password' => bcrypt('x'), 'role' => 'master', 'status' => 'active']);
|
||||
$u3 = User::create(['name' => 'Z', 'email' => 'z@e.com', 'password' => bcrypt('x'), 'role' => 'user', 'status' => 'active']);
|
||||
|
||||
app(RbacSeeder::class)->syncUsersToRoles($this->company->id);
|
||||
|
||||
$u1->refresh(); $u2->refresh(); $u3->refresh();
|
||||
// parts_manager → manager
|
||||
$this->assertTrue($u1->hasRole('manager'));
|
||||
// master → mechanic
|
||||
$this->assertTrue($u2->hasRole('mechanic'));
|
||||
// user → viewer
|
||||
$this->assertTrue($u3->hasRole('viewer'));
|
||||
}
|
||||
|
||||
public function test_two_factor_helper_reflects_app_authentication_secret(): void
|
||||
{
|
||||
$user = User::create(['name' => 'T', 'email' => 't@e.com', 'password' => bcrypt('x'), 'role' => 'admin', 'status' => 'active']);
|
||||
$this->assertFalse($user->hasTwoFactorEnabled());
|
||||
|
||||
$user->saveAppAuthenticationSecret('FAKEBASE32SECRET====');
|
||||
$user->refresh();
|
||||
$this->assertTrue($user->hasTwoFactorEnabled());
|
||||
|
||||
$user->saveAppAuthenticationSecret(null);
|
||||
$user->refresh();
|
||||
$this->assertFalse($user->hasTwoFactorEnabled());
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user