58004b65c4
Implements the RBAC TZ in app/Auth/Permissions.php with a 51-permission catalog spanning 9 modules (clients/vehicles/work_orders/finance/salaries/ inventory/suppliers/admin/ai_assistant+analytics). All slugs are constants, not magic strings — refactors against renames stay safe. == 7 system roles == owner / admin / manager / accountant / receptionist / mechanic / viewer Each gets a curated role-permission matrix per the TZ section 2.4: - owner + admin: all 51 - manager: 23 (operations + reporting, no destructive finance/users) - accountant: 17 (full finance/salaries, view-only WOs, no admin) - receptionist: 13 (front-desk: clients/vehicles/WOs/payment-create) - mechanic: 4 (own WOs + inventory view + own salary) - viewer: 6 (read-only everything except finance/salaries) == Seeder == App\Services\RbacSeeder: - seedPermissions() creates the 51 Permission rows globally (idempotent) - seedTenantRoles($companyId) sets the team context, creates the 7 Role rows scoped to that tenant, and syncPermissions per matrix - syncUsersToRoles($companyId) maps legacy users.role string column to the new Spatie role assignment (parts_manager→manager, master→mechanic, marketer→manager, user→viewer) == Migration == 2026_06_04_000003 loops over all existing Companies and runs the seeder. On a fresh prod deploy, every tenant gets the full RBAC catalog wired up automatically. CompanyProvisioner::provision() also calls the seeder for new tenants going forward. == Resource gates == canViewAny / canCreate / canDelete on: - PaymentResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_PAYMENT / FINANCE_DELETE_PAYMENT) - ExpenseResource (FINANCE_VIEW_OVERVIEW / FINANCE_CREATE_EXPENSE / FINANCE_DELETE_PAYMENT) - PayrollAdjustmentResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - PayrollRunResource (SALARIES_VIEW_ALL / SALARIES_CALCULATE) - UserResource (ADMIN_USERS_VIEW / ADMIN_USERS_MANAGE) - RoleResource (ADMIN_ROLES_MANAGE) Mechanic sees only own WOs + inventory + own salary. Accountant sees all finance but not admin. Receptionist sees clients/WOs but not finance overview. Etc. == User helpers == $user->canDo(Permissions::WORK_ORDERS_CREATE) — admin gets a bypass to prevent lockouts from misconfigured permission grants. $user->isOwner() / isAccountant() / isMechanic() — role shortcuts. $user->hasTwoFactorEnabled() — true when app_authentication_secret is set. == 2FA == Filament 5's native MultiFactorAuthentication (App + Email) is already enabled in both TenantPanelProvider and CentralPanelProvider — confirmed. The User model already implements HasAppAuthentication + HasAppAuthenticationRecovery + HasEmailAuthentication. This commit adds UX around it: - UserResource list column: 2FA badge (green ✓ when enabled, amber ⚠ when off) - UserResource form: "Securitate" section shows enabled/disabled + last_login_at - New admin action "Resetează 2FA" with confirmation modal — clears app_authentication_secret + recovery codes for locked-out users == Roles management UI == New /app/roles RoleResource: - List: role label + slug + permission count + user count - Edit: 10 grouped checkbox lists (per module) for fine-grained permission assignment + bulk-toggle per group - System roles (owner/admin/etc.) have slug locked, can't be deleted - Custom tenant-specific roles can be added on top - Gated behind ADMIN_ROLES_MANAGE == UserResource extension == - Role select now uses Permissions::roleLabels() (owner/admin/manager/...) - New "Roluri suplimentare" multi-select for stacking roles on top of the primary one (permissions cumulate) - afterSave syncs the picked roles + ensures primary role is always included == Tests == RbacTest covers: 51 permissions seeded, 7 roles per tenant, owner has all, mechanic has minimal, accountant has finance but not admin, canDo returns true when role has permission, admin bypass, owner helper, syncUsersToRoles legacy mapping (parts_manager→manager, master→mechanic, user→viewer), 2FA helper round-trip. Suite: 206 passed (576 assertions). Was 196. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
170 lines
7.7 KiB
PHP
170 lines
7.7 KiB
PHP
<?php
|
|
|
|
namespace App\Filament\Tenant\Resources;
|
|
|
|
use App\Filament\Tenant\Resources\UserResource\Pages;
|
|
use App\Models\Tenant\User;
|
|
use Filament\Forms;
|
|
use Filament\Resources\Resource;
|
|
use Filament\Schemas\Schema;
|
|
use Filament\Actions;
|
|
use Filament\Schemas;
|
|
use Filament\Tables;
|
|
use Filament\Tables\Table;
|
|
use Illuminate\Support\Facades\Hash;
|
|
|
|
class UserResource extends Resource
|
|
{
|
|
protected static ?string $model = User::class;
|
|
|
|
protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-user-group';
|
|
|
|
protected static ?string $navigationLabel = 'Utilizatori';
|
|
|
|
protected static string|\UnitEnum|null $navigationGroup = 'Admin';
|
|
|
|
protected static ?string $modelLabel = 'utilizator';
|
|
|
|
protected static ?string $pluralModelLabel = 'utilizatori';
|
|
|
|
protected static ?int $navigationSort = 80;
|
|
|
|
public static function canViewAny(): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_VIEW) ?? false;
|
|
}
|
|
|
|
public static function canCreate(): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
|
|
}
|
|
|
|
public static function canDelete($record): bool
|
|
{
|
|
return auth()->user()?->canDo(\App\Auth\Permissions::ADMIN_USERS_MANAGE) ?? false;
|
|
}
|
|
|
|
public static function form(Schema $schema): Schema
|
|
{
|
|
return $schema->components([
|
|
Schemas\Components\Section::make('Identitate')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\TextInput::make('name')->label('Nume')->required()->maxLength(120),
|
|
Forms\Components\TextInput::make('email')->email()->required()->maxLength(120),
|
|
Forms\Components\TextInput::make('phone')->tel()->maxLength(40),
|
|
Forms\Components\Select::make('locale')
|
|
->options(['ro' => 'Română', 'ru' => 'Русский', 'en' => 'English'])
|
|
->default('ro'),
|
|
]),
|
|
Schemas\Components\Section::make('Acces')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\Select::make('role')
|
|
->label('Rol primar')
|
|
->options(\App\Auth\Permissions::roleLabels())
|
|
->required()
|
|
->default('mechanic')
|
|
->helperText('Rolul principal — sincronizat automat cu drepturile RBAC.'),
|
|
Forms\Components\Select::make('status')
|
|
->options(['active' => 'Activ', 'inactive' => 'Inactiv', 'blocked' => 'Blocat'])
|
|
->default('active')
|
|
->required(),
|
|
Forms\Components\TextInput::make('password')
|
|
->label('Parolă')
|
|
->password()
|
|
->required(fn (string $context) => $context === 'create')
|
|
->dehydrated(fn ($state) => filled($state))
|
|
->dehydrateStateUsing(fn ($state) => Hash::make($state))
|
|
->minLength(6)
|
|
->helperText('La editare lasă gol pentru a păstra parola actuală.'),
|
|
Forms\Components\Select::make('roles_picked')
|
|
->label('Roluri suplimentare')
|
|
->multiple()
|
|
->options(\App\Auth\Permissions::roleLabels())
|
|
->afterStateHydrated(function ($component, $record) {
|
|
if ($record) $component->state($record->roles->pluck('name')->all());
|
|
})
|
|
->dehydrated(false)
|
|
->columnSpanFull()
|
|
->helperText('Roluri suplimentare peste rolul primar — drepturile se cumulează.'),
|
|
]),
|
|
Schemas\Components\Section::make('Securitate')
|
|
->columns(2)
|
|
->schema([
|
|
Forms\Components\Placeholder::make('mfa_status')
|
|
->label('Autentificare 2FA')
|
|
->content(fn ($record) => $record && $record->hasTwoFactorEnabled() ? '✓ Activat (TOTP)' : '✗ Dezactivat'),
|
|
Forms\Components\Placeholder::make('last_login')
|
|
->label('Ultima autentificare')
|
|
->content(fn ($record) => $record?->last_login_at?->diffForHumans() ?? '—'),
|
|
]),
|
|
]);
|
|
}
|
|
|
|
public static function table(Table $table): Table
|
|
{
|
|
return $table
|
|
->columns([
|
|
Tables\Columns\TextColumn::make('name')->searchable()->sortable(),
|
|
Tables\Columns\TextColumn::make('email')->searchable()->copyable(),
|
|
Tables\Columns\TextColumn::make('phone')->placeholder('—'),
|
|
Tables\Columns\TextColumn::make('role')
|
|
->formatStateUsing(fn ($state) => \App\Auth\Permissions::roleLabels()[$state] ?? $state)
|
|
->badge(),
|
|
Tables\Columns\IconColumn::make('app_authentication_secret')
|
|
->label('2FA')
|
|
->boolean()
|
|
->getStateUsing(fn ($record) => $record->hasTwoFactorEnabled())
|
|
->trueIcon('heroicon-o-shield-check')
|
|
->trueColor('success')
|
|
->falseIcon('heroicon-o-shield-exclamation')
|
|
->falseColor('warning'),
|
|
Tables\Columns\TextColumn::make('status')
|
|
->badge()
|
|
->colors([
|
|
'success' => ['active'],
|
|
'warning' => ['inactive'],
|
|
'danger' => ['blocked'],
|
|
]),
|
|
Tables\Columns\TextColumn::make('last_login_at')->dateTime()->placeholder('—')->toggleable(),
|
|
Tables\Columns\TextColumn::make('created_at')->date()->sortable()->toggleable(isToggledHiddenByDefault: true),
|
|
])
|
|
->filters([
|
|
Tables\Filters\SelectFilter::make('role')->options([
|
|
'admin' => 'Admin', 'manager' => 'Manager', 'receptionist' => 'Recepție',
|
|
'mechanic' => 'Mecanic', 'parts_manager' => 'Magazie', 'accountant' => 'Contabil', 'marketer' => 'Marketing',
|
|
]),
|
|
Tables\Filters\SelectFilter::make('status')->options([
|
|
'active' => 'Activ', 'inactive' => 'Inactiv', 'blocked' => 'Blocat',
|
|
]),
|
|
])
|
|
->actions([
|
|
Actions\EditAction::make(),
|
|
Actions\Action::make('reset_2fa')
|
|
->label('Resetează 2FA')
|
|
->icon('heroicon-o-shield-exclamation')
|
|
->color('warning')
|
|
->visible(fn ($record) => $record && $record->hasTwoFactorEnabled())
|
|
->requiresConfirmation()
|
|
->modalDescription('Dezactivează 2FA pentru acest utilizator. Va trebui să re-configureze TOTP la următoarea autentificare.')
|
|
->action(function ($record) {
|
|
$record->saveAppAuthenticationSecret(null);
|
|
$record->saveAppAuthenticationRecoveryCodes(null);
|
|
\Filament\Notifications\Notification::make()->title('2FA resetat')->success()->send();
|
|
}),
|
|
Actions\DeleteAction::make(),
|
|
])
|
|
->defaultSort('created_at', 'desc');
|
|
}
|
|
|
|
public static function getPages(): array
|
|
{
|
|
return [
|
|
'index' => Pages\ListUsers::route('/'),
|
|
'create' => Pages\CreateUser::route('/create'),
|
|
'edit' => Pages\EditUser::route('/{record}/edit'),
|
|
];
|
|
}
|
|
}
|