ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
7217559e5a
TenantAtlas/specs/066-rbac-ui-enforcement-helper/contracts/guardrails.md
ahmido 7217559e5a spec/066-rbac-ui-enforcement-helper-v2 (#82) 
Ziel: Spec/Plan/Tasks für “RBAC UI Enforcement Helper v2” (suite-wide, mixed visibility, record-scoped tenant) bereitstellen, damit die anschließende Implementierung sauber reviewbar ist.

Enthält

Feature-Spec inkl. RBAC-UX Contract (Non-member 404/hidden, member-no-cap disabled + Tooltip, member-with-cap enabled).
Implementation Plan + Research/Decisions.
Contracts:
UiEnforcement v2 (mixed visibility composition, tenant resolvers, bulk preflight).
Guardrails (CI-failing allowlist guard gegen ad-hoc Filament auth patterns).
Data-model/Quickstart/Tasks inkl. “Definition of Done”.
Review-Fokus

Scope: Tenant plane only (/admin/t/{tenant}), Platform plane out of scope.
Bulk semantics: authorization-only all-or-nothing; eligibility separat mit Feedback.
preserveVisibility() nur tenant-scoped, verboten für record-scoped/cross-tenant.
Standard tooltip copy: “Insufficient permission — ask a tenant Owner.”
Keine Code-Änderungen

PR ist spec-only (keine Runtime-Änderungen).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #82
2026-01-30 17:22:25 +00:00

1.4 KiB
Raw Blame History

Contract: RBAC Guardrails for Filament (v2)

Branch: 066-rbac-ui-enforcement-helper-v2
Date: 2026-01-30
Spec: /Users/ahmeddarrazi/Documents/projects/TenantAtlas-066-rbac-ui-enforcement-helper-v2/specs/066-rbac-ui-enforcement-helper/spec.md

Goal

Prevent re-introducing ad-hoc RBAC authorization patterns inside app/Filament/** by keeping a CI-failing, allowlist-driven guard.

Guard contract

  • The guard is CI-failing for new violations (no “warnings only” mode).
  • Legacy violations are allowed only via an explicit allowlist.
  • Every v2 migration batch removes allowlist entries for the migrated files.

Forbidden patterns (examples)

The exact pattern list is defined in the guard test, but v2 migrations must remove ad-hoc patterns such as:

  • Gate::... checks inside Filament resources/pages when the enforcement helper is intended.
  • abort_* calls used as the primary UI enforcement mechanism inside Filament resources/pages.
  • Raw policy ability string literals (instead of Capabilities::* constants).
  • Custom RBAC helper patterns that bypass UiEnforcement.

Allowed patterns

  • Capability checks via UiEnforcement and Capabilities::* registry constants.
  • Defense-in-depth server-side authorization inside action handlers (403 for members without capability; 404 for non-members where reachable).
  • Filament action UX patterns: ->requiresConfirmation() for destructive/high-impact actions.