TenantAtlas/app/Http/Middleware/EnsureWorkspaceSelected.php

<?php

namespace App\Http\Middleware;

use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
use App\Support\Workspaces\WorkspaceIntendedUrl;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Http\Response as HttpResponse;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Schema;
use Symfony\Component\HttpFoundation\Response;

class EnsureWorkspaceSelected
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $routeName = $request->route()?->getName();

        if (is_string($routeName) && str_contains($routeName, '.auth.')) {
            return $next($request);
        }

        $path = '/'.ltrim($request->path(), '/');

        if ($this->isWorkspaceOptionalPath($request, $path)) {
            return $next($request);
        }

        if (str_starts_with($path, '/admin/t/')) {
            return $next($request);
        }

        $user = $request->user();

        if (! $user instanceof User) {
            return $next($request);
        }

        /** @var WorkspaceContext $context */
        $context = app(WorkspaceContext::class);

        $workspace = $context->resolveInitialWorkspaceFor($user, $request);

        if ($workspace !== null) {
            return $next($request);
        }

        $membershipQuery = WorkspaceMembership::query()->where('user_id', $user->getKey());

        $hasAnyActiveMembership = Schema::hasColumn('workspaces', 'archived_at')
            ? $membershipQuery
                ->join('workspaces', 'workspace_memberships.workspace_id', '=', 'workspaces.id')
                ->whereNull('workspaces.archived_at')
                ->exists()
            : $membershipQuery->exists();

        $canCreateWorkspace = Gate::forUser($user)->check('create', Workspace::class);

        if (! $hasAnyActiveMembership && $this->isOperateHubPath($path)) {
            abort(404);
        }

        if (! $hasAnyActiveMembership && str_starts_with($path, '/admin/tenants')) {
            abort(404);
        }

        $target = ($hasAnyActiveMembership || $canCreateWorkspace)
            ? '/admin/choose-workspace'
            : '/admin/no-access';

        if ($target === '/admin/choose-workspace') {
            WorkspaceIntendedUrl::storeFromRequest($request);
        }

        return new HttpResponse('', 302, ['Location' => $target]);
    }

    private function isWorkspaceOptionalPath(Request $request, string $path): bool
    {
        if (str_starts_with($path, '/admin/workspaces')) {
            return true;
        }

        if (in_array($path, ['/admin/choose-workspace', '/admin/no-access', '/admin/onboarding'], true)) {
            return true;
        }

        if ($path === '/livewire/update') {
            $refererPath = parse_url((string) $request->headers->get('referer', ''), PHP_URL_PATH) ?? '';
            $refererPath = '/'.ltrim((string) $refererPath, '/');

            if (preg_match('#^/admin/operations/[^/]+$#', $refererPath) === 1) {
                return true;
            }
        }

        return preg_match('#^/admin/operations/[^/]+$#', $path) === 1;
    }

    private function isOperateHubPath(string $path): bool
    {
        return in_array($path, [
            '/admin/operations',
            '/admin/alerts',
            '/admin/audit-log',
        ], true);
    }
}