feat: P2 RBAC defers — REST API + invitation workflow
Closes the P2 items from /tmp/service/new/01-TZ-rbac §4.1 §4.2.
== User invitation workflow ==
New columns on users: invited_at, invited_by_id (FK self), accepted_at,
invitation_token (sha256 hash, indexed). Migration is idempotent.
User::sendInvitation($invitedBy = auth()->user())
- generates 64-char random token
- stores sha256(token) in invitation_token column (never plaintext)
- marks invited_at = now(), status = inactive
- queues UserInvitationMail to the user's email with the signed accept URL
- returns the raw token (for tests / API consumers)
User::findByInvitationToken($rawToken) hashes + lookups.
User::acceptInvitation($password) sets password (hashed cast), clears
invitation_token, marks accepted_at + email_verified_at, status = active.
Web routes (no auth — token IS the credential):
GET /invitations/{token} → password-set form
POST /invitations/{token} → validates min:8 + confirmed, accepts
Tokens expire after 7 days (checked against invited_at). Expired and
invalid tokens render dedicated views (invitations/expired.blade.php,
invitations/invalid.blade.php) instead of generic 404 — so the user
knows to ask for a resend.
UserInvitationMail uses Filament's existing markdown layout; subject
includes the tenant display_name.
== REST API ==
Twenty new endpoints under /api/v1/ (Sanctum auth + tenant scoping
via the existing EnsureTokenMatchesTenant middleware). All gated by
ADMIN_USERS_* / ADMIN_ROLES_MANAGE permissions; mechanic-level token
gets 403.
Users:
GET /users — paginated + role/status/q filters
GET /users/{u} — eager-loads roles + overrides + invitedBy
POST /users — creates inactive user + sends invitation
PATCH /users/{u} — update name/email/role/status
DELETE /users/{u} — soft delete
POST /users/{u}/activate
POST /users/{u}/deactivate — also revokes all sessions
POST /users/{u}/resend-invitation
POST /users/{u}/force-password-reset — re-sends invitation
GET /users/{u}/sessions — list active sessions (from sessions table)
DELETE /users/{u}/sessions — revoke all
DELETE /users/{u}/sessions/{sessionId} — revoke one
GET /users/{u}/roles — assigned roles
POST /users/{u}/roles — assign role
DELETE /users/{u}/roles/{role} — remove role
GET /users/{u}/permissions — effective: role perms + grants - active denies
POST /users/{u}/permission-overrides — add grant/deny (with optional expires_at)
DELETE /users/{u}/permission-overrides/{perm}
Roles:
apiResource roles — index/show/store/update/destroy
(system roles guarded against rename/delete)
GET /roles/{r}/permissions
PUT /roles/{r}/permissions — bulk sync
GET /permissions — catalog: flat list + grouped + labels + role labels
Authorization is uniform: every controller method calls $this->authorize()
which throws 403 if canDo(perm) is false. canDo() already honors the
overrides + admin bypass + audit log from earlier commits, so the API
behaves identically to the Filament UI.
== Tests ==
InvitationFlowTest (8): token generation + sha256 storage + queued mail,
findByInvitationToken happy/sad path, accept sets password + activates,
GET form renders, POST accepts + redirects, invalid token view,
backdated invited_at → expired view, password too short → validation error.
RbacApiTest (12): admin can list users, mechanic 403, create user
queues invitation, assign+remove role round-trip, effective permissions
endpoint subtracts active denies, add+remove override via API,
role index returns 7 system roles with permission counts (51 for owner),
role sync permissions, system role destroy rejected with 422,
permission catalog endpoint returns all 51 + grouped + labels,
revoke all sessions deletes only target user's rows.
Suite: 234 passed (659 assertions). Was 214.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,102 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Controllers\Api;
|
||||||
|
|
||||||
|
use App\Auth\Permissions;
|
||||||
|
use App\Http\Controllers\Controller;
|
||||||
|
use Illuminate\Http\JsonResponse;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
use Spatie\Permission\Models\Permission;
|
||||||
|
use Spatie\Permission\Models\Role;
|
||||||
|
use Spatie\Permission\PermissionRegistrar;
|
||||||
|
|
||||||
|
class RoleApiController extends Controller
|
||||||
|
{
|
||||||
|
public function index(): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
$roles = Role::withCount('permissions')->orderBy('name')->get();
|
||||||
|
return response()->json(['data' => $roles]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function show(Role $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
return response()->json(['data' => $role->load('permissions')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function store(Request $request): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
$data = $request->validate([
|
||||||
|
'name' => 'required|string|max:64',
|
||||||
|
'permissions' => 'sometimes|array',
|
||||||
|
'permissions.*' => 'string',
|
||||||
|
]);
|
||||||
|
// Disallow overwriting system roles
|
||||||
|
if (in_array($data['name'], array_keys(Permissions::roleMatrix()), true)) {
|
||||||
|
return response()->json(['error' => 'System role name is reserved'], 422);
|
||||||
|
}
|
||||||
|
$role = Role::create(['name' => $data['name'], 'guard_name' => 'web']);
|
||||||
|
if (! empty($data['permissions'])) {
|
||||||
|
$role->syncPermissions($data['permissions']);
|
||||||
|
}
|
||||||
|
return response()->json(['data' => $role->load('permissions')], 201);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function update(Request $request, Role $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
if (in_array($role->name, array_keys(Permissions::roleMatrix()), true)) {
|
||||||
|
return response()->json(['error' => 'Cannot rename system role'], 422);
|
||||||
|
}
|
||||||
|
$data = $request->validate(['name' => 'required|string|max:64']);
|
||||||
|
$role->update($data);
|
||||||
|
return response()->json(['data' => $role]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function destroy(Role $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
if (in_array($role->name, array_keys(Permissions::roleMatrix()), true)) {
|
||||||
|
return response()->json(['error' => 'Cannot delete system role'], 422);
|
||||||
|
}
|
||||||
|
$role->delete();
|
||||||
|
return response()->json(['deleted' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function permissions(Role $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
return response()->json(['data' => $role->permissions->pluck('name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function syncPermissions(Request $request, Role $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_ROLES_MANAGE);
|
||||||
|
$data = $request->validate([
|
||||||
|
'permissions' => 'required|array',
|
||||||
|
'permissions.*' => 'string',
|
||||||
|
]);
|
||||||
|
$role->syncPermissions($data['permissions']);
|
||||||
|
app(PermissionRegistrar::class)->forgetCachedPermissions();
|
||||||
|
return response()->json(['data' => $role->fresh()->permissions->pluck('name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function permissionCatalog(): JsonResponse
|
||||||
|
{
|
||||||
|
return response()->json([
|
||||||
|
'data' => Permission::orderBy('name')->get(['id', 'name']),
|
||||||
|
'grouped' => Permissions::grouped(),
|
||||||
|
'labels' => Permissions::labels(),
|
||||||
|
'roles' => Permissions::roleLabels(),
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function authorize(string $permission): void
|
||||||
|
{
|
||||||
|
if (! auth()->user() || ! auth()->user()->canDo($permission)) {
|
||||||
|
abort(403, "Missing permission: $permission");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,228 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Controllers\Api;
|
||||||
|
|
||||||
|
use App\Auth\Permissions;
|
||||||
|
use App\Http\Controllers\Controller;
|
||||||
|
use App\Models\Tenant\User;
|
||||||
|
use App\Models\Tenant\UserPermissionOverride;
|
||||||
|
use Illuminate\Http\JsonResponse;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
use Illuminate\Support\Facades\DB;
|
||||||
|
use Illuminate\Support\Facades\Hash;
|
||||||
|
use Spatie\Permission\Models\Permission;
|
||||||
|
|
||||||
|
class UserApiController extends Controller
|
||||||
|
{
|
||||||
|
public function index(Request $request): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_VIEW);
|
||||||
|
|
||||||
|
$q = User::query();
|
||||||
|
if ($role = $request->query('role')) $q->where('role', $role);
|
||||||
|
if ($status = $request->query('status')) $q->where('status', $status);
|
||||||
|
if ($search = $request->query('q')) {
|
||||||
|
$q->where(fn ($qq) => $qq->where('name', 'like', "%$search%")->orWhere('email', 'like', "%$search%"));
|
||||||
|
}
|
||||||
|
return response()->json([
|
||||||
|
'data' => $q->paginate((int) $request->query('per_page', 25))->items(),
|
||||||
|
'meta' => ['total' => $q->count()],
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function show(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_VIEW);
|
||||||
|
return response()->json(['data' => $user->load('roles', 'permissionOverrides.permission', 'invitedBy:id,name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function store(Request $request): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
|
||||||
|
$data = $request->validate([
|
||||||
|
'name' => 'required|string|max:120',
|
||||||
|
'email' => 'required|email|max:120',
|
||||||
|
'phone' => 'nullable|string|max:40',
|
||||||
|
'role' => 'required|string|in:' . implode(',', array_keys(Permissions::roleMatrix())),
|
||||||
|
'locale' => 'nullable|in:ro,ru,en',
|
||||||
|
'send_invitation' => 'nullable|boolean',
|
||||||
|
]);
|
||||||
|
|
||||||
|
$user = User::create([
|
||||||
|
'name' => $data['name'],
|
||||||
|
'email' => $data['email'],
|
||||||
|
'phone' => $data['phone'] ?? null,
|
||||||
|
'role' => $data['role'],
|
||||||
|
'locale' => $data['locale'] ?? 'ro',
|
||||||
|
'status' => 'inactive',
|
||||||
|
'password' => Hash::make(bin2hex(random_bytes(16))), // placeholder until invitation accept
|
||||||
|
]);
|
||||||
|
$user->syncRoles([$data['role']]);
|
||||||
|
|
||||||
|
if ($data['send_invitation'] ?? true) {
|
||||||
|
$user->sendInvitation(auth()->user());
|
||||||
|
}
|
||||||
|
|
||||||
|
return response()->json(['data' => $user->fresh(), 'invitation_sent' => $data['send_invitation'] ?? true], 201);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function update(Request $request, User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
|
||||||
|
$data = $request->validate([
|
||||||
|
'name' => 'sometimes|string|max:120',
|
||||||
|
'email' => 'sometimes|email|max:120',
|
||||||
|
'phone' => 'sometimes|nullable|string|max:40',
|
||||||
|
'locale' => 'sometimes|in:ro,ru,en',
|
||||||
|
'role' => 'sometimes|in:' . implode(',', array_keys(Permissions::roleMatrix())),
|
||||||
|
'status' => 'sometimes|in:active,inactive,blocked',
|
||||||
|
]);
|
||||||
|
$user->update($data);
|
||||||
|
if (isset($data['role'])) $user->syncRoles([$data['role']]);
|
||||||
|
return response()->json(['data' => $user->fresh()]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function destroy(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$user->delete();
|
||||||
|
return response()->json(['deleted' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function activate(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$user->update(['status' => 'active']);
|
||||||
|
return response()->json(['data' => $user->fresh()]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function deactivate(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$user->update(['status' => 'inactive']);
|
||||||
|
DB::table('sessions')->where('user_id', $user->id)->delete();
|
||||||
|
return response()->json(['data' => $user->fresh()]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function resendInvitation(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
if ($user->accepted_at) {
|
||||||
|
return response()->json(['error' => 'User already accepted invitation'], 422);
|
||||||
|
}
|
||||||
|
$user->sendInvitation(auth()->user());
|
||||||
|
return response()->json(['invitation_sent' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function forcePasswordReset(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$user->update(['status' => 'inactive', 'accepted_at' => null]);
|
||||||
|
DB::table('sessions')->where('user_id', $user->id)->delete();
|
||||||
|
$user->sendInvitation(auth()->user());
|
||||||
|
return response()->json(['invitation_sent' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function sessions(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$rows = DB::table('sessions')->where('user_id', $user->id)
|
||||||
|
->select('id', 'ip_address', 'user_agent', 'last_activity')->get();
|
||||||
|
return response()->json(['data' => $rows]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function revokeSession(User $user, string $sessionId): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$n = DB::table('sessions')->where('user_id', $user->id)->where('id', $sessionId)->delete();
|
||||||
|
return response()->json(['revoked' => $n > 0]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function revokeAllSessions(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$n = DB::table('sessions')->where('user_id', $user->id)->delete();
|
||||||
|
return response()->json(['revoked_count' => $n]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function roles(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_VIEW);
|
||||||
|
return response()->json(['data' => $user->roles->pluck('name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function assignRole(Request $request, User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$data = $request->validate(['role' => 'required|string']);
|
||||||
|
$user->assignRole($data['role']);
|
||||||
|
return response()->json(['data' => $user->roles->pluck('name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function removeRole(User $user, string $role): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$user->removeRole($role);
|
||||||
|
return response()->json(['data' => $user->roles->pluck('name')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function permissions(User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_VIEW);
|
||||||
|
// Effective: roles + grants - denies (active only)
|
||||||
|
$rolePerms = $user->getAllPermissions()->pluck('name');
|
||||||
|
$denies = $user->permissionOverrides()
|
||||||
|
->where('mode', 'deny')
|
||||||
|
->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now()))
|
||||||
|
->with('permission')->get()->pluck('permission.name');
|
||||||
|
$grants = $user->permissionOverrides()
|
||||||
|
->where('mode', 'grant')
|
||||||
|
->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now()))
|
||||||
|
->with('permission')->get()->pluck('permission.name');
|
||||||
|
$effective = $rolePerms->merge($grants)->unique()->reject(fn ($p) => $denies->contains($p))->values();
|
||||||
|
return response()->json([
|
||||||
|
'data' => $effective,
|
||||||
|
'overrides' => ['grants' => $grants, 'denies' => $denies],
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function addOverride(Request $request, User $user): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$data = $request->validate([
|
||||||
|
'permission' => 'required|string',
|
||||||
|
'mode' => 'required|in:grant,deny',
|
||||||
|
'reason' => 'nullable|string',
|
||||||
|
'expires_at' => 'nullable|date',
|
||||||
|
]);
|
||||||
|
$perm = Permission::where('name', $data['permission'])->firstOrFail();
|
||||||
|
UserPermissionOverride::updateOrCreate(
|
||||||
|
['user_id' => $user->id, 'permission_id' => $perm->id],
|
||||||
|
[
|
||||||
|
'mode' => $data['mode'],
|
||||||
|
'reason' => $data['reason'] ?? null,
|
||||||
|
'expires_at' => $data['expires_at'] ?? null,
|
||||||
|
'granted_by_id' => auth()->id(),
|
||||||
|
'granted_at' => now(),
|
||||||
|
]
|
||||||
|
);
|
||||||
|
return response()->json(['data' => $user->load('permissionOverrides.permission')]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function removeOverride(User $user, string $permission): JsonResponse
|
||||||
|
{
|
||||||
|
$this->authorize(Permissions::ADMIN_USERS_MANAGE);
|
||||||
|
$perm = Permission::where('name', $permission)->firstOrFail();
|
||||||
|
UserPermissionOverride::where('user_id', $user->id)->where('permission_id', $perm->id)->delete();
|
||||||
|
return response()->json(['removed' => true]);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function authorize(string $permission): void
|
||||||
|
{
|
||||||
|
if (! auth()->user() || ! auth()->user()->canDo($permission)) {
|
||||||
|
abort(403, "Missing permission: $permission");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,49 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Controllers;
|
||||||
|
|
||||||
|
use App\Models\Tenant\User;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
|
||||||
|
class InvitationController extends Controller
|
||||||
|
{
|
||||||
|
public function show(string $token)
|
||||||
|
{
|
||||||
|
$user = User::findByInvitationToken($token);
|
||||||
|
if (! $user || ! $user->isPendingInvitation()) {
|
||||||
|
return view('invitations.invalid');
|
||||||
|
}
|
||||||
|
// Invitations expire after 7 days
|
||||||
|
if ($user->invited_at && $user->invited_at->lt(now()->subDays(7))) {
|
||||||
|
return view('invitations.expired');
|
||||||
|
}
|
||||||
|
|
||||||
|
return view('invitations.accept', [
|
||||||
|
'token' => $token,
|
||||||
|
'name' => $user->name,
|
||||||
|
'email' => $user->email,
|
||||||
|
'company' => $user->company?->display_name ?? $user->company?->name ?? 'AutoCRM',
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function accept(string $token, Request $request)
|
||||||
|
{
|
||||||
|
$request->validate([
|
||||||
|
'password' => 'required|min:8|confirmed',
|
||||||
|
]);
|
||||||
|
|
||||||
|
$user = User::findByInvitationToken($token);
|
||||||
|
if (! $user || ! $user->isPendingInvitation()) {
|
||||||
|
return view('invitations.invalid');
|
||||||
|
}
|
||||||
|
if ($user->invited_at && $user->invited_at->lt(now()->subDays(7))) {
|
||||||
|
return view('invitations.expired');
|
||||||
|
}
|
||||||
|
|
||||||
|
$user->acceptInvitation($request->input('password'));
|
||||||
|
|
||||||
|
// Redirect to tenant login on the appropriate subdomain
|
||||||
|
$loginUrl = $user->company?->url('/app/login') ?? '/app/login';
|
||||||
|
return redirect($loginUrl)->with('status', 'Invitația a fost acceptată. Loghează-te cu noua parolă.');
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,42 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Mail;
|
||||||
|
|
||||||
|
use App\Models\Tenant\User;
|
||||||
|
use Illuminate\Bus\Queueable;
|
||||||
|
use Illuminate\Mail\Mailable;
|
||||||
|
use Illuminate\Mail\Mailables\Content;
|
||||||
|
use Illuminate\Mail\Mailables\Envelope;
|
||||||
|
use Illuminate\Queue\SerializesModels;
|
||||||
|
|
||||||
|
class UserInvitationMail extends Mailable
|
||||||
|
{
|
||||||
|
use Queueable, SerializesModels;
|
||||||
|
|
||||||
|
public function __construct(
|
||||||
|
public User $user,
|
||||||
|
public string $rawToken,
|
||||||
|
) {}
|
||||||
|
|
||||||
|
public function envelope(): Envelope
|
||||||
|
{
|
||||||
|
$company = $this->user->company?->display_name ?? $this->user->company?->name ?? 'AutoCRM';
|
||||||
|
return new Envelope(
|
||||||
|
subject: "Invitație de acces — {$company}",
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function content(): Content
|
||||||
|
{
|
||||||
|
$company = $this->user->company;
|
||||||
|
return new Content(
|
||||||
|
view: 'emails.user-invitation',
|
||||||
|
with: [
|
||||||
|
'name' => $this->user->name,
|
||||||
|
'invitedBy' => $this->user->invitedBy?->name ?? 'Echipa',
|
||||||
|
'companyName' => $company?->display_name ?? $company?->name ?? 'AutoCRM',
|
||||||
|
'acceptUrl' => url('/invitations/' . $this->rawToken),
|
||||||
|
],
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -35,6 +35,7 @@ class User extends Authenticatable implements FilamentUser, HasAppAuthentication
|
|||||||
'email_verified_at', 'password', 'last_login_at',
|
'email_verified_at', 'password', 'last_login_at',
|
||||||
'email_authentication_at',
|
'email_authentication_at',
|
||||||
'app_authentication_secret', 'app_authentication_recovery_codes',
|
'app_authentication_secret', 'app_authentication_recovery_codes',
|
||||||
|
'invited_at', 'invited_by_id', 'accepted_at', 'invitation_token',
|
||||||
];
|
];
|
||||||
|
|
||||||
protected $hidden = [
|
protected $hidden = [
|
||||||
@@ -47,6 +48,8 @@ class User extends Authenticatable implements FilamentUser, HasAppAuthentication
|
|||||||
'email_verified_at' => 'datetime',
|
'email_verified_at' => 'datetime',
|
||||||
'last_login_at' => 'datetime',
|
'last_login_at' => 'datetime',
|
||||||
'email_authentication_at' => 'datetime',
|
'email_authentication_at' => 'datetime',
|
||||||
|
'invited_at' => 'datetime',
|
||||||
|
'accepted_at' => 'datetime',
|
||||||
'password' => 'hashed',
|
'password' => 'hashed',
|
||||||
'app_authentication_secret' => 'encrypted',
|
'app_authentication_secret' => 'encrypted',
|
||||||
'app_authentication_recovery_codes' => 'encrypted:array',
|
'app_authentication_recovery_codes' => 'encrypted:array',
|
||||||
@@ -84,6 +87,16 @@ class User extends Authenticatable implements FilamentUser, HasAppAuthentication
|
|||||||
return $this->hasMany(UserPermissionOverride::class);
|
return $this->hasMany(UserPermissionOverride::class);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function invitedBy(): \Illuminate\Database\Eloquent\Relations\BelongsTo
|
||||||
|
{
|
||||||
|
return $this->belongsTo(self::class, 'invited_by_id');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function company(): \Illuminate\Database\Eloquent\Relations\BelongsTo
|
||||||
|
{
|
||||||
|
return $this->belongsTo(\App\Models\Central\Company::class);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Permission check honoring (in order):
|
* Permission check honoring (in order):
|
||||||
* 1. Active deny-override → false
|
* 1. Active deny-override → false
|
||||||
@@ -150,6 +163,50 @@ class User extends Authenticatable implements FilamentUser, HasAppAuthentication
|
|||||||
return $this->app_authentication_secret !== null;
|
return $this->app_authentication_secret !== null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Pending invitation (sent but not yet accepted). */
|
||||||
|
public function isPendingInvitation(): bool
|
||||||
|
{
|
||||||
|
return $this->invited_at !== null && $this->accepted_at === null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create + send an invitation: generates a random token, marks invited_at,
|
||||||
|
* and queues the email with the signed accept link. Idempotent — calling
|
||||||
|
* again regenerates the token (useful for "resend invitation").
|
||||||
|
*/
|
||||||
|
public function sendInvitation(?User $invitedBy = null): string
|
||||||
|
{
|
||||||
|
$token = bin2hex(random_bytes(32)); // 64 chars
|
||||||
|
$this->forceFill([
|
||||||
|
'invitation_token' => hash('sha256', $token),
|
||||||
|
'invited_at' => now(),
|
||||||
|
'invited_by_id' => $invitedBy?->id ?? auth()->id(),
|
||||||
|
'accepted_at' => null,
|
||||||
|
'status' => 'inactive', // can't login until accepted
|
||||||
|
])->saveQuietly();
|
||||||
|
|
||||||
|
\Illuminate\Support\Facades\Mail::to($this->email)
|
||||||
|
->queue(new \App\Mail\UserInvitationMail($this, $token));
|
||||||
|
|
||||||
|
return $token; // returned mainly for tests / API
|
||||||
|
}
|
||||||
|
|
||||||
|
public static function findByInvitationToken(string $rawToken): ?self
|
||||||
|
{
|
||||||
|
return self::where('invitation_token', hash('sha256', $rawToken))->first();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function acceptInvitation(string $password): void
|
||||||
|
{
|
||||||
|
$this->forceFill([
|
||||||
|
'password' => $password, // hashed cast handles it
|
||||||
|
'invitation_token' => null,
|
||||||
|
'accepted_at' => now(),
|
||||||
|
'status' => 'active',
|
||||||
|
'email_verified_at' => now(),
|
||||||
|
])->save();
|
||||||
|
}
|
||||||
|
|
||||||
public function hasEmailAuthentication(): bool
|
public function hasEmailAuthentication(): bool
|
||||||
{
|
{
|
||||||
return $this->email_authentication_at !== null;
|
return $this->email_authentication_at !== null;
|
||||||
|
|||||||
@@ -0,0 +1,49 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
return new class extends Migration
|
||||||
|
{
|
||||||
|
public function up(): void
|
||||||
|
{
|
||||||
|
Schema::table('users', function (Blueprint $t) {
|
||||||
|
if (! Schema::hasColumn('users', 'invited_at')) {
|
||||||
|
$t->timestamp('invited_at')->nullable()->after('status');
|
||||||
|
}
|
||||||
|
if (! Schema::hasColumn('users', 'invited_by_id')) {
|
||||||
|
$t->foreignId('invited_by_id')->nullable()->after('invited_at')->constrained('users')->nullOnDelete();
|
||||||
|
}
|
||||||
|
if (! Schema::hasColumn('users', 'accepted_at')) {
|
||||||
|
$t->timestamp('accepted_at')->nullable()->after('invited_by_id');
|
||||||
|
}
|
||||||
|
if (! Schema::hasColumn('users', 'invitation_token')) {
|
||||||
|
$t->string('invitation_token', 80)->nullable()->after('accepted_at');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
// index on token for fast lookup
|
||||||
|
if (Schema::hasColumn('users', 'invitation_token')) {
|
||||||
|
try {
|
||||||
|
Schema::table('users', function (Blueprint $t) {
|
||||||
|
$t->index('invitation_token', 'users_invitation_token_idx');
|
||||||
|
});
|
||||||
|
} catch (\Throwable $e) { /* idempotent */ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function down(): void
|
||||||
|
{
|
||||||
|
Schema::table('users', function (Blueprint $t) {
|
||||||
|
try { $t->dropIndex('users_invitation_token_idx'); } catch (\Throwable $e) {}
|
||||||
|
foreach (['invitation_token', 'accepted_at', 'invited_by_id', 'invited_at'] as $col) {
|
||||||
|
if (Schema::hasColumn('users', $col)) {
|
||||||
|
if ($col === 'invited_by_id') {
|
||||||
|
try { $t->dropForeign(['invited_by_id']); } catch (\Throwable $e) {}
|
||||||
|
}
|
||||||
|
$t->dropColumn($col);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
<x-mail::message>
|
||||||
|
# Salut, {{ $name }}
|
||||||
|
|
||||||
|
Ai fost invitat de **{{ $invitedBy }}** să accesezi **{{ $companyName }}** pe AutoCRM.
|
||||||
|
|
||||||
|
Pentru a-ți activa contul și a-ți seta parola, apasă pe linkul de mai jos:
|
||||||
|
|
||||||
|
<x-mail::button :url="$acceptUrl" color="primary">
|
||||||
|
Acceptă invitația
|
||||||
|
</x-mail::button>
|
||||||
|
|
||||||
|
Linkul expiră în 7 zile. Dacă nu te aștepți la această invitație, ignoră acest mesaj.
|
||||||
|
|
||||||
|
Mulțumim,<br>
|
||||||
|
**{{ $companyName }}**
|
||||||
|
</x-mail::message>
|
||||||
@@ -0,0 +1,53 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="ro">
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<title>Acceptă invitația — {{ $company }}</title>
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
|
<style>
|
||||||
|
body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; background: #f5f7fa; color: #1a202c; margin: 0; padding: 0; min-height: 100vh; display: flex; align-items: center; justify-content: center; }
|
||||||
|
.card { background: white; padding: 32px; border-radius: 12px; box-shadow: 0 4px 20px rgba(0,0,0,0.08); max-width: 420px; width: 100%; }
|
||||||
|
h1 { font-size: 22px; margin: 0 0 8px; }
|
||||||
|
.sub { color: #4a5568; font-size: 14px; margin-bottom: 24px; }
|
||||||
|
label { display: block; font-size: 12px; font-weight: 600; color: #718096; text-transform: uppercase; letter-spacing: 0.5px; margin-bottom: 6px; }
|
||||||
|
input { width: 100%; padding: 10px 12px; border: 1px solid #e2e8f0; border-radius: 8px; font-size: 15px; box-sizing: border-box; outline: none; }
|
||||||
|
input:focus { border-color: #3b82f6; }
|
||||||
|
.field { margin-bottom: 16px; }
|
||||||
|
.field.readonly input { background: #f7fafc; color: #718096; }
|
||||||
|
.btn { width: 100%; padding: 12px; background: #3b82f6; color: white; border: none; border-radius: 8px; font-size: 15px; font-weight: 600; cursor: pointer; margin-top: 8px; }
|
||||||
|
.btn:hover { background: #2563eb; }
|
||||||
|
.errors { background: #fee2e2; color: #991b1b; padding: 10px 12px; border-radius: 6px; font-size: 13px; margin-bottom: 16px; }
|
||||||
|
</style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div class="card">
|
||||||
|
<h1>Bine ai venit, {{ $name }}!</h1>
|
||||||
|
<p class="sub">Ai fost invitat să accesezi <strong>{{ $company }}</strong>. Setează o parolă pentru a-ți activa contul.</p>
|
||||||
|
|
||||||
|
@if ($errors->any())
|
||||||
|
<div class="errors">
|
||||||
|
@foreach ($errors->all() as $error)
|
||||||
|
<div>{{ $error }}</div>
|
||||||
|
@endforeach
|
||||||
|
</div>
|
||||||
|
@endif
|
||||||
|
|
||||||
|
<form method="POST" action="{{ url('/invitations/' . $token) }}">
|
||||||
|
@csrf
|
||||||
|
<div class="field readonly">
|
||||||
|
<label>Email</label>
|
||||||
|
<input type="email" value="{{ $email }}" readonly>
|
||||||
|
</div>
|
||||||
|
<div class="field">
|
||||||
|
<label>Parolă nouă</label>
|
||||||
|
<input type="password" name="password" required minlength="8" autofocus>
|
||||||
|
</div>
|
||||||
|
<div class="field">
|
||||||
|
<label>Confirmă parola</label>
|
||||||
|
<input type="password" name="password_confirmation" required minlength="8">
|
||||||
|
</div>
|
||||||
|
<button class="btn" type="submit">Activează contul</button>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="ro"><head><meta charset="UTF-8"><title>Invitație expirată</title>
|
||||||
|
<style>body{font-family:-apple-system,sans-serif;background:#f5f7fa;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;color:#1a202c}.card{background:white;padding:32px;border-radius:12px;box-shadow:0 4px 20px rgba(0,0,0,0.08);max-width:420px;text-align:center}</style></head>
|
||||||
|
<body><div class="card"><h1>Invitație expirată</h1><p style="color:#4a5568">Linkul de invitație a expirat (durata maximă: 7 zile). Roagă administratorul să retrimită invitația.</p></div></body></html>
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="ro"><head><meta charset="UTF-8"><title>Invitație invalidă</title>
|
||||||
|
<style>body{font-family:-apple-system,sans-serif;background:#f5f7fa;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;color:#1a202c}.card{background:white;padding:32px;border-radius:12px;box-shadow:0 4px 20px rgba(0,0,0,0.08);max-width:420px;text-align:center}</style></head>
|
||||||
|
<body><div class="card"><h1>Invitație invalidă</h1><p style="color:#4a5568">Linkul nu mai este valabil sau a fost deja folosit.</p></div></body></html>
|
||||||
@@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
use App\Http\Controllers\Api\ApiAuthController;
|
use App\Http\Controllers\Api\ApiAuthController;
|
||||||
use App\Http\Controllers\Api\ClientApiController;
|
use App\Http\Controllers\Api\ClientApiController;
|
||||||
|
use App\Http\Controllers\Api\RoleApiController;
|
||||||
|
use App\Http\Controllers\Api\UserApiController;
|
||||||
use App\Http\Controllers\Api\VehicleApiController;
|
use App\Http\Controllers\Api\VehicleApiController;
|
||||||
use App\Http\Controllers\Api\WorkOrderApiController;
|
use App\Http\Controllers\Api\WorkOrderApiController;
|
||||||
use Illuminate\Support\Facades\Route;
|
use Illuminate\Support\Facades\Route;
|
||||||
@@ -17,5 +19,26 @@ Route::prefix('v1')->group(function () {
|
|||||||
Route::apiResource('clients', ClientApiController::class);
|
Route::apiResource('clients', ClientApiController::class);
|
||||||
Route::apiResource('vehicles', VehicleApiController::class);
|
Route::apiResource('vehicles', VehicleApiController::class);
|
||||||
Route::apiResource('work-orders', WorkOrderApiController::class);
|
Route::apiResource('work-orders', WorkOrderApiController::class);
|
||||||
|
|
||||||
|
// RBAC management — guarded by ADMIN_USERS_* / ADMIN_ROLES_MANAGE.
|
||||||
|
Route::apiResource('users', UserApiController::class);
|
||||||
|
Route::post('users/{user}/activate', [UserApiController::class, 'activate']);
|
||||||
|
Route::post('users/{user}/deactivate', [UserApiController::class, 'deactivate']);
|
||||||
|
Route::post('users/{user}/resend-invitation', [UserApiController::class, 'resendInvitation']);
|
||||||
|
Route::post('users/{user}/force-password-reset', [UserApiController::class, 'forcePasswordReset']);
|
||||||
|
Route::get('users/{user}/sessions', [UserApiController::class, 'sessions']);
|
||||||
|
Route::delete('users/{user}/sessions', [UserApiController::class, 'revokeAllSessions']);
|
||||||
|
Route::delete('users/{user}/sessions/{sessionId}', [UserApiController::class, 'revokeSession']);
|
||||||
|
Route::get('users/{user}/roles', [UserApiController::class, 'roles']);
|
||||||
|
Route::post('users/{user}/roles', [UserApiController::class, 'assignRole']);
|
||||||
|
Route::delete('users/{user}/roles/{role}', [UserApiController::class, 'removeRole']);
|
||||||
|
Route::get('users/{user}/permissions', [UserApiController::class, 'permissions']);
|
||||||
|
Route::post('users/{user}/permission-overrides', [UserApiController::class, 'addOverride']);
|
||||||
|
Route::delete('users/{user}/permission-overrides/{permission}', [UserApiController::class, 'removeOverride']);
|
||||||
|
|
||||||
|
Route::apiResource('roles', RoleApiController::class);
|
||||||
|
Route::get('roles/{role}/permissions', [RoleApiController::class, 'permissions']);
|
||||||
|
Route::put('roles/{role}/permissions', [RoleApiController::class, 'syncPermissions']);
|
||||||
|
Route::get('permissions', [RoleApiController::class, 'permissionCatalog']);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -47,6 +47,12 @@ Route::post('/payments/paypal/webhook', [\App\Http\Controllers\PaymentController
|
|||||||
Route::post('/payments/paynet/webhook', [\App\Http\Controllers\PaymentController::class, 'paynetWebhook'])
|
Route::post('/payments/paynet/webhook', [\App\Http\Controllers\PaymentController::class, 'paynetWebhook'])
|
||||||
->withoutMiddleware([\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class]);
|
->withoutMiddleware([\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class]);
|
||||||
|
|
||||||
|
// User invitation accept flow (no auth required — token is the credential).
|
||||||
|
Route::get('/invitations/{token}', [\App\Http\Controllers\InvitationController::class, 'show'])
|
||||||
|
->name('invitation.show');
|
||||||
|
Route::post('/invitations/{token}', [\App\Http\Controllers\InvitationController::class, 'accept'])
|
||||||
|
->name('invitation.accept');
|
||||||
|
|
||||||
// Stub `login` route — needed because Laravel's auth middleware tries to
|
// Stub `login` route — needed because Laravel's auth middleware tries to
|
||||||
// route('login') when redirecting unauthenticated requests. We don't have a
|
// route('login') when redirecting unauthenticated requests. We don't have a
|
||||||
// global /login (panels use /admin/login and /app/login), so stub it.
|
// global /login (panels use /admin/login and /app/login), so stub it.
|
||||||
|
|||||||
@@ -0,0 +1,151 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use App\Mail\UserInvitationMail;
|
||||||
|
use App\Models\Central\Company;
|
||||||
|
use App\Models\Central\Plan;
|
||||||
|
use App\Models\Tenant\User;
|
||||||
|
use App\Services\RbacSeeder;
|
||||||
|
use App\Tenancy\TenantManager;
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Illuminate\Support\Facades\Mail;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class InvitationFlowTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
private Company $company;
|
||||||
|
|
||||||
|
protected function setUp(): void
|
||||||
|
{
|
||||||
|
parent::setUp();
|
||||||
|
$plan = Plan::firstOrCreate(['slug' => 'test'], ['name' => 'T', 'price' => 0, 'features' => []]);
|
||||||
|
$this->company = Company::create([
|
||||||
|
'plan_id' => $plan->id, 'slug' => 'inv-' . uniqid(),
|
||||||
|
'name' => 'Inv Co', 'status' => 'active',
|
||||||
|
]);
|
||||||
|
app(TenantManager::class)->setCurrent($this->company);
|
||||||
|
app(RbacSeeder::class)->seedTenantRoles($this->company->id);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_send_invitation_generates_token_marks_pending_and_queues_mail(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$u->refresh();
|
||||||
|
$this->assertNotEmpty($token);
|
||||||
|
$this->assertEquals(64, strlen($token));
|
||||||
|
$this->assertNotNull($u->invited_at);
|
||||||
|
$this->assertNull($u->accepted_at);
|
||||||
|
$this->assertEquals('inactive', $u->status);
|
||||||
|
$this->assertTrue($u->isPendingInvitation());
|
||||||
|
|
||||||
|
// Stored token is sha256 hash, not the raw value
|
||||||
|
$this->assertNotEquals($token, $u->invitation_token);
|
||||||
|
$this->assertEquals(hash('sha256', $token), $u->invitation_token);
|
||||||
|
|
||||||
|
Mail::assertQueued(UserInvitationMail::class, fn ($m) => $m->user->id === $u->id);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_find_by_invitation_token_resolves_user(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$found = User::findByInvitationToken($token);
|
||||||
|
$this->assertNotNull($found);
|
||||||
|
$this->assertEquals($u->id, $found->id);
|
||||||
|
|
||||||
|
// Wrong token returns null
|
||||||
|
$this->assertNull(User::findByInvitationToken('not-a-real-token'));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_accept_invitation_sets_password_clears_token_activates(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('placeholder'), 'role' => 'mechanic', 'status' => 'inactive']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$u->refresh();
|
||||||
|
$u->acceptInvitation('NewStrongPass123');
|
||||||
|
|
||||||
|
$u->refresh();
|
||||||
|
$this->assertNull($u->invitation_token);
|
||||||
|
$this->assertNotNull($u->accepted_at);
|
||||||
|
$this->assertEquals('active', $u->status);
|
||||||
|
$this->assertNotNull($u->email_verified_at);
|
||||||
|
$this->assertTrue(\Hash::check('NewStrongPass123', $u->password));
|
||||||
|
$this->assertFalse($u->isPendingInvitation());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_invitation_url_returns_form_with_token(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$resp = $this->get("/invitations/{$token}");
|
||||||
|
$resp->assertStatus(200);
|
||||||
|
$resp->assertSee($u->name);
|
||||||
|
$resp->assertSee('Activează contul');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_invitation_post_accepts_password_and_redirects(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('placeholder'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$resp = $this->post("/invitations/{$token}", [
|
||||||
|
'password' => 'BrandNewPass1',
|
||||||
|
'password_confirmation' => 'BrandNewPass1',
|
||||||
|
]);
|
||||||
|
$resp->assertStatus(302);
|
||||||
|
|
||||||
|
$u->refresh();
|
||||||
|
$this->assertNotNull($u->accepted_at);
|
||||||
|
$this->assertTrue(\Hash::check('BrandNewPass1', $u->password));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_invalid_token_returns_invalid_view(): void
|
||||||
|
{
|
||||||
|
$resp = $this->get('/invitations/not-a-real-token');
|
||||||
|
$resp->assertStatus(200);
|
||||||
|
$resp->assertSee('Invitație invalidă');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_expired_invitation_returns_expired_view(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
// Force expiry by backdating invited_at
|
||||||
|
$u->forceFill(['invited_at' => now()->subDays(8)])->saveQuietly();
|
||||||
|
|
||||||
|
$resp = $this->get("/invitations/{$token}");
|
||||||
|
$resp->assertStatus(200);
|
||||||
|
$resp->assertSee('Invitație expirată');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_password_too_short_returns_validation_error(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$token = $u->sendInvitation();
|
||||||
|
|
||||||
|
$resp = $this->post("/invitations/{$token}", [
|
||||||
|
'password' => 'short',
|
||||||
|
'password_confirmation' => 'short',
|
||||||
|
]);
|
||||||
|
$resp->assertSessionHasErrors('password');
|
||||||
|
|
||||||
|
$u->refresh();
|
||||||
|
$this->assertNull($u->accepted_at);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,203 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use App\Auth\Permissions;
|
||||||
|
use App\Mail\UserInvitationMail;
|
||||||
|
use App\Models\Central\Company;
|
||||||
|
use App\Models\Central\Plan;
|
||||||
|
use App\Models\Tenant\User;
|
||||||
|
use App\Models\Tenant\UserPermissionOverride;
|
||||||
|
use App\Services\RbacSeeder;
|
||||||
|
use App\Tenancy\TenantManager;
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Illuminate\Support\Facades\Mail;
|
||||||
|
use Laravel\Sanctum\Sanctum;
|
||||||
|
use Spatie\Permission\Models\Permission;
|
||||||
|
use Spatie\Permission\PermissionRegistrar;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class RbacApiTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
private Company $company;
|
||||||
|
private User $admin;
|
||||||
|
private User $mechanic;
|
||||||
|
|
||||||
|
protected function setUp(): void
|
||||||
|
{
|
||||||
|
parent::setUp();
|
||||||
|
$plan = Plan::firstOrCreate(['slug' => 'test'], ['name' => 'T', 'price' => 0, 'features' => []]);
|
||||||
|
$this->company = Company::create([
|
||||||
|
'plan_id' => $plan->id, 'slug' => 'api-' . uniqid(),
|
||||||
|
'name' => 'API Co', 'status' => 'active',
|
||||||
|
]);
|
||||||
|
app(TenantManager::class)->setCurrent($this->company);
|
||||||
|
app(RbacSeeder::class)->seedTenantRoles($this->company->id);
|
||||||
|
app(PermissionRegistrar::class)->setPermissionsTeamId($this->company->id);
|
||||||
|
|
||||||
|
$this->admin = User::create(['name' => 'A', 'email' => 'a@e.com', 'password' => bcrypt('x'), 'role' => 'admin', 'status' => 'active']);
|
||||||
|
$this->admin->syncRoles(['admin']);
|
||||||
|
|
||||||
|
$this->mechanic = User::create(['name' => 'M', 'email' => 'm@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
||||||
|
$this->mechanic->syncRoles(['mechanic']);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_admin_can_list_users_via_api(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->getJson('/api/v1/users');
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->assertGreaterThanOrEqual(2, count($resp->json('data')));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_mechanic_cannot_list_users_403(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->mechanic);
|
||||||
|
|
||||||
|
$resp = $this->getJson('/api/v1/users');
|
||||||
|
$resp->assertForbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_admin_can_create_user_and_invitation_is_sent(): void
|
||||||
|
{
|
||||||
|
Mail::fake();
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->postJson('/api/v1/users', [
|
||||||
|
'name' => 'New U', 'email' => 'newu@e.com',
|
||||||
|
'role' => 'receptionist', 'send_invitation' => true,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$resp->assertCreated();
|
||||||
|
$this->assertEquals('inactive', $resp->json('data.status')); // inactive until invitation accepted
|
||||||
|
$this->assertTrue($resp->json('invitation_sent'));
|
||||||
|
Mail::assertQueued(UserInvitationMail::class);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_admin_can_assign_and_remove_roles_via_api(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->postJson("/api/v1/users/{$this->mechanic->id}/roles", ['role' => 'receptionist']);
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->mechanic->refresh();
|
||||||
|
$this->assertTrue($this->mechanic->hasRole('receptionist'));
|
||||||
|
|
||||||
|
$resp = $this->deleteJson("/api/v1/users/{$this->mechanic->id}/roles/receptionist");
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->mechanic->refresh();
|
||||||
|
$this->assertFalse($this->mechanic->hasRole('receptionist'));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_effective_permissions_endpoint_subtracts_denies(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
// Admin has FINANCE_VIEW_OVERVIEW. Add a deny override.
|
||||||
|
$perm = Permission::where('name', Permissions::FINANCE_VIEW_OVERVIEW)->first();
|
||||||
|
UserPermissionOverride::create([
|
||||||
|
'user_id' => $this->admin->id, 'permission_id' => $perm->id,
|
||||||
|
'mode' => 'deny', 'reason' => 'test', 'granted_at' => now(),
|
||||||
|
]);
|
||||||
|
|
||||||
|
$resp = $this->getJson("/api/v1/users/{$this->admin->id}/permissions");
|
||||||
|
$resp->assertOk();
|
||||||
|
$effective = collect($resp->json('data'));
|
||||||
|
$this->assertFalse($effective->contains(Permissions::FINANCE_VIEW_OVERVIEW));
|
||||||
|
$denies = collect($resp->json('overrides.denies'));
|
||||||
|
$this->assertTrue($denies->contains(Permissions::FINANCE_VIEW_OVERVIEW));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_add_override_via_api_persists(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->postJson("/api/v1/users/{$this->mechanic->id}/permission-overrides", [
|
||||||
|
'permission' => Permissions::WORK_ORDERS_VIEW_ALL,
|
||||||
|
'mode' => 'grant',
|
||||||
|
'reason' => 'pinch hitter',
|
||||||
|
'expires_at' => now()->addDays(3)->toIso8601String(),
|
||||||
|
]);
|
||||||
|
$resp->assertOk();
|
||||||
|
|
||||||
|
$this->mechanic->refresh();
|
||||||
|
$this->assertEquals(1, $this->mechanic->permissionOverrides()->count());
|
||||||
|
$this->assertTrue($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_remove_override_via_api(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
$perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first();
|
||||||
|
UserPermissionOverride::create(['user_id' => $this->mechanic->id, 'permission_id' => $perm->id, 'mode' => 'grant', 'granted_at' => now()]);
|
||||||
|
|
||||||
|
$resp = $this->deleteJson("/api/v1/users/{$this->mechanic->id}/permission-overrides/" . Permissions::WORK_ORDERS_VIEW_ALL);
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->assertEquals(0, $this->mechanic->fresh()->permissionOverrides()->count());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_role_index_returns_all_roles_with_counts(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->getJson('/api/v1/roles');
|
||||||
|
$resp->assertOk();
|
||||||
|
$roles = collect($resp->json('data'));
|
||||||
|
$this->assertGreaterThanOrEqual(7, $roles->count());
|
||||||
|
$owner = $roles->firstWhere('name', 'owner');
|
||||||
|
$this->assertNotNull($owner);
|
||||||
|
$this->assertEquals(51, $owner['permissions_count']);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_role_sync_permissions_updates_role(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
$role = \Spatie\Permission\Models\Role::create(['name' => 'custom_role', 'guard_name' => 'web']);
|
||||||
|
|
||||||
|
$resp = $this->putJson("/api/v1/roles/{$role->id}/permissions", [
|
||||||
|
'permissions' => [Permissions::CLIENTS_VIEW_ALL, Permissions::VEHICLES_VIEW_ALL],
|
||||||
|
]);
|
||||||
|
$resp->assertOk();
|
||||||
|
|
||||||
|
$this->assertEquals(2, $role->fresh()->permissions()->count());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_role_destroy_rejects_system_role(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
$owner = \Spatie\Permission\Models\Role::where('name', 'owner')->where('company_id', $this->company->id)->first();
|
||||||
|
|
||||||
|
$resp = $this->deleteJson("/api/v1/roles/{$owner->id}");
|
||||||
|
$resp->assertStatus(422);
|
||||||
|
$this->assertEquals('Cannot delete system role', $resp->json('error'));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_permission_catalog_endpoint_returns_full_list_and_groups(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
|
||||||
|
$resp = $this->getJson('/api/v1/permissions');
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->assertEquals(51, count($resp->json('data')));
|
||||||
|
$this->assertArrayHasKey('grouped', $resp->json());
|
||||||
|
$this->assertArrayHasKey('clients', $resp->json('grouped'));
|
||||||
|
$this->assertArrayHasKey('roles', $resp->json());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_revoke_all_sessions_endpoint(): void
|
||||||
|
{
|
||||||
|
Sanctum::actingAs($this->admin);
|
||||||
|
\DB::table('sessions')->insert([
|
||||||
|
['id' => 's1', 'user_id' => $this->mechanic->id, 'ip_address' => '1.1.1.1', 'user_agent' => 'X', 'payload' => '', 'last_activity' => time()],
|
||||||
|
['id' => 's2', 'user_id' => $this->mechanic->id, 'ip_address' => '2.2.2.2', 'user_agent' => 'Y', 'payload' => '', 'last_activity' => time()],
|
||||||
|
]);
|
||||||
|
|
||||||
|
$resp = $this->deleteJson("/api/v1/users/{$this->mechanic->id}/sessions");
|
||||||
|
$resp->assertOk();
|
||||||
|
$this->assertEquals(2, $resp->json('revoked_count'));
|
||||||
|
$this->assertEquals(0, \DB::table('sessions')->where('user_id', $this->mechanic->id)->count());
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user