ahmido
a989ef1a23
Implements specs 070–072 (workspace foundation, workspace-scoped tenant selection, managed-tenants workspace enforcement).
Highlights
- Adds Workspace + WorkspaceMembership models/migrations + middleware to persist/enforce current workspace context.
- Scopes tenant selection to the current workspace.
- Makes legacy `/admin/managed-tenants*` routes redirect into workspace-scoped URLs.
- Enforces tenant routes under `/admin/t/{tenant}` to 404 when workspace context is missing or mismatched.
- Fixes Filament page Blade wrappers so header actions render on choose-workspace / choose-tenant / no-access pages.
Verification
- Pint: `vendor/bin/sail bin pint --dirty`
- Tests: `vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php tests/Feature/Workspaces tests/Feature/Filament/ChooseTenantIsWorkspaceScopedTest.php tests/Feature/Filament/ChooseTenantRequiresWorkspaceTest.php tests/Feature/Filament/TenantSwitcherUrlResolvesTenantTest.php tests/Feature/ManagedTenants tests/Feature/AdminNewRedirectTest.php`
Notes
- Filament v5 / Livewire v4 compatible.
- Panel provider registration stays in `bootstrap/providers.php` (Laravel 11+ rule).
- No new heavy frontend assets added.
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #85
109 lines
3.0 KiB
PHP
109 lines
3.0 KiB
PHP
<?php
|
|
|
|
namespace App\Policies;
|
|
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Services\Auth\WorkspaceCapabilityResolver;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Auth\WorkspaceRole;
|
|
|
|
class WorkspaceMembershipPolicy
|
|
{
|
|
/**
|
|
* Determine whether the user can view any models.
|
|
*/
|
|
public function viewAny(User $user): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can view the model.
|
|
*/
|
|
public function view(User $user, WorkspaceMembership $workspaceMembership): bool
|
|
{
|
|
/** @var WorkspaceCapabilityResolver $resolver */
|
|
$resolver = app(WorkspaceCapabilityResolver::class);
|
|
|
|
return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_VIEW);
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can create models.
|
|
*/
|
|
public function create(User $user): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can update the model.
|
|
*/
|
|
public function update(User $user, WorkspaceMembership $workspaceMembership): bool
|
|
{
|
|
if ($this->isLastOwner($workspaceMembership)) {
|
|
return false;
|
|
}
|
|
|
|
/** @var WorkspaceCapabilityResolver $resolver */
|
|
$resolver = app(WorkspaceCapabilityResolver::class);
|
|
|
|
return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can delete the model.
|
|
*/
|
|
public function delete(User $user, WorkspaceMembership $workspaceMembership): bool
|
|
{
|
|
if ($this->isLastOwner($workspaceMembership)) {
|
|
return false;
|
|
}
|
|
|
|
/** @var WorkspaceCapabilityResolver $resolver */
|
|
$resolver = app(WorkspaceCapabilityResolver::class);
|
|
|
|
return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can restore the model.
|
|
*/
|
|
public function restore(User $user, WorkspaceMembership $workspaceMembership): bool
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Determine whether the user can permanently delete the model.
|
|
*/
|
|
public function forceDelete(User $user, WorkspaceMembership $workspaceMembership): bool
|
|
{
|
|
return false;
|
|
}
|
|
|
|
public function manageForWorkspace(User $user, Workspace $workspace): bool
|
|
{
|
|
/** @var WorkspaceCapabilityResolver $resolver */
|
|
$resolver = app(WorkspaceCapabilityResolver::class);
|
|
|
|
return $resolver->can($user, $workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
|
|
}
|
|
|
|
private function isLastOwner(WorkspaceMembership $membership): bool
|
|
{
|
|
if ($membership->role !== WorkspaceRole::Owner->value) {
|
|
return false;
|
|
}
|
|
|
|
$ownerCount = WorkspaceMembership::query()
|
|
->where('workspace_id', $membership->workspace_id)
|
|
->where('role', WorkspaceRole::Owner->value)
|
|
->count();
|
|
|
|
return $ownerCount <= 1;
|
|
}
|
|
}
|