cbcf08b28c7c41b126723d6dc2bc442754668081
2 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
58004b65c4 |
feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
06696727dd |
Faza 6: Activity log + Kanban + Payroll + cleanup
══════ Activity log (Spatie) ══════ - spatie/laravel-activitylog v5 instalat - Migration cu company_id pentru tenant scoping - Trait Auditable (App\Models\Concerns\Auditable): - LogOptions cu logFillable + logOnlyDirty + dontSubmitEmptyLogs - tapActivity auto-fill company_id + causer - Descrieri RO (creat/modificat/șters/restaurat) - Aplicat pe: Client, Vehicle, Lead, Deal, WorkOrder, Payment, Expense - ActivityResource (group Admin → Jurnal activitate) - Listă read-only, scope pe tenant, filtre by description/today ══════ Kanban Work Orders ══════ - Custom Filament page la /app/kanban (group Service) - 6 coloane (new → diagnosis → agreement → in_work → awaiting_parts → ready) - Drag-drop nativ HTML5 cu wire:click moveCard() - Cards arată: număr fișă, client, auto, plate, master, total - Link 'Deschide' direct la editare WO ══════ Payroll (Salarii) ══════ Schema: - employee_profiles: user_id, position, base_salary, works_pct, parts_pct - payroll_runs: period (YYYY-MM), base, works_revenue/pct, parts_margin/pct, bonus, fines, advance, total auto-calculat - payroll_adjustments: bonus/fine/advance per period PayrollCalculator service: - compute($userId, $period) — calculează auto: - Manopere finalizate de mecanic în luna respectivă (sum total) - Marja pieselor montate de el (sell-buy * qty) - Bonus + fines + advance from adjustments - Total = base + works% + parts% + bonus - fines - advance Resources Filament (group Finanțe): - EmployeeProfileResource: profil cu % comisioane - PayrollRunResource: salarii cu action 'Calculează luna curentă' (toți userii) + per-row 'Recalculează'; Sum summary pe total - PayrollAdjustmentResource: gestionare bonus/penalizări/avansuri ══════ Cleanup ══════ - Șterse toate /__debug, /__seed, /__try-login, /__force-login, /__whoami, /__coolify-check (security) - Routes/web.php conține doar / redirect, /manifest.json, /sw.js Total Filament tenant routes: 92. |