1d4ac3db38
Completes the P1 items from /tmp/service/new/01-TZ-rbac §2.1 §4.1. == user_permission_overrides table == Per-user grant/deny exceptions on top of role-based RBAC. Composite PK (user_id, permission_id) so each user can have at most one override per permission. Schema: - mode: 'grant' | 'deny' - reason: text (audit context: "lockdown audit period", etc.) - granted_by_id + granted_at: who/when made the exception - expires_at: optional auto-expiry Eloquent model UserPermissionOverride with relations to user, permission, grantedBy; isExpired() helper. == Resolution order in User::canDo() == 1. Active deny-override (not expired) → return false (and log if sensitive) 2. Active grant-override (not expired) → return true 3. Admin/owner bypass → return true 4. Standard role-based check via Spatie Critically: deny overrides ALSO block admin/owner. This is intentional — the TZ's "separation of duties" requirement (an admin who shouldn't be able to delete payments). Without this, deny is useless against admins. Override resolution uses a single query per check (cached by Eloquent during the request). The override-check happens before the role check so a deny is always authoritative. == Audit log on sensitive denials == When canDo() returns false for one of these sensitive permissions, a spatie/activitylog entry is written with event=permission_denied: - admin.users.manage / admin.roles.manage / admin.settings.edit / admin.backup.download - finance.delete_payment / finance.view_pl - salaries.mark_paid / salaries.view_all - work_orders.delete / work_orders.approve_discount_any Non-sensitive denials (e.g., clients.create) don't log to avoid noise. The activity payload includes the permission slug; causedBy is the user who was denied. Failures of the logger are swallowed so a misconfigured activitylog never breaks auth. == UserResource UI == New PermissionOverridesRelationManager mounted on the edit page: - Table: permission, mode (GRANT/DENY badge), reason, expires_at, granted_by - Create form: permission select, mode, expires_at, reason - granted_at + granted_by_id auto-populated to now() / auth()->id() - Default sort: granted_at desc Two new actions on the user row: - "Force logout" (warning color): visible only when active sessions exist. Deletes every row in `sessions` with user_id=record→id. Notification shows count revoked. - "Resetează 2FA" stays (from previous commit) Two new toggleable columns: - Sesiuni active (count from sessions table) - Excepții (count of permission overrides) == Tests == PermissionOverridesTest covers: - grant unlocks a permission the role doesn't have - deny blocks a permission the role grants - deny blocks even admin role (separation of duties) - expired override is ignored - future-expiry override stays active - audit log writes on sensitive denial - audit log silent on non-sensitive denial - force_logout deletes all user sessions but not others' Suite: 214 passed (591 assertions). Was 206. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
190 lines
6.2 KiB
PHP
190 lines
6.2 KiB
PHP
<?php
|
|
|
|
namespace App\Models\Tenant;
|
|
|
|
use App\Models\Concerns\BelongsToTenant;
|
|
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthentication;
|
|
use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthenticationRecovery;
|
|
use Filament\Auth\MultiFactor\Email\Contracts\HasEmailAuthentication;
|
|
use Filament\Models\Contracts\FilamentUser;
|
|
use Filament\Panel;
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\SoftDeletes;
|
|
use Illuminate\Foundation\Auth\User as Authenticatable;
|
|
use Illuminate\Database\Eloquent\Relations\HasMany;
|
|
use Illuminate\Notifications\Notifiable;
|
|
use Laravel\Sanctum\HasApiTokens;
|
|
use Spatie\Permission\Traits\HasRoles;
|
|
|
|
/**
|
|
* Tenant-bound user. Belongs to exactly one Company.
|
|
* UNIQUE(company_id, email) — same email can exist in different tenants
|
|
* as completely separate accounts.
|
|
*/
|
|
class User extends Authenticatable implements FilamentUser, HasAppAuthentication, HasAppAuthenticationRecovery, HasEmailAuthentication
|
|
{
|
|
use BelongsToTenant, HasApiTokens, HasFactory, HasRoles, Notifiable, SoftDeletes;
|
|
|
|
/** Spatie Permission scope key matches the team_foreign_key (company_id). */
|
|
protected $guard_name = 'web';
|
|
|
|
protected $fillable = [
|
|
'company_id', 'name', 'email', 'phone', 'avatar_url',
|
|
'role', 'status', 'locale',
|
|
'specialization', 'color', 'hourly_rate',
|
|
'email_verified_at', 'password', 'last_login_at',
|
|
'email_authentication_at',
|
|
'app_authentication_secret', 'app_authentication_recovery_codes',
|
|
];
|
|
|
|
protected $hidden = [
|
|
'password', 'remember_token',
|
|
];
|
|
|
|
protected function casts(): array
|
|
{
|
|
return [
|
|
'email_verified_at' => 'datetime',
|
|
'last_login_at' => 'datetime',
|
|
'email_authentication_at' => 'datetime',
|
|
'password' => 'hashed',
|
|
'app_authentication_secret' => 'encrypted',
|
|
'app_authentication_recovery_codes' => 'encrypted:array',
|
|
];
|
|
}
|
|
|
|
public function canAccessPanel(Panel $panel): bool
|
|
{
|
|
return $panel->getId() === 'tenant'
|
|
&& $this->status === 'active';
|
|
}
|
|
|
|
public function isAdmin(): bool
|
|
{
|
|
return $this->role === 'admin' || $this->role === 'owner' || $this->hasAnyRole(['admin', 'owner']);
|
|
}
|
|
|
|
public function isOwner(): bool
|
|
{
|
|
return $this->role === 'owner' || $this->hasRole('owner');
|
|
}
|
|
|
|
public function isAccountant(): bool
|
|
{
|
|
return $this->role === 'accountant' || $this->hasRole('accountant');
|
|
}
|
|
|
|
public function isMechanic(): bool
|
|
{
|
|
return in_array($this->role, ['mechanic', 'master'], true) || $this->hasAnyRole(['mechanic']);
|
|
}
|
|
|
|
public function permissionOverrides(): HasMany
|
|
{
|
|
return $this->hasMany(UserPermissionOverride::class);
|
|
}
|
|
|
|
/**
|
|
* Permission check honoring (in order):
|
|
* 1. Active deny-override → false
|
|
* 2. Active grant-override → true
|
|
* 3. Admin/owner bypass → true
|
|
* 4. Standard role-based check
|
|
*/
|
|
public function canDo(string $permission): bool
|
|
{
|
|
$override = $this->activeOverrideFor($permission);
|
|
if ($override) {
|
|
if ($override->mode === 'deny') {
|
|
$this->logDeniedIfSensitive($permission);
|
|
return false;
|
|
}
|
|
if ($override->mode === 'grant') return true;
|
|
}
|
|
|
|
// Owner + admin bypass for permissions without explicit deny.
|
|
if ($this->isAdmin()) return true;
|
|
|
|
try {
|
|
$allowed = $this->can($permission);
|
|
if (! $allowed) $this->logDeniedIfSensitive($permission);
|
|
return $allowed;
|
|
} catch (\Throwable $e) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private function activeOverrideFor(string $permissionSlug): ?UserPermissionOverride
|
|
{
|
|
return $this->permissionOverrides()
|
|
->whereHas('permission', fn ($q) => $q->where('name', $permissionSlug))
|
|
->where(fn ($q) => $q->whereNull('expires_at')->orWhere('expires_at', '>', now()))
|
|
->first();
|
|
}
|
|
|
|
/** Sensitive permissions whose deny we should record for audit. */
|
|
private const AUDITED_DENIALS = [
|
|
'admin.users.manage', 'admin.roles.manage', 'admin.settings.edit', 'admin.backup.download',
|
|
'finance.delete_payment', 'finance.view_pl',
|
|
'salaries.mark_paid', 'salaries.view_all',
|
|
'work_orders.delete', 'work_orders.approve_discount_any',
|
|
];
|
|
|
|
private function logDeniedIfSensitive(string $permission): void
|
|
{
|
|
if (! in_array($permission, self::AUDITED_DENIALS, true)) return;
|
|
try {
|
|
activity('permissions')
|
|
->causedBy($this)
|
|
->withProperties(['permission' => $permission])
|
|
->event('permission_denied')
|
|
->log("permission denied: $permission for user #{$this->id}");
|
|
} catch (\Throwable $e) {
|
|
// activity-log may be misconfigured in some contexts — never let auth fail because of it.
|
|
}
|
|
}
|
|
|
|
/** Has 2FA app authentication enabled (Filament native). */
|
|
public function hasTwoFactorEnabled(): bool
|
|
{
|
|
return $this->app_authentication_secret !== null;
|
|
}
|
|
|
|
public function hasEmailAuthentication(): bool
|
|
{
|
|
return $this->email_authentication_at !== null;
|
|
}
|
|
|
|
public function toggleEmailAuthentication(bool $condition): void
|
|
{
|
|
$this->forceFill([
|
|
'email_authentication_at' => $condition ? now() : null,
|
|
])->saveQuietly();
|
|
}
|
|
|
|
public function getAppAuthenticationSecret(): ?string
|
|
{
|
|
return $this->app_authentication_secret;
|
|
}
|
|
|
|
public function saveAppAuthenticationSecret(?string $secret): void
|
|
{
|
|
$this->forceFill(['app_authentication_secret' => $secret])->saveQuietly();
|
|
}
|
|
|
|
public function getAppAuthenticationHolderName(): string
|
|
{
|
|
return $this->email;
|
|
}
|
|
|
|
public function getAppAuthenticationRecoveryCodes(): ?array
|
|
{
|
|
return $this->app_authentication_recovery_codes;
|
|
}
|
|
|
|
public function saveAppAuthenticationRecoveryCodes(?array $codes): void
|
|
{
|
|
$this->forceFill(['app_authentication_recovery_codes' => $codes])->saveQuietly();
|
|
}
|
|
}
|