116 lines
3.0 KiB
PHP
116 lines
3.0 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantMembership;
|
|
use App\Models\User;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\TenantRole;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
/**
|
|
* Capability Resolver
|
|
*
|
|
* Resolves user memberships and capabilities for a given tenant.
|
|
* Caches results per request to avoid N+1 queries.
|
|
*/
|
|
class CapabilityResolver
|
|
{
|
|
private array $resolvedMemberships = [];
|
|
|
|
private array $loggedDenials = [];
|
|
|
|
/**
|
|
* Get the user's role for a tenant
|
|
*/
|
|
public function getRole(User $user, Tenant $tenant): ?TenantRole
|
|
{
|
|
$membership = $this->getMembership($user, $tenant);
|
|
|
|
if ($membership === null) {
|
|
return null;
|
|
}
|
|
|
|
return TenantRole::tryFrom($membership['role']);
|
|
}
|
|
|
|
/**
|
|
* Check if user can perform a capability on a tenant
|
|
*/
|
|
public function can(User $user, Tenant $tenant, string $capability): bool
|
|
{
|
|
if (! Capabilities::isKnown($capability)) {
|
|
throw new \InvalidArgumentException("Unknown capability: {$capability}");
|
|
}
|
|
|
|
$role = $this->getRole($user, $tenant);
|
|
|
|
if ($role === null) {
|
|
$this->logDenial($user, $tenant, $capability);
|
|
|
|
return false;
|
|
}
|
|
|
|
$allowed = RoleCapabilityMap::hasCapability($role, $capability);
|
|
|
|
if (! $allowed) {
|
|
$this->logDenial($user, $tenant, $capability);
|
|
}
|
|
|
|
return $allowed;
|
|
}
|
|
|
|
private function logDenial(User $user, Tenant $tenant, string $capability): void
|
|
{
|
|
$key = implode(':', [(string) $user->getKey(), (string) $tenant->getKey(), $capability]);
|
|
|
|
if (isset($this->loggedDenials[$key])) {
|
|
return;
|
|
}
|
|
|
|
$this->loggedDenials[$key] = true;
|
|
|
|
Log::warning('rbac.denied', [
|
|
'capability' => $capability,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'actor_user_id' => (int) $user->getKey(),
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* Check if user has any membership for a tenant
|
|
*/
|
|
public function isMember(User $user, Tenant $tenant): bool
|
|
{
|
|
return $this->getMembership($user, $tenant) !== null;
|
|
}
|
|
|
|
/**
|
|
* Get membership details (cached per request)
|
|
*/
|
|
private function getMembership(User $user, Tenant $tenant): ?array
|
|
{
|
|
$cacheKey = "membership_{$user->id}_{$tenant->id}";
|
|
|
|
if (! isset($this->resolvedMemberships[$cacheKey])) {
|
|
$membership = TenantMembership::query()
|
|
->where('user_id', $user->id)
|
|
->where('tenant_id', $tenant->id)
|
|
->first(['role', 'source', 'source_ref']);
|
|
|
|
$this->resolvedMemberships[$cacheKey] = $membership?->toArray();
|
|
}
|
|
|
|
return $this->resolvedMemberships[$cacheKey];
|
|
}
|
|
|
|
/**
|
|
* Clear cached memberships (useful for testing or after membership changes)
|
|
*/
|
|
public function clearCache(): void
|
|
{
|
|
$this->resolvedMemberships = [];
|
|
}
|
|
}
|