ahmido
210cf5ce8b
Implements 064-auth-structure (Auth Structure v1.0): Adds platform_users + PlatformUser identity (factory + seeder) for platform operators Introduces platform auth guard/provider in auth.php Adds a dedicated Filament v5 System panel at system using guard platform (custom login + dashboard) Enforces strict cross-scope isolation between /admin and system (deny-as-404) Adds platform capability gating (platform.access_system_panel, platform.use_break_glass) + gates in AuthServiceProvider Implements audited break-glass mode (enter/exit/expire), banner via render hook, feature flag + TTL config Removes legacy users.is_platform_superadmin runtime usage and adds an architecture test to prevent regressions Updates tenant membership pivot usage where needed (tenant_memberships) Testing: vendor/bin/sail artisan test --compact tests/Feature/Auth (28 passed) vendor/bin/sail bin pint --dirty Notes: Filament v5 / Livewire v4 compatible. Panel providers registered in providers.php. Destructive actions use ->action(...) + ->requiresConfirmation() where applicable. Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #77
58 lines
1.9 KiB
PHP
58 lines
1.9 KiB
PHP
<?php
|
|
|
|
namespace App\Providers;
|
|
|
|
use App\Models\PlatformUser;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Policies\ProviderConnectionPolicy;
|
|
use App\Services\Auth\CapabilityResolver;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Auth\PlatformCapabilities;
|
|
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
|
|
use Illuminate\Support\Facades\Gate;
|
|
|
|
class AuthServiceProvider extends ServiceProvider
|
|
{
|
|
protected $policies = [
|
|
ProviderConnection::class => ProviderConnectionPolicy::class,
|
|
];
|
|
|
|
public function boot(): void
|
|
{
|
|
$this->registerPolicies();
|
|
|
|
$resolver = app(CapabilityResolver::class);
|
|
|
|
$defineTenantCapability = function (string $capability) use ($resolver): void {
|
|
Gate::define($capability, function (User $user, Tenant $tenant) use ($resolver, $capability): bool {
|
|
return $resolver->can($user, $tenant, $capability);
|
|
});
|
|
};
|
|
|
|
foreach ([
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_RUN,
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_MEMBERSHIP_MANAGE,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_MANAGE,
|
|
Capabilities::AUDIT_VIEW,
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_DELETE,
|
|
Capabilities::TENANT_SYNC,
|
|
] as $capability) {
|
|
$defineTenantCapability($capability);
|
|
}
|
|
|
|
foreach (PlatformCapabilities::all() as $capability) {
|
|
Gate::define($capability, function (PlatformUser $user) use ($capability): bool {
|
|
return $user->hasCapability($capability);
|
|
});
|
|
}
|
|
}
|
|
}
|