ahmido
a989ef1a23
Implements specs 070–072 (workspace foundation, workspace-scoped tenant selection, managed-tenants workspace enforcement).
Highlights
- Adds Workspace + WorkspaceMembership models/migrations + middleware to persist/enforce current workspace context.
- Scopes tenant selection to the current workspace.
- Makes legacy `/admin/managed-tenants*` routes redirect into workspace-scoped URLs.
- Enforces tenant routes under `/admin/t/{tenant}` to 404 when workspace context is missing or mismatched.
- Fixes Filament page Blade wrappers so header actions render on choose-workspace / choose-tenant / no-access pages.
Verification
- Pint: `vendor/bin/sail bin pint --dirty`
- Tests: `vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php tests/Feature/Workspaces tests/Feature/Filament/ChooseTenantIsWorkspaceScopedTest.php tests/Feature/Filament/ChooseTenantRequiresWorkspaceTest.php tests/Feature/Filament/TenantSwitcherUrlResolvesTenantTest.php tests/Feature/ManagedTenants tests/Feature/AdminNewRedirectTest.php`
Notes
- Filament v5 / Livewire v4 compatible.
- Panel provider registration stays in `bootstrap/providers.php` (Laravel 11+ rule).
- No new heavy frontend assets added.
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #85
101 lines
2.7 KiB
PHP
101 lines
2.7 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Auth\WorkspaceRole;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
/**
|
|
* Workspace Capability Resolver
|
|
*
|
|
* Resolves user memberships and capabilities for a given workspace.
|
|
* Caches results per request to avoid N+1 queries.
|
|
*/
|
|
class WorkspaceCapabilityResolver
|
|
{
|
|
private array $resolvedMemberships = [];
|
|
|
|
private array $loggedDenials = [];
|
|
|
|
public function getRole(User $user, Workspace $workspace): ?WorkspaceRole
|
|
{
|
|
$membership = $this->getMembership($user, $workspace);
|
|
|
|
if ($membership === null) {
|
|
return null;
|
|
}
|
|
|
|
return WorkspaceRole::tryFrom($membership['role']);
|
|
}
|
|
|
|
public function can(User $user, Workspace $workspace, string $capability): bool
|
|
{
|
|
if (! Capabilities::isKnown($capability)) {
|
|
throw new \InvalidArgumentException("Unknown capability: {$capability}");
|
|
}
|
|
|
|
$role = $this->getRole($user, $workspace);
|
|
|
|
if ($role === null) {
|
|
$this->logDenial($user, $workspace, $capability);
|
|
|
|
return false;
|
|
}
|
|
|
|
$allowed = WorkspaceRoleCapabilityMap::hasCapability($role, $capability);
|
|
|
|
if (! $allowed) {
|
|
$this->logDenial($user, $workspace, $capability);
|
|
}
|
|
|
|
return $allowed;
|
|
}
|
|
|
|
public function isMember(User $user, Workspace $workspace): bool
|
|
{
|
|
return $this->getMembership($user, $workspace) !== null;
|
|
}
|
|
|
|
public function clearCache(): void
|
|
{
|
|
$this->resolvedMemberships = [];
|
|
}
|
|
|
|
private function logDenial(User $user, Workspace $workspace, string $capability): void
|
|
{
|
|
$key = implode(':', [(string) $user->getKey(), (string) $workspace->getKey(), $capability]);
|
|
|
|
if (isset($this->loggedDenials[$key])) {
|
|
return;
|
|
}
|
|
|
|
$this->loggedDenials[$key] = true;
|
|
|
|
Log::warning('rbac.workspace.denied', [
|
|
'capability' => $capability,
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'actor_user_id' => (int) $user->getKey(),
|
|
]);
|
|
}
|
|
|
|
private function getMembership(User $user, Workspace $workspace): ?array
|
|
{
|
|
$cacheKey = "workspace_membership_{$user->id}_{$workspace->id}";
|
|
|
|
if (! isset($this->resolvedMemberships[$cacheKey])) {
|
|
$membership = WorkspaceMembership::query()
|
|
->where('user_id', $user->id)
|
|
->where('workspace_id', $workspace->id)
|
|
->first(['role']);
|
|
|
|
$this->resolvedMemberships[$cacheKey] = $membership?->toArray();
|
|
}
|
|
|
|
return $this->resolvedMemberships[$cacheKey];
|
|
}
|
|
}
|