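currentWorkspace($user);

        if (! $workspace instanceof Workspace) {
            return Response::denyAsNotFound();
        }

        /** @var ManagedEnvironmentAccessScopeResolver $scopeResolver */
        $scopeResolver = app(ManagedEnvironmentAccessScopeResolver::class);

        $entitledTenantsQuery = ManagedEnvironment::query()
            ->where('managed_environments.workspace_id', (int) $workspace->getKey());

        $scopeResolver->applyWorkspaceScopeToQuery(
            query: $entitledTenantsQuery,
            user: $user,
            workspaceId: (int) $workspace->getKey(),
            qualifiedEnvironmentColumn: 'managed_environments.id',
        );

        $entitledTenants = $entitledTenantsQuery->get();

        // NOTE(review): an empty scoped result allows the ability instead of denying it.
        // Presumably this lets a workspace member with no environments reach an empty
        // listing; confirm that every query behind this ability applies the same scope.
        if ($entitledTenants->isEmpty()) {
            return true;
        }

        foreach ($entitledTenants as $tenant) {
            if (Gate::forUser($user)->allows(Capabilities::PROVIDER_VIEW, $tenant)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Decide whether the user may view the given provider connection.
     *
     * @return Response|bool Not-found denial when the workspace, tenant, membership or record
     *                       consistency checks fail; false when PROVIDER_VIEW is not granted.
     */
    public function view(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->authorizeConnectionAccess($user, $connection, Capabilities::PROVIDER_VIEW);
    }

    /**
     * Decide whether the user may create a provider connection.
     *
     * The target environment is taken from the request (see requestedEnvironmentId()) and
     * must belong to the current workspace. The user must be able to access it and hold
     * PROVIDER_MANAGE on it.
     *
     * @return Response|bool Not-found denial when the workspace or environment cannot be
     *                       resolved or the user has no access to it; otherwise the gate result.
     */
    public function create(User $user): Response|bool
    {
        $workspace = $this->currentWorkspace($user);

        if (! $workspace instanceof Workspace) {
            return Response::denyAsNotFound();
        }

        $tenant = $this->resolveCreateTenant($workspace);

        if (! $tenant instanceof ManagedEnvironment || ! $this->isTenantMember($user, $tenant)) {
            return Response::denyAsNotFound();
        }

        if (! Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE, $tenant)) {
            return false;
        }

        return true;
    }

    /**
     * Decide whether the user may update the given provider connection.
     *
     * @return Response|bool Same outcomes as view(), checked against PROVIDER_MANAGE.
     */
    public function update(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->authorizeConnectionAccess($user, $connection, Capabilities::PROVIDER_MANAGE);
    }

    /**
     * Decide whether the user may delete the given provider connection.
     *
     * @return Response|bool Same outcomes as view(), checked against PROVIDER_MANAGE.
     */
    public function delete(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->authorizeConnectionAccess($user, $connection, Capabilities::PROVIDER_MANAGE);
    }

    /**
     * Decide whether the user may manage the dedicated side of a provider connection.
     *
     * update() must return exactly true first; any other result (false or a Response)
     * is passed back unchanged. PROVIDER_MANAGE_DEDICATED is then required on the
     * connection's tenant, in addition to PROVIDER_MANAGE.
     */
    public function manageDedicated(User $user, ProviderConnection $connection): Response|bool
    {
        $baseAccess = $this->update($user, $connection);

        // Strict comparison: a Response object must never be mistaken for "allowed".
        if ($baseAccess !== true) {
            return $baseAccess;
        }

        $tenant = $this->tenantForConnection($connection);

        if (! $tenant instanceof ManagedEnvironment) {
            return Response::denyAsNotFound();
        }

        return Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE_DEDICATED, $tenant);
    }

    /**
     * Same decision as manageDedicated().
     */
    public function changeConnectionType(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->manageDedicated($user, $connection);
    }

    /**
     * Same decision as manageDedicated().
     */
    public function manageDedicatedCredential(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->manageDedicated($user, $connection);
    }

    /**
     * Same decision as manageDedicated().
     */
    public function deleteDedicatedCredential(User $user, ProviderConnection $connection): Response|bool
    {
        return $this->manageDedicated($user, $connection);
    }

    /**
     * Shared decision for view(), update() and delete().
     *
     * The three abilities differ only in the capability they require, so the checks
     * live in one place and cannot drift apart. The order of the checks is the one
     * each ability used before: the capability denial (false) is evaluated before the
     * two record-consistency checks on the connection.
     *
     * @param mixed $capability Capabilities constant, passed to Gate::allows() unchanged.
     */
    private function authorizeConnectionAccess(
        User $user,
        ProviderConnection $connection,
        mixed $capability,
    ): Response|bool {
        $workspace = $this->currentWorkspace($user);

        if (! $workspace instanceof Workspace) {
            return Response::denyAsNotFound();
        }

        $tenant = $this->tenantForConnection($connection);

        // The tenant must live in the workspace the request is currently bound to.
        if (! $tenant instanceof ManagedEnvironment || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
            return Response::denyAsNotFound();
        }

        // Users without access to the tenant get a not-found denial, not a plain denial.
        if (! $this->isTenantMember($user, $tenant)) {
            return Response::denyAsNotFound();
        }

        if (! Gate::forUser($user)->allows($capability, $tenant)) {
            return false;
        }

        // tenantForConnection() may return an already-loaded relation, so the foreign
        // keys on the connection itself are compared against the resolved tenant and
        // workspace as well.
        if ((int) $connection->managed_environment_id !== (int) $tenant->getKey()) {
            return Response::denyAsNotFound();
        }

        if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
            return Response::denyAsNotFound();
        }

        return true;
    }

    /**
     * Resolve the workspace the current request is bound to.
     *
     * @return Workspace|null Null when the context yields no integer id, the workspace
     *                        does not exist, or the user is not a member of it.
     */
    private function currentWorkspace(User $user): ?Workspace
    {
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());

        if (! is_int($workspaceId)) {
            return null;
        }

        $workspace = Workspace::query()->whereKey($workspaceId)->first();

        if (! $workspace instanceof Workspace) {
            return null;
        }

        if (! app(WorkspaceContext::class)->isMember($user, $workspace)) {
            return null;
        }

        return $workspace;
    }

    /**
     * Look up the environment a create request targets, restricted to the given workspace.
     *
     * The id comes from the request, so the workspace_id constraint is what keeps an id
     * from another workspace from resolving.
     */
    private function resolveCreateTenant(Workspace $workspace): ?ManagedEnvironment
    {
        $requestedEnvironmentId = $this->requestedEnvironmentId();

        if ($requestedEnvironmentId === null) {
            return null;
        }

        return ManagedEnvironment::query()
            ->whereKey($requestedEnvironmentId)
            ->where('workspace_id', (int) $workspace->getKey())
            ->first();
    }

    /**
     * Find the environment id the current request refers to.
     *
     * Sources, in order: the `environment_id` query parameter, the Livewire snapshot,
     * Livewire's original URL, and the Referer header. Every one of them is supplied by
     * the client, so the result is only a lookup key: callers must still scope it to the
     * workspace and run the membership and capability checks, as create() does.
     *
     * @return int|null Null when no source yields a valid integer, or when the query
     *                  parameter is an array.
     */
    private function requestedEnvironmentId(): ?int
    {
        $environmentId = request()->query('environment_id');

        if (is_array($environmentId)) {
            return null;
        }

        // Validate with FILTER_VALIDATE_INT, as the snapshot and URL extractors do.
        // is_numeric() also accepts floats and exponent notation ("1.5", "1e3"), which the
        // int cast would turn into a different id than the one written in the URL.
        if (filter_var($environmentId, FILTER_VALIDATE_INT) !== false) {
            return (int) $environmentId;
        }

        try {
            $resolved = $this->extractEnvironmentIdFromLivewireSnapshot();

            if ($resolved !== null) {
                return $resolved;
            }
        } catch (\Throwable) {
            // Ignore and fall back to originalUrl() parsing.
        }

        try {
            $url = LivewireFacade::originalUrl();
            $resolved = $this->extractEnvironmentIdFromUrl($url);

            if ($resolved !== null) {
                return $resolved;
            }
        } catch (\Throwable) {
            // Ignore and fall back to referer header.
        }

        $referer = request()->headers->get('referer');

        if (! is_string($referer) || $referer === '') {
            return null;
        }

        return $this->extractEnvironmentIdFromUrl($referer);
    }

    /**
     * Read `data.environmentId` from the first component snapshot of a Livewire request.
     *
     * Only snapshots whose `memo.name` equals the CreateProviderConnection page class are
     * considered. The snapshot is decoded from raw request input here.
     * NOTE(review): whether Livewire has already verified the snapshot checksum when a
     * policy runs is not visible from this method; treat the value as untrusted.
     */
    private function extractEnvironmentIdFromLivewireSnapshot(): ?int
    {
        if (! request()->headers->has('x-livewire') && ! request()->headers->has('x-livewire-navigate')) {
            return null;
        }

        $snapshotJson = request()->input('components.0.snapshot');

        if (! is_string($snapshotJson) || $snapshotJson === '') {
            return null;
        }

        $snapshot = json_decode($snapshotJson, true);

        if (! is_array($snapshot)) {
            return null;
        }

        $componentName = data_get($snapshot, 'memo.name');

        if (! is_string($componentName) || $componentName !== \App\Filament\Resources\ProviderConnectionResource\Pages\CreateProviderConnection::class) {
            return null;
        }

        $environmentId = data_get($snapshot, 'data.environmentId');

        if (is_array($environmentId) || filter_var($environmentId, FILTER_VALIDATE_INT) === false) {
            return null;
        }

        return (int) $environmentId;
    }

    /**
     * Read an integer `environment_id` from the query string of a URL.
     *
     * @return int|null Null when the URL is empty, has no query string, or the parameter
     *                  is missing, an array, or not a valid integer.
     */
    private function extractEnvironmentIdFromUrl(?string $url): ?int
    {
        if (! is_string($url) || $url === '') {
            return null;
        }

        $query = parse_url($url, PHP_URL_QUERY);

        if (! is_string($query) || $query === '') {
            return null;
        }

        parse_str($query, $params);

        $environmentId = $params['environment_id'] ?? null;

        if (is_array($environmentId) || filter_var($environmentId, FILTER_VALIDATE_INT) === false) {
            return null;
        }

        return (int) $environmentId;
    }

    /**
     * Resolve the environment a connection belongs to.
     *
     * An already-loaded `tenant` relation is used as is; otherwise the environment is
     * queried by the connection's managed_environment_id. Callers compare the connection's
     * foreign keys against the result, so a stale or mismatched loaded relation is rejected
     * there.
     */
    private function tenantForConnection(ProviderConnection $connection): ?ManagedEnvironment
    {
        if ($connection->relationLoaded('tenant') && $connection->tenant instanceof ManagedEnvironment) {
            return $connection->tenant;
        }

        if (is_int($connection->managed_environment_id) || is_numeric($connection->managed_environment_id)) {
            return ManagedEnvironment::query()->whereKey((int) $connection->managed_environment_id)->first();
        }

        return null;
    }

    /**
     * Ask the access scope resolver whether the user can access the environment.
     */
    private function isTenantMember(User $user, ManagedEnvironment $tenant): bool
    {
        return app(ManagedEnvironmentAccessScopeResolver::class)->canAccess($user, $tenant);
    }
}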