ahmido
a4f2629493
## Summary - add the tenant review domain with tenant-scoped review library, canonical workspace review register, lifecycle actions, and review-derived executive pack export - extend review pack, operations, audit, capability, and badge infrastructure to support review composition, publication, export, and recurring review cycles - add product backlog and audit documentation updates for tenant review and semantic-clarity follow-up candidates ## Testing - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact --filter="TenantReview"` - `CI=1 vendor/bin/sail artisan test --compact` ## Notes - Livewire v4+ compliant via existing Filament v5 stack - panel providers remain in `bootstrap/providers.php` via existing Laravel 12 structure; no provider registration moved to `bootstrap/app.php` - `TenantReviewResource` is not globally searchable, so the Filament edit/view global-search constraint does not apply - destructive review actions use action handlers with confirmation and policy enforcement Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #185
53 lines
2.0 KiB
PHP
53 lines
2.0 KiB
PHP
<?php
|
|
|
|
namespace App\Support\Operations;
|
|
|
|
use App\Support\Auth\Capabilities;
|
|
|
|
final class OperationRunCapabilityResolver
|
|
{
|
|
public function requiredCapabilityForType(string $operationType): ?string
|
|
{
|
|
$operationType = trim($operationType);
|
|
|
|
if ($operationType === '') {
|
|
return null;
|
|
}
|
|
|
|
return match ($operationType) {
|
|
'inventory_sync' => Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
'entra_group_sync' => Capabilities::TENANT_SYNC,
|
|
'backup_schedule_run', 'backup_schedule_retention', 'backup_schedule_purge' => Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
'restore.execute' => Capabilities::TENANT_MANAGE,
|
|
'directory_role_definitions.sync' => Capabilities::TENANT_MANAGE,
|
|
'alerts.evaluate', 'alerts.deliver' => Capabilities::ALERTS_VIEW,
|
|
'tenant.review.compose' => Capabilities::TENANT_REVIEW_VIEW,
|
|
|
|
// Viewing verification reports should be possible for readonly members.
|
|
// Starting verification is separately guarded by the verification service.
|
|
'provider.connection.check' => Capabilities::PROVIDER_VIEW,
|
|
|
|
// Keep legacy / unknown types viewable by membership+entitlement only.
|
|
default => null,
|
|
};
|
|
}
|
|
|
|
public function requiredExecutionCapabilityForType(string $operationType): ?string
|
|
{
|
|
$operationType = trim($operationType);
|
|
|
|
if ($operationType === '') {
|
|
return null;
|
|
}
|
|
|
|
return match ($operationType) {
|
|
'provider.connection.check', 'provider.inventory.sync', 'provider.compliance.snapshot' => Capabilities::PROVIDER_RUN,
|
|
'policy.sync', 'policy.sync_one', 'tenant.sync' => Capabilities::TENANT_SYNC,
|
|
'policy.delete' => Capabilities::TENANT_MANAGE,
|
|
'assignments.restore', 'restore.execute' => Capabilities::TENANT_MANAGE,
|
|
'tenant.review.compose' => Capabilities::TENANT_REVIEW_MANAGE,
|
|
default => $this->requiredCapabilityForType($operationType),
|
|
};
|
|
}
|
|
}
|