authorize(Permissions::ADMIN_USERS_VIEW); $q = User::query(); if ($role = $request->query('role')) $q->where('role', $role); if ($status = $request->query('status')) $q->where('status', $status); if ($search = $request->query('q')) { $q->where(fn ($qq) => $qq->where('name', 'like', "%$search%")->orWhere('email', 'like', "%$search%")); } return response()->json([ 'data' => $q->paginate((int) $request->query('per_page', 25))->items(), 'meta' => ['total' => $q->count()], ]); } public function show(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_VIEW); return response()->json(['data' => $user->load('roles', 'permissionOverrides.permission', 'invitedBy:id,name')]); } public function store(Request $request): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $data = $request->validate([ 'name' => 'required|string|max:120', 'email' => 'required|email|max:120', 'phone' => 'nullable|string|max:40', 'role' => 'required|string|in:' . implode(',', array_keys(Permissions::roleMatrix())), 'locale' => 'nullable|in:ro,ru,en', 'send_invitation' => 'nullable|boolean', ]); $user = User::create([ 'name' => $data['name'], 'email' => $data['email'], 'phone' => $data['phone'] ?? null, 'role' => $data['role'], 'locale' => $data['locale'] ?? 'ro', 'status' => 'inactive', 'password' => Hash::make(bin2hex(random_bytes(16))), // placeholder until invitation accept ]); $user->syncRoles([$data['role']]); if ($data['send_invitation'] ?? true) { $user->sendInvitation(auth()->user()); } return response()->json(['data' => $user->fresh(), 'invitation_sent' => $data['send_invitation'] ?? true], 201); } public function update(Request $request, User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $data = $request->validate([ 'name' => 'sometimes|string|max:120', 'email' => 'sometimes|email|max:120', 'phone' => 'sometimes|nullable|string|max:40', 'locale' => 'sometimes|in:ro,ru,en', 'role' => 'sometimes|in:' . implode(',', array_keys(Permissions::roleMatrix())), 'status' => 'sometimes|in:active,inactive,blocked', ]); $user->update($data); if (isset($data['role'])) $user->syncRoles([$data['role']]); return response()->json(['data' => $user->fresh()]); } public function destroy(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $user->delete(); return response()->json(['deleted' => true]); } public function activate(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $user->update(['status' => 'active']); return response()->json(['data' => $user->fresh()]); } public function deactivate(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $user->update(['status' => 'inactive']); DB::table('sessions')->where('user_id', $user->id)->delete(); return response()->json(['data' => $user->fresh()]); } public function resendInvitation(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); if ($user->accepted_at) { return response()->json(['error' => 'User already accepted invitation'], 422); } $user->sendInvitation(auth()->user()); return response()->json(['invitation_sent' => true]); } public function forcePasswordReset(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $user->update(['status' => 'inactive', 'accepted_at' => null]); DB::table('sessions')->where('user_id', $user->id)->delete(); $user->sendInvitation(auth()->user()); return response()->json(['invitation_sent' => true]); } public function sessions(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $rows = DB::table('sessions')->where('user_id', $user->id) ->select('id', 'ip_address', 'user_agent', 'last_activity')->get(); return response()->json(['data' => $rows]); } public function revokeSession(User $user, string $sessionId): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $n = DB::table('sessions')->where('user_id', $user->id)->where('id', $sessionId)->delete(); return response()->json(['revoked' => $n > 0]); } public function revokeAllSessions(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $n = DB::table('sessions')->where('user_id', $user->id)->delete(); return response()->json(['revoked_count' => $n]); } public function roles(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_VIEW); return response()->json(['data' => $user->roles->pluck('name')]); } public function assignRole(Request $request, User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $data = $request->validate(['role' => 'required|string']); $user->assignRole($data['role']); return response()->json(['data' => $user->roles->pluck('name')]); } public function removeRole(User $user, string $role): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $user->removeRole($role); return response()->json(['data' => $user->roles->pluck('name')]); } public function permissions(User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_VIEW); // Effective: roles + grants - denies (active only) $rolePerms = $user->getAllPermissions()->pluck('name'); $denies = $user->permissionOverrides() ->where('mode', 'deny') ->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now())) ->with('permission')->get()->pluck('permission.name'); $grants = $user->permissionOverrides() ->where('mode', 'grant') ->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now())) ->with('permission')->get()->pluck('permission.name'); $effective = $rolePerms->merge($grants)->unique()->reject(fn ($p) => $denies->contains($p))->values(); return response()->json([ 'data' => $effective, 'overrides' => ['grants' => $grants, 'denies' => $denies], ]); } public function addOverride(Request $request, User $user): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $data = $request->validate([ 'permission' => 'required|string', 'mode' => 'required|in:grant,deny', 'reason' => 'nullable|string', 'expires_at' => 'nullable|date', ]); $perm = Permission::where('name', $data['permission'])->firstOrFail(); UserPermissionOverride::updateOrCreate( ['user_id' => $user->id, 'permission_id' => $perm->id], [ 'mode' => $data['mode'], 'reason' => $data['reason'] ?? null, 'expires_at' => $data['expires_at'] ?? null, 'granted_by_id' => auth()->id(), 'granted_at' => now(), ] ); return response()->json(['data' => $user->load('permissionOverrides.permission')]); } public function removeOverride(User $user, string $permission): JsonResponse { $this->authorize(Permissions::ADMIN_USERS_MANAGE); $perm = Permission::where('name', $permission)->firstOrFail(); UserPermissionOverride::where('user_id', $user->id)->where('permission_id', $perm->id)->delete(); return response()->json(['removed' => true]); } private function authorize(string $permission): void { if (! auth()->user() || ! auth()->user()->canDo($permission)) { abort(403, "Missing permission: $permission"); } } }