ahmido
3f09fd50f6
Implements Spec 080: split Filament into workspace-managed `/admin/*` (manage) vs tenant operations `/admin/t/{tenant}/*` (operate).
Highlights:
- Adds tenant operations panel (`tenant`) at `/admin/t` with tenancy by `Tenant.external_id`
- Keeps management resources in workspace panel (`admin`) under `/admin/tenants/*`
- Moves Provider Connections to workspace-managed routes: `/admin/tenants/{tenant}/provider-connections`
- Adds discoverability CTA on tenant view (Actions → Provider connections)
- Adds/updates Pest regression tests for routing boundaries, 404/403 RBAC-UX semantics, and global search isolation
- Includes full Spec Kit artifacts under `specs/080-workspace-managed-tenant-admin/`
Validation:
- `vendor/bin/sail bin pint --dirty`
- `vendor/bin/sail artisan test --compact tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #97
156 lines
4.3 KiB
PHP
156 lines
4.3 KiB
PHP
<?php
|
|
|
|
namespace App\Policies;
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Illuminate\Auth\Access\HandlesAuthorization;
|
|
use Illuminate\Auth\Access\Response;
|
|
use Illuminate\Support\Facades\Gate;
|
|
|
|
class ProviderConnectionPolicy
|
|
{
|
|
use HandlesAuthorization;
|
|
|
|
public function viewAny(User $user): bool
|
|
{
|
|
$workspace = $this->currentWorkspace();
|
|
if (! $workspace instanceof Workspace) {
|
|
return false;
|
|
}
|
|
|
|
$tenant = $this->currentTenant();
|
|
|
|
return $tenant instanceof Tenant
|
|
&& (int) $tenant->workspace_id === (int) $workspace->getKey()
|
|
&& Gate::forUser($user)->allows('provider.view', $tenant);
|
|
}
|
|
|
|
public function view(User $user, ProviderConnection $connection): Response|bool
|
|
{
|
|
$workspace = $this->currentWorkspace();
|
|
if (! $workspace instanceof Workspace) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
$tenant = $this->currentTenant();
|
|
|
|
if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if (! Gate::forUser($user)->allows('provider.view', $tenant)) {
|
|
return false;
|
|
}
|
|
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
public function create(User $user): bool
|
|
{
|
|
$workspace = $this->currentWorkspace();
|
|
if (! $workspace instanceof Workspace) {
|
|
return false;
|
|
}
|
|
|
|
$tenant = $this->currentTenant();
|
|
|
|
return $tenant instanceof Tenant
|
|
&& (int) $tenant->workspace_id === (int) $workspace->getKey()
|
|
&& Gate::forUser($user)->allows('provider.manage', $tenant);
|
|
}
|
|
|
|
public function update(User $user, ProviderConnection $connection): Response|bool
|
|
{
|
|
$workspace = $this->currentWorkspace();
|
|
if (! $workspace instanceof Workspace) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
$tenant = $this->currentTenant();
|
|
|
|
if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if (! Gate::forUser($user)->allows('provider.view', $tenant)) {
|
|
return false;
|
|
}
|
|
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
public function delete(User $user, ProviderConnection $connection): Response|bool
|
|
{
|
|
$workspace = $this->currentWorkspace();
|
|
if (! $workspace instanceof Workspace) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
$tenant = $this->currentTenant();
|
|
|
|
if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if (! Gate::forUser($user)->allows('provider.manage', $tenant)) {
|
|
return false;
|
|
}
|
|
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
|
|
return Response::denyAsNotFound();
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
private function currentWorkspace(): ?Workspace
|
|
{
|
|
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
|
|
|
return is_int($workspaceId)
|
|
? Workspace::query()->whereKey($workspaceId)->first()
|
|
: null;
|
|
}
|
|
|
|
private function currentTenant(): ?Tenant
|
|
{
|
|
$tenant = request()->route('tenant');
|
|
|
|
if ($tenant instanceof Tenant) {
|
|
return $tenant;
|
|
}
|
|
|
|
if (is_string($tenant) && $tenant !== '') {
|
|
return Tenant::query()
|
|
->where('external_id', $tenant)
|
|
->first();
|
|
}
|
|
|
|
return Tenant::current();
|
|
}
|
|
}
|