ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity
200498fa8e
TenantAtlas/app/Filament/Resources/PolicyResource/Pages/ViewPolicy.php
ahmido 90bfe1516e feat(spec-090): action surface contract compliance (#108) 
Implements Spec 090 (Action Surface Contract Compliance & RBAC Hardening).

Highlights:
- Adds/updates action surface declarations and shrinks baseline exemptions.
- Standardizes Filament action grouping/order and empty-state CTAs.
- Enforces RBAC UX semantics (non-member -> 404, member w/o capability -> disabled + tooltip, server-side 403).
- Adds audit logging for successful side-effect actions.
- Fixes Provider Connections list context so header create + row actions resolve tenant correctly.

Tests (focused):
- vendor/bin/sail artisan test --compact tests/Feature/090/
- vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php
- vendor/bin/sail bin pint --dirty

Livewire/Filament:
- Filament v5 + Livewire v4 compliant.
- No panel provider registration changes (Laravel 11+ registration remains in bootstrap/providers.php).

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #108
2026-02-13 01:30:22 +00:00

162 lines
6.9 KiB
PHP
Raw Blame History

<?php
namespace App\Filament\Resources\PolicyResource\Pages;
use App\Filament\Resources\PolicyResource;
use App\Jobs\CapturePolicySnapshotJob;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Services\Operations\BulkSelectionIdentity;
use App\Support\Auth\Capabilities;
use App\Support\OperationRunLinks;
use App\Support\OpsUx\OperationUxPresenter;
use App\Support\Rbac\UiEnforcement;
use Filament\Actions\Action;
use Filament\Forms;
use Filament\Notifications\Notification;
use Filament\Resources\Pages\ViewRecord;
use Filament\Support\Enums\Width;
use Illuminate\Support\Str;
class ViewPolicy extends ViewRecord
{
protected static string $resource = PolicyResource::class;
protected Width|string|null $maxContentWidth = Width::Full;
protected function getActions(): array
{
return [$this->makeCaptureSnapshotAction()];
}
private function makeCaptureSnapshotAction(): Action
{
$action = UiEnforcement::forAction(
Action::make('capture_snapshot')
->label('Capture snapshot')
->requiresConfirmation()
->modalHeading('Capture snapshot now')
->modalSubheading('This queues a background job that fetches the latest configuration from Microsoft Graph and stores a new policy version.')
->form([
Forms\Components\Checkbox::make('include_assignments')
->label('Include assignments')
->default(true)
->helperText('Captures assignment include/exclude targeting and filters.'),
Forms\Components\Checkbox::make('include_scope_tags')
->label('Include scope tags')
->default(true)
->helperText('Captures policy scope tag IDs.'),
])
->action(function (array $data, AuditLogger $auditLogger) {
$policy = $this->record;
$tenant = $policy->tenant;
$user = auth()->user();
if (! $tenant || ! $user) {
Notification::make()
->title('Missing tenant or user context.')
->danger()
->send();
return;
}
/** @var BulkSelectionIdentity $selection */
$selection = app(BulkSelectionIdentity::class);
$selectionIdentity = $selection->fromIds([(string) $policy->getKey()]);
/** @var OperationRunService $runs */
$runs = app(OperationRunService::class);
$includeAssignments = (bool) ($data['include_assignments'] ?? false);
$includeScopeTags = (bool) ($data['include_scope_tags'] ?? false);
$opRun = $runs->enqueueBulkOperation(
tenant: $tenant,
type: 'policy.capture_snapshot',
targetScope: [
'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
],
selectionIdentity: $selectionIdentity,
dispatcher: function ($operationRun) use ($tenant, $policy, $user, $includeAssignments, $includeScopeTags): void {
CapturePolicySnapshotJob::dispatch(
tenantId: (int) $tenant->getKey(),
userId: (int) $user->getKey(),
policyId: (int) $policy->getKey(),
includeAssignments: $includeAssignments,
includeScopeTags: $includeScopeTags,
createdBy: $user->email ? Str::limit($user->email, 255, '') : null,
operationRun: $operationRun,
context: [],
);
},
initiator: $user,
extraContext: [
'policy_id' => (int) $policy->getKey(),
'include_assignments' => $includeAssignments,
'include_scope_tags' => $includeScopeTags,
],
emitQueuedNotification: false,
);
if (! $opRun->wasRecentlyCreated) {
Notification::make()
->title('Snapshot already in progress')
->body('An active run already exists for this policy. Opening run details.')
->actions([
\Filament\Actions\Action::make('view_run')
->label('View run')
->url(OperationRunLinks::view($opRun, $tenant)),
])
->info()
->send();
$this->redirect(OperationRunLinks::view($opRun, $tenant));
return;
}
$auditLogger->log(
tenant: $tenant,
action: 'policy.capture_snapshot_dispatched',
resourceType: 'operation_run',
resourceId: (string) $opRun->getKey(),
status: 'success',
context: [
'metadata' => [
'policy_id' => (int) $policy->getKey(),
'operation_run_id' => (int) $opRun->getKey(),
'include_assignments' => $includeAssignments,
'include_scope_tags' => $includeScopeTags,
],
],
actorId: (int) $user->getKey(),
actorEmail: $user->email,
actorName: $user->name,
);
OperationUxPresenter::queuedToast('policy.capture_snapshot')
->actions([
\Filament\Actions\Action::make('view_run')
->label('View run')
->url(OperationRunLinks::view($opRun, $tenant)),
])
->send();
$this->redirect(OperationRunLinks::view($opRun, $tenant));
})
->color('primary')
)
->requireCapability(Capabilities::TENANT_SYNC)
->tooltip('You do not have permission to capture policy snapshots.')
->apply();
if (! $action instanceof Action) {
throw new \RuntimeException('Capture snapshot action must resolve to a Filament action.');
}
return $action;
}
}
Reference in New Issue View Git Blame Copy Permalink