ahmido
807d574d31
## Summary - amend the operator UI constitution and related SpecKit templates for the new UI/UX governance rules - add Spec 168 artifacts plus the tenant governance aggregate implementation used by the tenant dashboard, banner, and baseline compare landing surfaces - normalize Filament action surfaces around clickable-row inspection, grouped secondary actions, and explicit action-surface declarations across enrolled resources and pages - fix post-suite regressions in membership cache priming, finding workflow state refresh, tenant review derived-state invalidation, and tenant-bound backup-set related navigation ## Commit Series - `docs: amend operator UI constitution` - `spec: add tenant governance aggregate contract` - `feat: add tenant governance aggregate contract` - `refactor: normalize filament action surfaces` - `fix: resolve post-suite state regressions` ## Testing - `vendor/bin/sail artisan test --compact` - Result: `3176 passed, 8 skipped (17384 assertions)` ## Notes - Livewire v4 / Filament v5 stack remains unchanged - no provider registration changes; `bootstrap/providers.php` remains the relevant location - no new global-search resources or asset-registration changes in this branch Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #199
297 lines
8.6 KiB
PHP
297 lines
8.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Filament\Pages;
|
|
|
|
use App\Filament\Resources\ProviderConnectionResource;
|
|
use App\Filament\Resources\TenantResource;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Services\Intune\TenantRequiredPermissionsViewModelBuilder;
|
|
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
|
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
|
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Pages\Page;
|
|
use Livewire\Attributes\Locked;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
class TenantRequiredPermissions extends Page
|
|
{
|
|
protected static bool $isDiscovered = false;
|
|
|
|
protected static bool $shouldRegisterNavigation = false;
|
|
|
|
protected static ?string $slug = 'tenants/{tenant}/required-permissions';
|
|
|
|
protected static ?string $title = 'Required permissions';
|
|
|
|
protected string $view = 'filament.pages.tenant-required-permissions';
|
|
|
|
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
|
{
|
|
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
|
|
->exempt(ActionSurfaceSlot::ListHeader, 'Required permissions keeps guidance, copy flows, and filter reset actions inside body sections instead of page header actions.')
|
|
->exempt(ActionSurfaceSlot::InspectAffordance, 'Required permissions rows are reviewed inline inside the diagnostic matrix and do not open a separate inspect destination.')
|
|
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Permission rows are read-only and do not expose row-level secondary actions.')
|
|
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Required permissions does not expose bulk actions.')
|
|
->satisfy(ActionSurfaceSlot::ListEmptyState, 'The inline permissions matrix provides purposeful no-data, all-clear, and no-matches states with verification or reset guidance.');
|
|
}
|
|
|
|
public string $status = 'missing';
|
|
|
|
public string $type = 'all';
|
|
|
|
/**
|
|
* @var array<int, string>
|
|
*/
|
|
public array $features = [];
|
|
|
|
public string $search = '';
|
|
|
|
/**
|
|
* @var array<string, mixed>
|
|
*/
|
|
public array $viewModel = [];
|
|
|
|
#[Locked]
|
|
public ?int $scopedTenantId = null;
|
|
|
|
public static function canAccess(): bool
|
|
{
|
|
return static::hasScopedTenantAccess(static::resolveScopedTenant());
|
|
}
|
|
|
|
public function currentTenant(): ?Tenant
|
|
{
|
|
return $this->trustedScopedTenant();
|
|
}
|
|
|
|
public function mount(): void
|
|
{
|
|
$tenant = static::resolveScopedTenant();
|
|
|
|
if (! $tenant instanceof Tenant || ! static::hasScopedTenantAccess($tenant)) {
|
|
abort(404);
|
|
}
|
|
|
|
$this->scopedTenantId = (int) $tenant->getKey();
|
|
$this->heading = $tenant->getFilamentName();
|
|
$this->subheading = 'Required permissions';
|
|
|
|
$queryFeatures = request()->query('features', $this->features);
|
|
|
|
$state = TenantRequiredPermissionsViewModelBuilder::normalizeFilterState([
|
|
'status' => request()->query('status', $this->status),
|
|
'type' => request()->query('type', $this->type),
|
|
'features' => is_array($queryFeatures) ? $queryFeatures : [],
|
|
'search' => request()->query('search', $this->search),
|
|
]);
|
|
|
|
$this->status = $state['status'];
|
|
$this->type = $state['type'];
|
|
$this->features = $state['features'];
|
|
$this->search = $state['search'];
|
|
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function updatedStatus(): void
|
|
{
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function updatedType(): void
|
|
{
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function updatedFeatures(): void
|
|
{
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function updatedSearch(): void
|
|
{
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function applyFeatureFilter(string $feature): void
|
|
{
|
|
$feature = trim($feature);
|
|
|
|
if ($feature === '') {
|
|
return;
|
|
}
|
|
|
|
if (in_array($feature, $this->features, true)) {
|
|
$this->features = array_values(array_filter(
|
|
$this->features,
|
|
static fn (string $value): bool => $value !== $feature,
|
|
));
|
|
} else {
|
|
$this->features[] = $feature;
|
|
}
|
|
|
|
$this->features = array_values(array_unique($this->features));
|
|
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function clearFeatureFilter(): void
|
|
{
|
|
$this->features = [];
|
|
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
public function resetFilters(): void
|
|
{
|
|
$this->status = 'missing';
|
|
$this->type = 'all';
|
|
$this->features = [];
|
|
$this->search = '';
|
|
|
|
$this->refreshViewModel();
|
|
}
|
|
|
|
private function refreshViewModel(): void
|
|
{
|
|
$tenant = $this->trustedScopedTenant();
|
|
|
|
if (! $tenant instanceof Tenant) {
|
|
$this->viewModel = [];
|
|
|
|
return;
|
|
}
|
|
|
|
$builder = app(TenantRequiredPermissionsViewModelBuilder::class);
|
|
|
|
$this->viewModel = $builder->build($tenant, [
|
|
'status' => $this->status,
|
|
'type' => $this->type,
|
|
'features' => $this->features,
|
|
'search' => $this->search,
|
|
]);
|
|
|
|
$filters = $this->viewModel['filters'] ?? null;
|
|
|
|
if (is_array($filters)) {
|
|
$this->status = (string) ($filters['status'] ?? $this->status);
|
|
$this->type = (string) ($filters['type'] ?? $this->type);
|
|
$this->features = is_array($filters['features'] ?? null) ? $filters['features'] : $this->features;
|
|
$this->search = (string) ($filters['search'] ?? $this->search);
|
|
}
|
|
}
|
|
|
|
public function reRunVerificationUrl(): string
|
|
{
|
|
$tenant = $this->trustedScopedTenant();
|
|
|
|
if ($tenant instanceof Tenant) {
|
|
return TenantResource::getUrl('view', ['record' => $tenant]);
|
|
}
|
|
|
|
return route('admin.onboarding');
|
|
}
|
|
|
|
public function manageProviderConnectionUrl(): ?string
|
|
{
|
|
$tenant = $this->trustedScopedTenant();
|
|
|
|
if (! $tenant instanceof Tenant) {
|
|
return null;
|
|
}
|
|
|
|
return ProviderConnectionResource::getUrl('index', ['tenant' => $tenant], panel: 'admin');
|
|
}
|
|
|
|
protected static function resolveScopedTenant(): ?Tenant
|
|
{
|
|
$routeTenant = request()->route('tenant');
|
|
|
|
if ($routeTenant instanceof Tenant) {
|
|
return $routeTenant;
|
|
}
|
|
|
|
if (is_string($routeTenant) && $routeTenant !== '') {
|
|
return Tenant::query()
|
|
->where('external_id', $routeTenant)
|
|
->first();
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
private static function hasScopedTenantAccess(?Tenant $tenant): bool
|
|
{
|
|
$user = auth()->user();
|
|
|
|
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
|
return false;
|
|
}
|
|
|
|
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
|
|
|
if ($workspaceId === null || (int) $tenant->workspace_id !== (int) $workspaceId) {
|
|
return false;
|
|
}
|
|
|
|
$isWorkspaceMember = WorkspaceMembership::query()
|
|
->where('workspace_id', (int) $workspaceId)
|
|
->where('user_id', (int) $user->getKey())
|
|
->exists();
|
|
|
|
if (! $isWorkspaceMember) {
|
|
return false;
|
|
}
|
|
|
|
return $user->canAccessTenant($tenant);
|
|
}
|
|
|
|
private function trustedScopedTenant(): ?Tenant
|
|
{
|
|
$user = auth()->user();
|
|
|
|
if (! $user instanceof User) {
|
|
return null;
|
|
}
|
|
|
|
$workspaceContext = app(WorkspaceContext::class);
|
|
|
|
try {
|
|
$workspace = $workspaceContext->currentWorkspaceForMemberOrFail($user, request());
|
|
} catch (NotFoundHttpException) {
|
|
return null;
|
|
}
|
|
|
|
$routeTenant = static::resolveScopedTenant();
|
|
|
|
if ($routeTenant instanceof Tenant) {
|
|
try {
|
|
return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($routeTenant, $user, request());
|
|
} catch (NotFoundHttpException) {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
if ($this->scopedTenantId === null) {
|
|
return null;
|
|
}
|
|
|
|
$tenant = Tenant::query()->withTrashed()->whereKey($this->scopedTenantId)->first();
|
|
|
|
if (! $tenant instanceof Tenant) {
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($tenant, $user, request());
|
|
} catch (NotFoundHttpException) {
|
|
return null;
|
|
}
|
|
}
|
|
}
|