ahmido
eef85af990
Kurzbeschreibung Implementiert Tenant RBAC v1 (specs/062-tenant-rbac-v1): tenant_memberships, Capability registry/resolver, gates, Filament RelationManager für Tenant→Members, Last‑Owner‑Guard, bootstrap assign/recover (break‑glass), Audit-Logging. Wichtige Änderungen Migration: create_tenant_memberships_table (T004) — ausgeführt Models/Services: TenantMembership, Capabilities, RoleCapabilityMap, CapabilityResolver (T008–T013) Auth: Gates registriert in AuthServiceProvider.php (T011) Filament: RelationManager unter Settings → Tenants (Members CRUD + Last‑Owner‑Guard) (T017–T018) Break‑glass: lokale platform superadmin + persistent banner + bootstrap_recover action (T024–T026) Audit: Audit‑Einträge für membership actions mit canonical action_ids (T022) Tests: neue/aktualisierte Feature- und Unit‑Tests (siehe Test‑Abschnitt) Migrations / Deploy Run migrations: vendor/bin/sail artisan migrate Keine neuen Panel‑Assets registriert (kein php artisan filament:assets nötig) Wenn Frontend nicht sichtbar: vendor/bin/sail npm run dev oder vendor/bin/sail npm run build Tests (geprüft / neu) Fokus-Suite ausgeführt für Tenant RBAC (T031). Neu / aktualisiert: CapabilitiesRegistryTest CapabilityResolverTest TenantSwitcherScopeTest TenantRouteDenyAsNotFoundTest TenantMembershipCrudTest LastOwnerGuardTest TenantBootstrapAssignTest MembershipAuditLogTest BreakGlassRecoveryTest Befehl zum lokalen Ausführen (minimal): vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure Filament / Sicherheits‑Contract (erforderliche Punkte) Livewire v4.0+ compliance: bestätigt (Filament v5 target). Provider registration: keine neue Panel‑Provider-Änderung; falls nötig: providers.php (Laravel 11+). Globale Suche: keine neuen Ressourcen für Global Search hinzugefügt; vorhandene Ressourcen behalten Edit/View‑Pages unverändert. Destructive actions: tenant_membership.remove und role‑demote sind destruktive — implemented via Action::make(...)->action(...)->requiresConfirmation() + policy checks. Asset strategy: keine globalen Assets; on‑demand/load as before. Deployment: filament:assets nicht erforderlich für diese PR. Testing plan: Livewire/Filament Komponenten + actions abgedeckt — RelationManager CRUD, Last‑Owner‑Guard, BreakGlassRecovery, CapabilityResolver/Registry, Tenant switcher + deny‑as‑not‑found route tests. Offene/optionale Punkte T005/T028/T029 (tenant_role_mappings migration + UI + Tests) sind optional und noch nicht umgesetzt. Checklist (aus tasks.md) T001–T003 Discovery T004, T006–T007 Migrations (T005 optional) T008–T013 Models/Capabilities/Gates T014–T016 Tenant isolation & route enforcement T017–T021 Membership UI + bootstrap flows T022–T023 Audit logging + tests T024–T027 Break‑glass flows & tests T005, T028, T029 Optional mappings T030–T031 Formatting + focused tests Migration / Test commands to run locally vendor/bin/sail up -d vendor/bin/sail artisan migrate vendor/bin/sail artisan tinker (falls manuell Benutzer/Flags setzen) vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure Wenn du einen PR‑Titel und Labels willst, schlage ich vor: Title: feat(062): Tenant RBAC v1 — memberships, capability resolver, break‑glass recovery Labels: feature, tests, migration Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #74
54 lines
1.3 KiB
PHP
54 lines
1.3 KiB
PHP
<?php
|
|
|
|
namespace App\Support\Auth;
|
|
|
|
/**
|
|
* Canonical Capability Registry
|
|
*
|
|
* This is the single source of truth for all capability strings in the system.
|
|
* All role-to-capability mappings must reference only these constants.
|
|
*/
|
|
class Capabilities
|
|
{
|
|
// Tenants
|
|
public const TENANT_VIEW = 'tenant.view';
|
|
|
|
public const TENANT_MANAGE = 'tenant.manage';
|
|
|
|
public const TENANT_DELETE = 'tenant.delete';
|
|
|
|
public const TENANT_SYNC = 'tenant.sync';
|
|
|
|
// Tenant memberships
|
|
public const TENANT_MEMBERSHIP_VIEW = 'tenant_membership.view';
|
|
|
|
public const TENANT_MEMBERSHIP_MANAGE = 'tenant_membership.manage';
|
|
|
|
// Optional mappings (no Graph resolution in v1)
|
|
public const TENANT_ROLE_MAPPING_VIEW = 'tenant_role_mapping.view';
|
|
|
|
public const TENANT_ROLE_MAPPING_MANAGE = 'tenant_role_mapping.manage';
|
|
|
|
// Providers (existing gate names used throughout the app)
|
|
public const PROVIDER_VIEW = 'provider.view';
|
|
|
|
public const PROVIDER_MANAGE = 'provider.manage';
|
|
|
|
public const PROVIDER_RUN = 'provider.run';
|
|
|
|
// Audit
|
|
public const AUDIT_VIEW = 'audit.view';
|
|
|
|
/**
|
|
* Get all capability constants
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function all(): array
|
|
{
|
|
$reflection = new \ReflectionClass(self::class);
|
|
|
|
return array_values($reflection->getConstants());
|
|
}
|
|
}
|