Files
Vasyka 58004b65c4 feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission
catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/
inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants,
not magic strings — refactors against renames stay safe.

== 7 system roles ==
owner / admin / manager / accountant / receptionist / mechanic / viewer
Each gets a curated role-permission matrix per the TZ section 2.4:
- owner + admin: all 51
- manager: 23 (operations + reporting, no destructive finance/users)
- accountant: 17 (full finance/salaries, view-only WOs, no admin)
- receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create)
- mechanic: 4 (own WOs + inventory view + own salary)
- viewer: 6 (read-only everything except finance/salaries)

== Seeder ==
App\Services\RbacSeeder:
- seedPermissions() creates the 51 Permission rows globally (idempotent)
- seedTenantRoles($companyId) sets the team context, creates the 7 Role
  rows scoped to that tenant, and syncPermissions per matrix
- syncUsersToRoles($companyId) maps legacy users.role string column to
  the new Spatie role assignment (parts_manager→manager, master→mechanic,
  marketer→manager, user→viewer)

== Migration ==
2026_06_04_000003 loops over all existing Companies and runs the seeder.
On a fresh prod deploy, every tenant gets the full RBAC catalog wired up
automatically. CompanyProvisioner::provision() also calls the seeder for
new tenants going forward.

== Resource gates ==
canViewAny / canCreate / canDelete on:
- PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT)
- ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT)
- PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE)
- RoleResource (ADMIN_ROLES_MANAGE)

Mechanic sees only own WOs + inventory + own salary. Accountant sees all
finance but not admin. Receptionist sees clients/WOs but not finance
overview. Etc.

== User helpers ==
$user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to
prevent lockouts from misconfigured permission grants.
$user->isOwner() / isAccountant() / isMechanic() — role shortcuts.
$user->hasTwoFactorEnabled() — true when app_authentication_secret is set.

== 2FA ==
Filament 5's native MultiFactorAuthentication (App + Email) is already
enabled in both TenantPanelProvider and CentralPanelProvider — confirmed.
The User model already implements HasAppAuthentication +
HasAppAuthenticationRecovery + HasEmailAuthentication.

This commit adds UX around it:
- UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off)
- UserResource form: "Securitate" section shows enabled/disabled + last_login_at
- New admin action "Resetează 2FA" with confirmation modal — clears
  app_authentication_secret + recovery codes for locked-out users

== Roles management UI ==
New /app/roles RoleResource:
- List: role label + slug + permission count + user count
- Edit: 10 grouped checkbox lists (per module) for fine-grained
  permission assignment + bulk-toggle per group
- System roles (owner/admin/etc.) have slug locked, can't be deleted
- Custom tenant-specific roles can be added on top
- Gated behind ADMIN_ROLES_MANAGE

== UserResource extension ==
- Role select now uses Permissions::roleLabels() (owner/admin/manager/...)
- New "Roluri suplimentare" multi-select for stacking roles on top of
  the primary one (permissions cumulate)
- afterSave syncs the picked roles + ensures primary role is always
  included

== Tests ==
RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has
all, mechanic has minimal, accountant has finance but not admin,
canDo returns true when role has permission, admin bypass, owner helper,
syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic,
user→viewer), 2FA helper round-trip.

Suite: 206 passed (576 assertions). Was 196.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-04 22:03:03 +00:00

143 lines
6.4 KiB
PHP

<?php
namespace App\Filament\Tenant\Resources;
use App\Filament\Tenant\Resources\PayrollRunResource\Pages;
use App\Models\Tenant\PayrollRun;
use App\Models\Tenant\User;
use App\Services\PayrollCalculator;
use Filament\Actions;
use Filament\Forms;
use Filament\Notifications\Notification;
use Filament\Resources\Resource;
use Filament\Schemas;
use Filament\Schemas\Schema;
use Filament\Tables;
use Filament\Tables\Table;
class PayrollRunResource extends Resource
{
protected static ?string $model = PayrollRun::class;
protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-banknotes';
protected static ?string $navigationLabel = 'Salarii';
protected static string|\UnitEnum|null $navigationGroup = 'Finanțe';
protected static ?string $modelLabel = 'salariu';
protected static ?string $pluralModelLabel = 'salarii';
protected static ?int $navigationSort = 53;
public static function canViewAny(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_VIEW_ALL) ?? false;
}
public static function canCreate(): bool
{
return auth()->user()?->canDo(\App\Auth\Permissions::SALARIES_CALCULATE) ?? false;
}
public static function form(Schema $schema): Schema
{
return $schema->components([
Schemas\Components\Section::make('Detalii')
->columns(2)
->schema([
Forms\Components\Select::make('user_id')
->label('Utilizator')
->options(fn () => User::orderBy('name')->pluck('name', 'id'))
->searchable()
->required(),
Forms\Components\TextInput::make('period')
->label('Perioada (YYYY-MM)')
->placeholder(now()->format('Y-m'))
->required()
->regex('/^\d{4}-\d{2}$/'),
]),
Schemas\Components\Section::make('Calcul')
->columns(3)
->schema([
Forms\Components\TextInput::make('base')->label('Bază')->numeric()->default(0),
Forms\Components\TextInput::make('works_revenue')->label('Venit manopere')->numeric()->disabled(),
Forms\Components\TextInput::make('works_pct_amount')->label('Comision manopere')->numeric()->disabled(),
Forms\Components\TextInput::make('parts_margin')->label('Marja piese')->numeric()->disabled(),
Forms\Components\TextInput::make('parts_pct_amount')->label('Comision piese')->numeric()->disabled(),
Forms\Components\TextInput::make('bonus')->numeric()->default(0),
Forms\Components\TextInput::make('fines')->label('Penalizări')->numeric()->default(0),
Forms\Components\TextInput::make('advance')->label('Avans')->numeric()->default(0),
Forms\Components\TextInput::make('total')->label('Total net')->numeric()->disabled(),
]),
Schemas\Components\Section::make('Plată')
->columns(2)
->schema([
Forms\Components\Toggle::make('paid')->label('Achitat'),
Forms\Components\DatePicker::make('paid_at')->label('Data plății'),
]),
Forms\Components\Textarea::make('notes')->label('Notițe')->columnSpanFull()->rows(2),
]);
}
public static function table(Table $table): Table
{
return $table
->columns([
Tables\Columns\TextColumn::make('period')->label('Perioadă')->sortable(),
Tables\Columns\TextColumn::make('user.name')->label('Utilizator')->searchable(),
Tables\Columns\TextColumn::make('base')->money('MDL')->alignRight(),
Tables\Columns\TextColumn::make('works_pct_amount')->label('% manopere')->money('MDL')->alignRight(),
Tables\Columns\TextColumn::make('parts_pct_amount')->label('% piese')->money('MDL')->alignRight(),
Tables\Columns\TextColumn::make('bonus')->money('MDL')->alignRight()->color('success'),
Tables\Columns\TextColumn::make('fines')->money('MDL')->alignRight()->color('danger'),
Tables\Columns\TextColumn::make('advance')->money('MDL')->alignRight()->color('warning'),
Tables\Columns\TextColumn::make('total')->label('Total')->money('MDL')->alignRight()->weight('bold')
->summarize(Tables\Columns\Summarizers\Sum::make()->money('MDL')),
Tables\Columns\IconColumn::make('paid')->boolean(),
])
->headerActions([
Actions\Action::make('compute_all')
->label('Calculează luna curentă')
->icon('heroicon-m-calculator')
->color('primary')
->action(function () {
$period = now()->format('Y-m');
$count = 0;
foreach (User::pluck('id') as $uid) {
app(PayrollCalculator::class)->compute($uid, $period);
$count++;
}
Notification::make()
->title("Calculat salariul {$period} pentru {$count} utilizatori")
->success()->send();
}),
])
->filters([
Tables\Filters\SelectFilter::make('period')
->label('Perioadă')
->options(fn () => PayrollRun::distinct()->pluck('period', 'period')->toArray()),
Tables\Filters\TernaryFilter::make('paid')->label('Achitat'),
])
->actions([
Actions\Action::make('recompute')
->label('Recalculează')
->icon('heroicon-m-arrow-path')
->action(fn (PayrollRun $r) => app(PayrollCalculator::class)->compute($r->user_id, $r->period)),
Actions\EditAction::make(),
Actions\DeleteAction::make(),
])
->defaultSort('period', 'desc');
}
public static function getPages(): array
{
return [
'index' => Pages\ListPayrollRuns::route('/'),
'create' => Pages\CreatePayrollRun::route('/create'),
'edit' => Pages\EditPayrollRun::route('/{record}/edit'),
];
}
}