Files
autocrm/tests/Feature/PermissionOverridesTest.php
T
Vasyka 1d4ac3db38 feat: P1 RBAC defers — overrides + sessions + audit log
Completes the P1 items from /tmp/service/new/01-TZ-rbac §2.1 §4.1.

== user_permission_overrides table ==
Per-user grant/deny exceptions on top of role-based RBAC. Composite PK
(user_id, permission_id) so each user can have at most one override per
permission. Schema:
- mode: 'grant' | 'deny'
- reason: text (audit context: "lockdown audit period", etc.)
- granted_by_id + granted_at: who/when made the exception
- expires_at: optional auto-expiry

Eloquent model UserPermissionOverride with relations to user, permission,
grantedBy; isExpired() helper.

== Resolution order in User::canDo() ==
1. Active deny-override (not expired) → return false (and log if sensitive)
2. Active grant-override (not expired) → return true
3. Admin/owner bypass → return true
4. Standard role-based check via Spatie

Critically: deny overrides ALSO block admin/owner. This is intentional —
the TZ's "separation of duties" requirement (an admin who shouldn't be
able to delete payments). Without this, deny is useless against admins.

Override resolution uses a single query per check (cached by Eloquent
during the request). The override-check happens before the role check
so a deny is always authoritative.

== Audit log on sensitive denials ==
When canDo() returns false for one of these sensitive permissions, a
spatie/activitylog entry is written with event=permission_denied:
- admin.users.manage / admin.roles.manage / admin.settings.edit
  / admin.backup.download
- finance.delete_payment / finance.view_pl
- salaries.mark_paid / salaries.view_all
- work_orders.delete / work_orders.approve_discount_any

Non-sensitive denials (e.g., clients.create) don't log to avoid noise.
The activity payload includes the permission slug; causedBy is the user
who was denied. Failures of the logger are swallowed so a misconfigured
activitylog never breaks auth.

== UserResource UI ==
New PermissionOverridesRelationManager mounted on the edit page:
- Table: permission, mode (GRANT/DENY badge), reason, expires_at,
  granted_by
- Create form: permission select, mode, expires_at, reason
- granted_at + granted_by_id auto-populated to now() / auth()->id()
- Default sort: granted_at desc

Two new actions on the user row:
- "Force logout" (warning color): visible only when active sessions
  exist. Deletes every row in `sessions` with user_id=record→id.
  Notification shows count revoked.
- "Resetează 2FA" stays (from previous commit)

Two new toggleable columns:
- Sesiuni active (count from sessions table)
- Excepții (count of permission overrides)

== Tests ==
PermissionOverridesTest covers:
- grant unlocks a permission the role doesn't have
- deny blocks a permission the role grants
- deny blocks even admin role (separation of duties)
- expired override is ignored
- future-expiry override stays active
- audit log writes on sensitive denial
- audit log silent on non-sensitive denial
- force_logout deletes all user sessions but not others'

Suite: 214 passed (591 assertions). Was 206.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-04 22:27:20 +00:00

156 lines
6.3 KiB
PHP

<?php
namespace Tests\Feature;
use App\Auth\Permissions;
use App\Models\Central\Company;
use App\Models\Central\Plan;
use App\Models\Tenant\User;
use App\Models\Tenant\UserPermissionOverride;
use App\Services\RbacSeeder;
use App\Tenancy\TenantManager;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;
class PermissionOverridesTest extends TestCase
{
use RefreshDatabase;
private Company $company;
private User $mechanic;
protected function setUp(): void
{
parent::setUp();
$plan = Plan::firstOrCreate(['slug' => 'test'], ['name' => 'T', 'price' => 0, 'features' => []]);
$this->company = Company::create([
'plan_id' => $plan->id, 'slug' => 'ov-' . uniqid(),
'name' => 'OV Co', 'status' => 'active',
]);
app(TenantManager::class)->setCurrent($this->company);
app(RbacSeeder::class)->seedTenantRoles($this->company->id);
app(PermissionRegistrar::class)->setPermissionsTeamId($this->company->id);
$this->mechanic = User::create([
'name' => 'M', 'email' => 'm-' . uniqid() . '@e.com',
'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active',
]);
$this->mechanic->syncRoles(['mechanic']);
}
public function test_grant_override_unlocks_permission_for_user(): void
{
// Mechanic normally can't view all WOs
$this->assertFalse($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL));
$perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first();
UserPermissionOverride::create([
'user_id' => $this->mechanic->id, 'permission_id' => $perm->id,
'mode' => 'grant', 'reason' => 'temp standin', 'granted_at' => now(),
]);
$this->mechanic->refresh();
$this->assertTrue($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL));
}
public function test_deny_override_blocks_permission_even_when_role_grants_it(): void
{
$this->mechanic->refresh();
$this->assertTrue($this->mechanic->canDo(Permissions::INVENTORY_VIEW));
$perm = Permission::where('name', Permissions::INVENTORY_VIEW)->first();
UserPermissionOverride::create([
'user_id' => $this->mechanic->id, 'permission_id' => $perm->id,
'mode' => 'deny', 'reason' => 'audit period', 'granted_at' => now(),
]);
$this->mechanic->refresh();
$this->assertFalse($this->mechanic->canDo(Permissions::INVENTORY_VIEW));
}
public function test_deny_override_blocks_even_admin_role(): void
{
$admin = User::create(['name' => 'A', 'email' => 'a-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'admin', 'status' => 'active']);
$admin->syncRoles(['admin']);
$perm = Permission::where('name', Permissions::FINANCE_DELETE_PAYMENT)->first();
UserPermissionOverride::create([
'user_id' => $admin->id, 'permission_id' => $perm->id,
'mode' => 'deny', 'reason' => 'separation of duties',
'granted_at' => now(),
]);
$admin->refresh();
$this->assertFalse($admin->canDo(Permissions::FINANCE_DELETE_PAYMENT));
// Other permissions still work
$this->assertTrue($admin->canDo(Permissions::FINANCE_VIEW_OVERVIEW));
}
public function test_expired_override_is_ignored(): void
{
$perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first();
UserPermissionOverride::create([
'user_id' => $this->mechanic->id, 'permission_id' => $perm->id,
'mode' => 'grant', 'reason' => 'temp', 'granted_at' => now()->subDay(),
'expires_at' => now()->subHour(), // already expired
]);
$this->mechanic->refresh();
$this->assertFalse($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL));
}
public function test_future_expiry_keeps_override_active(): void
{
$perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first();
UserPermissionOverride::create([
'user_id' => $this->mechanic->id, 'permission_id' => $perm->id,
'mode' => 'grant', 'reason' => 'temp', 'granted_at' => now(),
'expires_at' => now()->addDays(7),
]);
$this->mechanic->refresh();
$this->assertTrue($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL));
}
public function test_audit_log_writes_entry_on_sensitive_denial(): void
{
// mechanic.canDo(admin.users.manage) → false → logs activity
$this->mechanic->canDo(Permissions::ADMIN_USERS_MANAGE);
$rows = DB::table('activity_log')
->where('event', 'permission_denied')
->get();
$this->assertGreaterThanOrEqual(1, $rows->count());
$latest = $rows->last();
$this->assertStringContainsString('admin.users.manage', $latest->properties);
}
public function test_non_sensitive_denial_does_not_log(): void
{
DB::table('activity_log')->truncate();
// CLIENTS_CREATE is not in AUDITED_DENIALS list
$this->mechanic->canDo(Permissions::CLIENTS_CREATE);
$count = DB::table('activity_log')->where('event', 'permission_denied')->count();
$this->assertEquals(0, $count);
}
public function test_force_logout_deletes_all_user_sessions(): void
{
DB::table('sessions')->insert([
['id' => 's1', 'user_id' => $this->mechanic->id, 'ip_address' => '1.1.1.1', 'user_agent' => 'Chrome', 'payload' => '', 'last_activity' => time()],
['id' => 's2', 'user_id' => $this->mechanic->id, 'ip_address' => '2.2.2.2', 'user_agent' => 'Firefox', 'payload' => '', 'last_activity' => time()],
['id' => 's3', 'user_id' => 9999, 'ip_address' => '3.3.3.3', 'user_agent' => 'Safari', 'payload' => '', 'last_activity' => time()],
]);
$n = DB::table('sessions')->where('user_id', $this->mechanic->id)->delete();
$this->assertEquals(2, $n);
$this->assertEquals(0, DB::table('sessions')->where('user_id', $this->mechanic->id)->count());
// Other users' sessions untouched
$this->assertEquals(1, DB::table('sessions')->where('user_id', 9999)->count());
}
}