58004b65c4
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
132 lines
4.7 KiB
PHP
132 lines
4.7 KiB
PHP
<?php
|
|
|
|
namespace App\Services;
|
|
|
|
use App\Models\Central\Company;
|
|
use App\Models\Central\Plan;
|
|
use App\Models\Tenant\User;
|
|
use App\Tenancy\TenantManager;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Hash;
|
|
use Illuminate\Support\Str;
|
|
use Spatie\Permission\Models\Role;
|
|
use Spatie\Permission\PermissionRegistrar;
|
|
|
|
/**
|
|
* Bootstraps a brand new tenant: creates the Company row, seeds default
|
|
* roles + admin user, and (if Coolify is configured) adds the new
|
|
* subdomain to the AutoCRM application's FQDN list and triggers redeploy.
|
|
*
|
|
* Returns plain credentials so the central admin can copy/email them.
|
|
*/
|
|
class CompanyProvisioner
|
|
{
|
|
public function __construct(
|
|
protected TenantManager $tenants,
|
|
protected PermissionRegistrar $permissions,
|
|
protected CoolifyClient $coolify,
|
|
) {}
|
|
|
|
/**
|
|
* @return array{company: Company, admin_email: string, admin_password: string, deploy_triggered: bool}
|
|
*/
|
|
public function provision(array $data): array
|
|
{
|
|
$defaults = [
|
|
'plan_id' => Plan::where('slug', 'free')->value('id'),
|
|
'status' => 'trial',
|
|
'trial_ends_at' => now()->addDays(14),
|
|
'settings' => [
|
|
'currency' => 'MDL',
|
|
'language' => 'ro',
|
|
'theme_color' => '#3B82F6',
|
|
'labor_rate' => 400,
|
|
],
|
|
];
|
|
|
|
return DB::transaction(function () use ($data, $defaults) {
|
|
$company = Company::create(array_merge($defaults, [
|
|
'slug' => $data['slug'],
|
|
'name' => $data['name'],
|
|
'display_name' => $data['display_name'] ?? $data['name'],
|
|
'city' => $data['city'] ?? null,
|
|
'phone' => $data['phone'] ?? null,
|
|
'email' => $data['email'] ?? null,
|
|
'contact_name' => $data['contact_name'] ?? null,
|
|
]));
|
|
|
|
// Activate tenant context to seed roles + user with company_id auto-fill.
|
|
$this->tenants->setCurrent($company);
|
|
$this->permissions->setPermissionsTeamId($company->id);
|
|
|
|
// Seed full RBAC catalog: 7 roles + 51 permissions + matrix per TZ.
|
|
app(\App\Services\RbacSeeder::class)->seedTenantRoles($company->id);
|
|
|
|
// Admin user.
|
|
$adminEmail = $data['admin_email'] ?? "admin@{$company->slug}.local";
|
|
$plainPassword = $data['admin_password'] ?? Str::password(10, true, true, false);
|
|
$admin = User::create([
|
|
'company_id' => $company->id,
|
|
'name' => $data['admin_name'] ?? 'Administrator',
|
|
'email' => $adminEmail,
|
|
'password' => Hash::make($plainPassword),
|
|
'role' => 'admin',
|
|
'status' => 'active',
|
|
'locale' => 'ro',
|
|
'email_verified_at' => now(),
|
|
]);
|
|
$admin->syncRoles(['admin']);
|
|
|
|
$this->tenants->clear();
|
|
|
|
// Add subdomain to Coolify FQDN list + trigger redeploy.
|
|
$deployTriggered = false;
|
|
$coolifyMessage = null;
|
|
$appUuid = (string) config('services.coolify.app_uuid');
|
|
|
|
if (! $this->coolify->isConfigured()) {
|
|
$coolifyMessage = 'Coolify API nu e configurat (lipsesc env vars).';
|
|
} elseif ($appUuid === '') {
|
|
$coolifyMessage = 'COOLIFY_APP_UUID lipsește.';
|
|
} else {
|
|
$url = $company->url('');
|
|
$url = rtrim($url, '/') . ':8000';
|
|
if ($this->coolify->addDomain($appUuid, $url)) {
|
|
if ($this->coolify->deploy($appUuid, true)) {
|
|
$deployTriggered = true;
|
|
$coolifyMessage = 'OK';
|
|
} else {
|
|
$coolifyMessage = 'Domain adăugat dar redeploy a eșuat.';
|
|
}
|
|
} else {
|
|
$coolifyMessage = 'addDomain Coolify eșuat (vezi log).';
|
|
}
|
|
}
|
|
|
|
return [
|
|
'company' => $company->fresh(),
|
|
'admin_email' => $adminEmail,
|
|
'admin_password' => $plainPassword,
|
|
'deploy_triggered' => $deployTriggered,
|
|
'coolify_message' => $coolifyMessage,
|
|
];
|
|
});
|
|
}
|
|
|
|
public function suspend(Company $company): void
|
|
{
|
|
$company->update(['status' => 'suspended']);
|
|
}
|
|
|
|
public function reactivate(Company $company): void
|
|
{
|
|
$company->update(['status' => 'active']);
|
|
}
|
|
|
|
public function archive(Company $company): void
|
|
{
|
|
$company->update(['status' => 'archived']);
|
|
$company->delete(); // soft-delete
|
|
}
|
|
}
|