ahmido
5ec62cd117
## Summary
- add the shared trusted-state model and resolver helpers for first-slice Livewire and Filament surfaces
- harden managed tenant onboarding, tenant required permissions, and system runbooks against forged or stale public state
- add focused Pest guard and regression coverage plus the complete spec 152 artifact set
## Validation
- `vendor/bin/sail artisan test --compact`
- manual smoke validated on `/admin/onboarding/{onboardingDraft}`
- manual smoke validated on `/admin/tenants/{tenant}/required-permissions`
- manual smoke validated on `/system/ops/runbooks`
## Notes
- Livewire v4.0+ / Filament v5 stack unchanged
- no new panels, routes, assets, or global-search changes
- provider registration remains in `bootstrap/providers.php`
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #182
75 lines
1.8 KiB
PHP
75 lines
1.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Services\System;
|
|
|
|
use App\Models\Tenant;
|
|
use Illuminate\Database\Eloquent\Builder;
|
|
use Illuminate\Validation\ValidationException;
|
|
|
|
class AllowedTenantUniverse
|
|
{
|
|
public const PLATFORM_TENANT_EXTERNAL_ID = 'platform';
|
|
|
|
public function query(): Builder
|
|
{
|
|
return Tenant::query()
|
|
->where('external_id', '!=', self::PLATFORM_TENANT_EXTERNAL_ID);
|
|
}
|
|
|
|
public function isAllowed(Tenant $tenant): bool
|
|
{
|
|
return (string) $tenant->external_id !== self::PLATFORM_TENANT_EXTERNAL_ID;
|
|
}
|
|
|
|
public function ensureAllowed(Tenant $tenant): void
|
|
{
|
|
if ($this->isAllowed($tenant)) {
|
|
return;
|
|
}
|
|
|
|
throw ValidationException::withMessages([
|
|
'tenant_id' => 'This tenant is not eligible for System runbooks.',
|
|
]);
|
|
}
|
|
|
|
public function resolveAllowed(int|string|null $tenantId): ?Tenant
|
|
{
|
|
if (! is_numeric($tenantId)) {
|
|
return null;
|
|
}
|
|
|
|
$tenant = Tenant::query()->whereKey((int) $tenantId)->first();
|
|
|
|
if (! $tenant instanceof Tenant) {
|
|
return null;
|
|
}
|
|
|
|
$this->ensureAllowed($tenant);
|
|
|
|
return $tenant;
|
|
}
|
|
|
|
public function resolveAllowedOrFail(int|string|null $tenantId): Tenant
|
|
{
|
|
if (! is_numeric($tenantId) || (int) $tenantId <= 0) {
|
|
throw ValidationException::withMessages([
|
|
'tenant_id' => 'Select a tenant.',
|
|
]);
|
|
}
|
|
|
|
$tenant = Tenant::query()->whereKey((int) $tenantId)->first();
|
|
|
|
if (! $tenant instanceof Tenant) {
|
|
throw ValidationException::withMessages([
|
|
'tenant_id' => 'Select a valid tenant.',
|
|
]);
|
|
}
|
|
|
|
$this->ensureAllowed($tenant);
|
|
|
|
return $tenant;
|
|
}
|
|
}
|