Files
autocrm/app/Services/CompanyProvisioner.php
Vasyka 58004b65c4 feat: RBAC catalog + 2FA UX (P0 blocker from /tmp/service/new/01-TZ)
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission
catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/
inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants,
not magic strings — refactors against renames stay safe.

== 7 system roles ==
owner / admin / manager / accountant / receptionist / mechanic / viewer
Each gets a curated role-permission matrix per the TZ section 2.4:
- owner + admin: all 51
- manager: 23 (operations + reporting, no destructive finance/users)
- accountant: 17 (full finance/salaries, view-only WOs, no admin)
- receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create)
- mechanic: 4 (own WOs + inventory view + own salary)
- viewer: 6 (read-only everything except finance/salaries)

== Seeder ==
App\Services\RbacSeeder:
- seedPermissions() creates the 51 Permission rows globally (idempotent)
- seedTenantRoles($companyId) sets the team context, creates the 7 Role
  rows scoped to that tenant, and syncPermissions per matrix
- syncUsersToRoles($companyId) maps legacy users.role string column to
  the new Spatie role assignment (parts_manager→manager, master→mechanic,
  marketer→manager, user→viewer)

== Migration ==
2026_06_04_000003 loops over all existing Companies and runs the seeder.
On a fresh prod deploy, every tenant gets the full RBAC catalog wired up
automatically. CompanyProvisioner::provision() also calls the seeder for
new tenants going forward.

== Resource gates ==
canViewAny / canCreate / canDelete on:
- PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT)
- ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT)
- PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE)
- UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE)
- RoleResource (ADMIN_ROLES_MANAGE)

Mechanic sees only own WOs + inventory + own salary. Accountant sees all
finance but not admin. Receptionist sees clients/WOs but not finance
overview. Etc.

== User helpers ==
$user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to
prevent lockouts from misconfigured permission grants.
$user->isOwner() / isAccountant() / isMechanic() — role shortcuts.
$user->hasTwoFactorEnabled() — true when app_authentication_secret is set.

== 2FA ==
Filament 5's native MultiFactorAuthentication (App + Email) is already
enabled in both TenantPanelProvider and CentralPanelProvider — confirmed.
The User model already implements HasAppAuthentication +
HasAppAuthenticationRecovery + HasEmailAuthentication.

This commit adds UX around it:
- UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off)
- UserResource form: "Securitate" section shows enabled/disabled + last_login_at
- New admin action "Resetează 2FA" with confirmation modal — clears
  app_authentication_secret + recovery codes for locked-out users

== Roles management UI ==
New /app/roles RoleResource:
- List: role label + slug + permission count + user count
- Edit: 10 grouped checkbox lists (per module) for fine-grained
  permission assignment + bulk-toggle per group
- System roles (owner/admin/etc.) have slug locked, can't be deleted
- Custom tenant-specific roles can be added on top
- Gated behind ADMIN_ROLES_MANAGE

== UserResource extension ==
- Role select now uses Permissions::roleLabels() (owner/admin/manager/...)
- New "Roluri suplimentare" multi-select for stacking roles on top of
  the primary one (permissions cumulate)
- afterSave syncs the picked roles + ensures primary role is always
  included

== Tests ==
RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has
all, mechanic has minimal, accountant has finance but not admin,
canDo returns true when role has permission, admin bypass, owner helper,
syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic,
user→viewer), 2FA helper round-trip.

Suite: 206 passed (576 assertions). Was 196.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-04 22:03:03 +00:00

132 lines
4.7 KiB
PHP

<?php
namespace App\Services;
use App\Models\Central\Company;
use App\Models\Central\Plan;
use App\Models\Tenant\User;
use App\Tenancy\TenantManager;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
/**
* Bootstraps a brand new tenant: creates the Company row, seeds default
* roles + admin user, and (if Coolify is configured) adds the new
* subdomain to the AutoCRM application's FQDN list and triggers redeploy.
*
* Returns plain credentials so the central admin can copy/email them.
*/
class CompanyProvisioner
{
public function __construct(
protected TenantManager $tenants,
protected PermissionRegistrar $permissions,
protected CoolifyClient $coolify,
) {}
/**
* @return array{company: Company, admin_email: string, admin_password: string, deploy_triggered: bool}
*/
public function provision(array $data): array
{
$defaults = [
'plan_id' => Plan::where('slug', 'free')->value('id'),
'status' => 'trial',
'trial_ends_at' => now()->addDays(14),
'settings' => [
'currency' => 'MDL',
'language' => 'ro',
'theme_color' => '#3B82F6',
'labor_rate' => 400,
],
];
return DB::transaction(function () use ($data, $defaults) {
$company = Company::create(array_merge($defaults, [
'slug' => $data['slug'],
'name' => $data['name'],
'display_name' => $data['display_name'] ?? $data['name'],
'city' => $data['city'] ?? null,
'phone' => $data['phone'] ?? null,
'email' => $data['email'] ?? null,
'contact_name' => $data['contact_name'] ?? null,
]));
// Activate tenant context to seed roles + user with company_id auto-fill.
$this->tenants->setCurrent($company);
$this->permissions->setPermissionsTeamId($company->id);
// Seed full RBAC catalog: 7 roles + 51 permissions + matrix per TZ.
app(\App\Services\RbacSeeder::class)->seedTenantRoles($company->id);
// Admin user.
$adminEmail = $data['admin_email'] ?? "admin@{$company->slug}.local";
$plainPassword = $data['admin_password'] ?? Str::password(10, true, true, false);
$admin = User::create([
'company_id' => $company->id,
'name' => $data['admin_name'] ?? 'Administrator',
'email' => $adminEmail,
'password' => Hash::make($plainPassword),
'role' => 'admin',
'status' => 'active',
'locale' => 'ro',
'email_verified_at' => now(),
]);
$admin->syncRoles(['admin']);
$this->tenants->clear();
// Add subdomain to Coolify FQDN list + trigger redeploy.
$deployTriggered = false;
$coolifyMessage = null;
$appUuid = (string) config('services.coolify.app_uuid');
if (! $this->coolify->isConfigured()) {
$coolifyMessage = 'Coolify API nu e configurat (lipsesc env vars).';
} elseif ($appUuid === '') {
$coolifyMessage = 'COOLIFY_APP_UUID lipsește.';
} else {
$url = $company->url('');
$url = rtrim($url, '/') . ':8000';
if ($this->coolify->addDomain($appUuid, $url)) {
if ($this->coolify->deploy($appUuid, true)) {
$deployTriggered = true;
$coolifyMessage = 'OK';
} else {
$coolifyMessage = 'Domain adăugat dar redeploy a eșuat.';
}
} else {
$coolifyMessage = 'addDomain Coolify eșuat (vezi log).';
}
}
return [
'company' => $company->fresh(),
'admin_email' => $adminEmail,
'admin_password' => $plainPassword,
'deploy_triggered' => $deployTriggered,
'coolify_message' => $coolifyMessage,
];
});
}
public function suspend(Company $company): void
{
$company->update(['status' => 'suspended']);
}
public function reactivate(Company $company): void
{
$company->update(['status' => 'active']);
}
public function archive(Company $company): void
{
$company->update(['status' => 'archived']);
$company->delete(); // soft-delete
}
}