ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
55166cf9b8
TenantAtlas/specs/083-required-permissions-hardening/quickstart.md
ahmido 55166cf9b8 Spec 083: Required permissions hardening (canonical /admin/tenants, DB-only, 404 semantics) (#101) 
Implements Spec 083 (Canonical Required Permissions manage surface hardening + issues-first UX).

Highlights:
- Enforces canonical route: /admin/tenants/{tenant}/required-permissions
- Legacy tenant-plane URL /admin/t/{tenant}/required-permissions stays non-existent (404)
- Deny-as-not-found (404) for non-workspace members and non-tenant-entitled users
- Strict tenant resolution (no cross-plane fallback)
- DB-only render (no external provider calls on page load)
- Issues-first layout + canonical next-step links (re-run verification -> /admin/onboarding)
- Freshness/stale detection (missing or >30 days -> warning)

Tests (Sail):
- vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions
- vendor/bin/sail artisan test --compact tests/Unit/TenantRequiredPermissionsFreshnessTest.php tests/Unit/TenantRequiredPermissionsOverallStatusTest.php

Notes:
- Filament v5 / Livewire v4 compliant.
- No destructive actions added in this spec; link-only CTAs.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #101
2026-02-08 23:13:25 +00:00

1.2 KiB
Raw Blame History

Quickstart — Spec 083

Dev prerequisites

  • Run via Sail (local): Docker + vendor/bin/sail available.

What to validate

Route semantics

  • Canonical (must exist): GET /admin/tenants/{tenant}/required-permissions
  • Legacy (must 404): GET /admin/t/{tenant}/required-permissions

Authorization semantics

  • Non-workspace-member → 404
  • Workspace-member but not tenant-entitled → 404
  • Tenant-entitled (including read-only) → 200

Render behavior

  • Page render uses stored DB data only (no Graph / no outbound HTTP).
  • If no stored permission data exists, page shows "Keine Daten verfügbar" with a canonical CTA to /admin/onboarding.
  • "Technical details" appears after Issues/Passed and is collapsed by default.

Run targeted tests

  • vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions/*
    • (Exact filenames to be created in Phase 2 tasks.)

Manual smoke test

  1. Log in to admin panel.
  2. Select a workspace.
  3. Open /admin/tenants/{external_id}/required-permissions for a tenant you are a member of.
  4. Confirm Summary + Issues-first layout and that "Re-run verification" links to /admin/onboarding.
  5. As a user without tenant entitlement, confirm the same URL returns 404.