feat/066-rbac-ui-enforcement-helper-v2 #83

Merged
ahmido merged 7 commits from feat/066-rbac-ui-enforcement-helper-v2 into dev 2026-01-30 17:28:48 +00:00
Owner

Implements Feature 066: “RBAC UI Enforcement Helper v2”, including migration of the affected Filament surfaces and regression tests.

What's included

New helper:
UiEnforcement.php: mixed visibility (preserveVisibility, andVisibleWhen, andHiddenWhen), tenant resolver (tenantFromFilament, tenantFromRecord, tenantFrom(callable)), bulk preflight (preflightByCapability, preflightByTenantMembership, preflightSelection) + server-side authorizeOrAbort() / authorizeBulkSelectionOrAbort().
UiTooltips.php: standard tooltip “Insufficient permission — ask a tenant Owner.”
Filament migrations (away from Gate::… / abort_* to UiEnforcement):
Backup/Restore (mixed visibility)
TenantResource (record-scoped tenant actions + bulk preflight)
Inventory/Entra/ProviderConnections (Tier-2 surfaces)
Guardrails:
NoAdHocFilamentAuthPatternsTest.php as a CI-failing allowlist guard for app/Filament/**.

Behavior / Contract

Non-member: deny-as-not-found (404) on tenant routes; actions hidden.
Member without capability: action visible but disabled + standard tooltip; no execution.
Member with capability: action enabled; destructive/high-impact actions remain confirmation-gated (->requiresConfirmation()).
Server-side enforcement remains in place: mutations/operations call authorizeOrAbort() / authorizeBulkSelectionOrAbort().

Tests

New/extended feature tests for RBAC UX incl. Http::preventStrayRequests() (DB-only render):
BackupSetUiEnforcementTest.php
RestoreRunUiEnforcementTest.php
ProviderConnectionsUiEnforcementTest.php
various existing Filament tests extended (Inventory/Entra/Tenant actions/bulk)
Unit tests:
UiEnforcementTest.php
UiEnforcementBulkPreflightQueryCountTest.php

Verification

vendor/bin/sail bin pint --dirty
vendor/bin/sail artisan test --compact tests/Unit/Auth tests/Feature/Filament tests/Feature/Guards tests/Feature/Rbac (185 passed, 5 skipped)

Notes for reviewers

Filament v5 / Livewire v4 compliant.
Destructive actions: still ->requiresConfirmation() + server-side auth.
Bulk: authorization preflight is set-based (query-count test in place).
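
The three-state contract and the set-based bulk preflight from the description above, as an added PHP example that is not code from this pull request. All function names, the capability string and the grants array are hypothetical; the 403 for a member without the capability and the strictest-result-wins rule for mixed selections are assumptions the description does not state.

```php
<?php
// Added illustration: every name here is hypothetical, not the UiEnforcement API.
enum Decision
{
    case NotFound;  // non-member: action hidden, route answers 404
    case Disabled;  // member without the capability: visible but disabled
    case Allowed;   // member with the capability: enabled
}
function decide(array $grants, int $tenantId, string $capability): Decision
{
    if (!array_key_exists($tenantId, $grants)) {
        return Decision::NotFound;
    }
    return in_array($capability, $grants[$tenantId], true) ? Decision::Allowed : Decision::Disabled;
}

/** UI side: how the action is rendered. */
function uiState(Decision $d): array
{
    return ['visible' => $d !== Decision::NotFound, 'disabled' => $d !== Decision::Allowed];
}

/** Server side: the mutation handler re-derives the decision instead of trusting the UI. */
function serverStatus(Decision $d): int
{
    return match ($d) {
        Decision::NotFound => 404,
        Decision::Disabled => 403, // assumption: the page fixes only the 404 case
        Decision::Allowed  => 200,
    };
}

/** Bulk: $grants is loaded once for the whole selection; the strictest result wins (assumption). */
function bulkDecision(array $grants, array $tenantIds, string $capability): Decision
{
    $results = array_map(fn (int $id) => decide($grants, $id, $capability), array_unique($tenantIds));
    return match (true) {
        in_array(Decision::NotFound, $results, true) => Decision::NotFound,
        in_array(Decision::Disabled, $results, true) => Decision::Disabled,
        default => Decision::Allowed,
    };
}

// Constructed sample (tenant id => capabilities): member of tenants 1 and 2, not of tenant 3.
$grants = [1 => ['backup.restore'], 2 => []];
foreach ([[1], [1, 2], [1, 3]] as $selection) {
    $d = bulkDecision($grants, $selection, 'backup.restore');
    printf("%s => %s, HTTP %d\n", json_encode($selection), $d->name, serverStatus($d));
}
```

Because `uiState()` and `serverStatus()` both take the same `Decision`, a disabled button and a rejected request cannot drift apart.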

ahmido added 6 commits 2026-01-30 17:23:00 +00:00
# Conflicts:
#	app/Filament/Resources/BackupSetResource.php
#	app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php
#	app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php
#	app/Filament/Resources/EntraGroupSyncRunResource/Pages/ListEntraGroupSyncRuns.php
#	app/Filament/Resources/InventoryItemResource.php
#	app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php
#	app/Filament/Resources/InventorySyncRunResource.php
#	app/Filament/Resources/ProviderConnectionResource.php
#	app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php
#	app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php
#	app/Filament/Resources/RestoreRunResource.php
#	app/Filament/Resources/RestoreRunResource/Pages/CreateRestoreRun.php
#	app/Filament/Resources/TenantResource.php
#	app/Filament/Resources/TenantResource/Pages/EditTenant.php
#	specs/066-rbac-ui-enforcement-helper/checklists/requirements.md
#	specs/066-rbac-ui-enforcement-helper/plan.md
#	specs/066-rbac-ui-enforcement-helper/quickstart.md
#	specs/066-rbac-ui-enforcement-helper/spec.md
#	specs/066-rbac-ui-enforcement-helper/tasks.md
#	tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
ahmido added 1 commit 2026-01-30 17:28:01 +00:00
ahmido merged commit d1a9989037 into dev 2026-01-30 17:28:48 +00:00
Reference: ahmido/TenantAtlas#83