ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
dev
TenantAtlas/specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/quickstart.md
ahmido 1f3619bd16 feat: tenant-owned query canon and wrong-tenant guards (#180) 
## Summary
- introduce a shared tenant-owned query and record-resolution canon for first-slice Filament resources
- harden direct views, row actions, bulk actions, relation managers, and workspace-admin canonical viewers against wrong-tenant access
- add registry-backed rollout metadata, search posture handling, architectural guards, and focused Pest coverage for scope parity and 404/403 semantics

## Included
- Spec 150 package under `specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/`
- shared support classes: `TenantOwnedModelFamilies`, `TenantOwnedQueryScope`, `TenantOwnedRecordResolver`
- shared Filament concern: `InteractsWithTenantOwnedRecords`
- resource/page/policy hardening across findings, policies, policy versions, backup schedules, backup sets, restore runs, inventory items, and Entra groups
- additional regression coverage for canonical tenant state, wrong-tenant record resolution, relation-manager congruence, and action-surface guardrails

## Validation
- `vendor/bin/sail artisan test --compact` passed
- full suite result: `2733 passed, 8 skipped`
- formatting applied with `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Livewire v4.0+ compliant via existing Filament v5 stack
- provider registration remains in `bootstrap/providers.php`
- globally searchable first-slice posture: Entra groups scoped; policies and policy versions explicitly disabled
- destructive actions continue to use confirmation and policy authorization
- no new Filament assets added; existing deployment flow remains unchanged, including `php artisan filament:assets` when registered assets are used

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #180
2026-03-18 08:33:13 +00:00

45 lines
2.2 KiB
Markdown
Raw Permalink Blame History

# Quickstart: Tenant-Owned Query Canon and Wrong-Tenant Guards
## Goal
Implement a reusable tenant-owned query contract that keeps list, detail, search, relation-manager, and protected action paths aligned to the same tenant boundary.
## Suggested Implementation Order
1. Identify the first-slice family inventory from `TenantOwnedTables` and map each family to its primary Filament surface.
2. Introduce the shared tenant-owned query and explicit record-resolution helper(s) for representative families.
3. Migrate representative resources to the shared helper, starting with `EntraGroupResource`, `PolicyResource`, `PolicyVersionResource`, `BackupScheduleResource`, `BackupSetResource`, `RestoreRunResource`, `FindingResource`, and `InventoryItemResource`.
4. Update relation managers in the first slice so their action targets prove owner-record and tenant congruence.
5. Align global search posture per family: keep it scoped where parity exists, disable it deliberately where parity still does not exist.
6. Add the wrong-tenant regression matrix and the lightweight architectural guard.
## Expected Code Areas
- `app/Filament/Concerns/`
- `app/Filament/Resources/`
- `app/Policies/`
- `app/Support/WorkspaceIsolation/`
- `routes/web.php`
- `tests/Feature/Filament/`
- `tests/Feature/Rbac/`
- `tests/Feature/Guards/`
## Verification Flow
Run the minimum relevant checks through Sail:
```bash
vendor/bin/sail artisan test --compact tests/Feature/Filament/EntraGroupAdminScopeTest.php
vendor/bin/sail artisan test --compact tests/Feature/BackupScheduling/BackupScheduleAdminTenantParityTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
vendor/bin/sail artisan test --compact tests/Feature/Rbac
vendor/bin/sail bin pint --dirty --format agent
```
## Completion Criteria
- Representative tenant-owned families share one canonical query and lookup pattern.
- Wrong-tenant index, detail, relation-manager, and protected action regressions are covered.
- Global search is either safely scoped or explicitly disabled per family.
- Guard coverage prevents new forbidden query patterns on covered surfaces.
Reference in New Issue View Git Blame Copy Permalink