1d4ac3db38
Completes the P1 items from /tmp/service/new/01-TZ-rbac §2.1 §4.1. == user_permission_overrides table == Per-user grant/deny exceptions on top of role-based RBAC. Composite PK (user_id, permission_id) so each user can have at most one override per permission. Schema: - mode: 'grant' | 'deny' - reason: text (audit context: "lockdown audit period", etc.) - granted_by_id + granted_at: who/when made the exception - expires_at: optional auto-expiry Eloquent model UserPermissionOverride with relations to user, permission, grantedBy; isExpired() helper. == Resolution order in User::canDo() == 1. Active deny-override (not expired) → return false (and log if sensitive) 2. Active grant-override (not expired) → return true 3. Admin/owner bypass → return true 4. Standard role-based check via Spatie Critically: deny overrides ALSO block admin/owner. This is intentional — the TZ's "separation of duties" requirement (an admin who shouldn't be able to delete payments). Without this, deny is useless against admins. Override resolution uses a single query per check (cached by Eloquent during the request). The override-check happens before the role check so a deny is always authoritative. == Audit log on sensitive denials == When canDo() returns false for one of these sensitive permissions, a spatie/activitylog entry is written with event=permission_denied: - admin.users.manage / admin.roles.manage / admin.settings.edit / admin.backup.download - finance.delete_payment / finance.view_pl - salaries.mark_paid / salaries.view_all - work_orders.delete / work_orders.approve_discount_any Non-sensitive denials (e.g., clients.create) don't log to avoid noise. The activity payload includes the permission slug; causedBy is the user who was denied. Failures of the logger are swallowed so a misconfigured activitylog never breaks auth. == UserResource UI == New PermissionOverridesRelationManager mounted on the edit page: - Table: permission, mode (GRANT/DENY badge), reason, expires_at, granted_by - Create form: permission select, mode, expires_at, reason - granted_at + granted_by_id auto-populated to now() / auth()->id() - Default sort: granted_at desc Two new actions on the user row: - "Force logout" (warning color): visible only when active sessions exist. Deletes every row in `sessions` with user_id=record→id. Notification shows count revoked. - "Resetează 2FA" stays (from previous commit) Two new toggleable columns: - Sesiuni active (count from sessions table) - Excepții (count of permission overrides) == Tests == PermissionOverridesTest covers: - grant unlocks a permission the role doesn't have - deny blocks a permission the role grants - deny blocks even admin role (separation of duties) - expired override is ignored - future-expiry override stays active - audit log writes on sensitive denial - audit log silent on non-sensitive denial - force_logout deletes all user sessions but not others' Suite: 214 passed (591 assertions). Was 206. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
201 lines
9.3 KiB
PHP
201 lines
9.3 KiB
PHP
<?php
|
|
|
|
namespace App\Filament\Tenant\Resources;
|
|
|
|
use App\Filament\Tenant\Resources\UserResource\Pages;
|
|
use App\Filament\Tenant\Resources\UserResource\RelationManagers;
|
|
use App\Models\Tenant\User;
|
|
use Filament\Forms;
|
|
use Filament\Resources\Resource;
|
|
use Filament\Schemas\Schema;
|
|
use Filament\Actions;
|
|
use Filament\Schemas;
|
|
use Filament\Tables;
|
|
use Filament\Tables\Table;
|
|
use Illuminate\Support\Facades\Hash;
|
|
|
|
class UserResource extends Resource
|
|
{
|
|
protected static ?string $model = User::class;
|
|
|
|
protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-user-group';
|
|
|
|
protected static ?string $navigationLabel = 'Utilizatori';
|
|
|
|
protected static string|\UnitEnum|null $navigationGroup = 'Admin';
|
|
|
|
protected static ?string $modelLabel = 'utilizator';
|
|
|
|
protected static ?string $pluralModelLabel = 'utilizatori';
|
|
|
|
protected static ?int $navigationSort = 80;
|
|
|
|
public static function canViewAny(): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_VIEW) ?? false;
|
|
}
|
|
|
|
public static function canCreate(): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
|
|
}
|
|
|
|
public static function canDelete($record): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
|
|
}
|
|
|
|
public static function form(Schema $schema): Schema
|
|
{
|
|
return $schema->components([
|
|
Schemas\Components\Section::make('Identitate')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\TextInput::make('name')->label('Nume')->required()->maxLength(120),
|
|
Forms\Components\TextInput::make('email')->email()->required()->maxLength(120),
|
|
Forms\Components\TextInput::make('phone')->tel()->maxLength(40),
|
|
Forms\Components\Select::make('locale')
|
|
->options(['ro' => 'Română', 'ru' => 'Русский', 'en' => 'English'])
|
|
->default('ro'),
|
|
]),
|
|
Schemas\Components\Section::make('Acces')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\Select::make('role')
|
|
->label('Rol primar')
|
|
->options(\App\Auth\Permissions::roleLabels())
|
|
->required()
|
|
->default('mechanic')
|
|
->helperText('Rolul principal — sincronizat automat cu drepturile RBAC.'),
|
|
Forms\Components\Select::make('status')
|
|
->options(['active' => 'Activ', 'inactive' => 'Inactiv', 'blocked' => 'Blocat'])
|
|
->default('active')
|
|
->required(),
|
|
Forms\Components\TextInput::make('password')
|
|
->label('Parolă')
|
|
->password()
|
|
->required(fn (string $context) => $context === 'create')
|
|
->dehydrated(fn ($state) => filled($state))
|
|
->dehydrateStateUsing(fn ($state) => Hash::make($state))
|
|
->minLength(6)
|
|
->helperText('La editare lasă gol pentru a păstra parola actuală.'),
|
|
Forms\Components\Select::make('roles_picked')
|
|
->label('Roluri suplimentare')
|
|
->multiple()
|
|
->options(\App\Auth\Permissions::roleLabels())
|
|
->afterStateHydrated(function ($component, $record) {
|
|
if ($record) $component->state($record->roles->pluck('name')->all());
|
|
})
|
|
->dehydrated(false)
|
|
->columnSpanFull()
|
|
->helperText('Roluri suplimentare peste rolul primar — drepturile se cumulează.'),
|
|
]),
|
|
Schemas\Components\Section::make('Securitate')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\Placeholder::make('mfa_status')
|
|
->label('Autentificare 2FA')
|
|
->content(fn ($record) => $record && $record->hasTwoFactorEnabled() ? '✓ Activat (TOTP)' : '✗ Dezactivat'),
|
|
Forms\Components\Placeholder::make('last_login')
|
|
->label('Ultima autentificare')
|
|
->content(fn ($record) => $record?->last_login_at?->diffForHumans() ?? '—'),
|
|
]),
|
|
]);
|
|
}
|
|
|
|
public static function table(Table $table): Table
|
|
{
|
|
return $table
|
|
->columns([
|
|
Tables\Columns\TextColumn::make('name')->searchable()->sortable(),
|
|
Tables\Columns\TextColumn::make('email')->searchable()->copyable(),
|
|
Tables\Columns\TextColumn::make('phone')->placeholder('—'),
|
|
Tables\Columns\TextColumn::make('role')
|
|
->formatStateUsing(fn ($state) => \App\Auth\Permissions::roleLabels()[$state] ?? $state)
|
|
->badge(),
|
|
Tables\Columns\IconColumn::make('app_authentication_secret')
|
|
->label('2FA')
|
|
->boolean()
|
|
->getStateUsing(fn ($record) => $record->hasTwoFactorEnabled())
|
|
->trueIcon('heroicon-o-shield-check')
|
|
->trueColor('success')
|
|
->falseIcon('heroicon-o-shield-exclamation')
|
|
->falseColor('warning'),
|
|
Tables\Columns\TextColumn::make('active_sessions')
|
|
->label('Sesiuni')
|
|
->getStateUsing(fn ($record) => \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->count())
|
|
->badge()
|
|
->color(fn ($state) => $state > 0 ? 'success' : 'gray')
|
|
->toggleable(),
|
|
Tables\Columns\TextColumn::make('permission_overrides_count')
|
|
->counts('permissionOverrides')
|
|
->label('Excepții')
|
|
->badge()
|
|
->color('warning')
|
|
->toggleable(isToggledHiddenByDefault: true),
|
|
Tables\Columns\TextColumn::make('status')
|
|
->badge()
|
|
->colors([
|
|
'success' => ['active'],
|
|
'warning' => ['inactive'],
|
|
'danger' => ['blocked'],
|
|
]),
|
|
Tables\Columns\TextColumn::make('last_login_at')->dateTime()->placeholder('—')->toggleable(),
|
|
Tables\Columns\TextColumn::make('created_at')->date()->sortable()->toggleable(isToggledHiddenByDefault: true),
|
|
])
|
|
->filters([
|
|
Tables\Filters\SelectFilter::make('role')->options([
|
|
'admin' => 'Admin', 'manager' => 'Manager', 'receptionist' => 'Recepție',
|
|
'mechanic' => 'Mecanic', 'parts_manager' => 'Magazie', 'accountant' => 'Contabil', 'marketer' => 'Marketing',
|
|
]),
|
|
Tables\Filters\SelectFilter::make('status')->options([
|
|
'active' => 'Activ', 'inactive' => 'Inactiv', 'blocked' => 'Blocat',
|
|
]),
|
|
])
|
|
->actions([
|
|
Actions\EditAction::make(),
|
|
Actions\Action::make('force_logout')
|
|
->label('Force logout')
|
|
->icon('heroicon-o-arrow-right-on-rectangle')
|
|
->color('warning')
|
|
->visible(fn ($record) => \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->exists())
|
|
->requiresConfirmation()
|
|
->modalDescription('Va deconecta utilizatorul pe toate device-urile.')
|
|
->action(function ($record) {
|
|
$n = \Illuminate\Support\Facades\DB::table('sessions')->where('user_id', $record->id)->delete();
|
|
\Filament\Notifications\Notification::make()->title("$n sesiuni revoke-uite")->success()->send();
|
|
}),
|
|
Actions\Action::make('reset_2fa')
|
|
->label('Resetează 2FA')
|
|
->icon('heroicon-o-shield-exclamation')
|
|
->color('warning')
|
|
->visible(fn ($record) => $record && $record->hasTwoFactorEnabled())
|
|
->requiresConfirmation()
|
|
->modalDescription('Dezactivează 2FA pentru acest utilizator. Va trebui să re-configureze TOTP la următoarea autentificare.')
|
|
->action(function ($record) {
|
|
$record->saveAppAuthenticationSecret(null);
|
|
$record->saveAppAuthenticationRecoveryCodes(null);
|
|
\Filament\Notifications\Notification::make()->title('2FA resetat')->success()->send();
|
|
}),
|
|
Actions\DeleteAction::make(),
|
|
])
|
|
->defaultSort('created_at', 'desc');
|
|
}
|
|
|
|
public static function getRelations(): array
|
|
{
|
|
return [
|
|
RelationManagers\PermissionOverridesRelationManager::class,
|
|
];
|
|
}
|
|
|
|
public static function getPages(): array
|
|
{
|
|
return [
|
|
'index' => Pages\ListUsers::route('/'),
|
|
'create' => Pages\CreateUser::route('/create'),
|
|
'edit' => Pages\EditUser::route('/{record}/edit'),
|
|
];
|
|
}
|
|
}
|