ahmido
d1a9989037
Implementiert Feature 066: “RBAC UI Enforcement Helper v2” inkl. Migration der betroffenen Filament-Surfaces + Regression-Tests. Was ist drin Neuer Helper: UiEnforcement.php: mixed visibility (preserveVisibility, andVisibleWhen, andHiddenWhen), tenant resolver (tenantFromFilament, tenantFromRecord, tenantFrom(callable)), bulk preflight (preflightByCapability, preflightByTenantMembership, preflightSelection) + server-side authorizeOrAbort() / authorizeBulkSelectionOrAbort(). UiTooltips.php: standard Tooltip “Insufficient permission — ask a tenant Owner.” Filament migrations (weg von Gate::… / abort_* hin zu UiEnforcement): Backup/Restore (mixed visibility) TenantResource (record-scoped tenant actions + bulk preflight) Inventory/Entra/ProviderConnections (Tier-2 surfaces) Guardrails: NoAdHocFilamentAuthPatternsTest.php als CI-failing allowlist guard für app/Filament/**. Verhalten / Contract Non-member: deny-as-not-found (404) auf tenant routes; Actions hidden. Member ohne Capability: Action visible but disabled + standard tooltip; keine Ausführung. Member mit Capability: Action enabled; destructive/high-impact Actions bleiben confirmation-gated (->requiresConfirmation()). Server-side Enforcement bleibt vorhanden: Mutations/Operations rufen authorizeOrAbort() / authorizeBulkSelectionOrAbort(). Tests Neue/erweiterte Feature-Tests für RBAC UX inkl. Http::preventStrayRequests() (DB-only render): BackupSetUiEnforcementTest.php RestoreRunUiEnforcementTest.php ProviderConnectionsUiEnforcementTest.php diverse bestehende Filament Tests erweitert (Inventory/Entra/Tenant actions/bulk) Unit-Tests: UiEnforcementTest.php UiEnforcementBulkPreflightQueryCountTest.php Verification vendor/bin/sail bin pint --dirty ✅ vendor/bin/sail artisan test --compact tests/Unit/Auth tests/Feature/Filament tests/Feature/Guards tests/Feature/Rbac ✅ (185 passed, 5 skipped) Notes für Reviewer Filament v5 / Livewire v4 compliant. Destructive actions: weiterhin ->requiresConfirmation() + server-side auth. Bulk: authorization preflight ist set-based (Query-count test vorhanden). Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #83
37 lines
1.1 KiB
PHP
37 lines
1.1 KiB
PHP
<?php
|
|
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Auth\UiEnforcement;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\DB;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('preflights bulk selections with a set-based tenant_memberships query (no N+1)', function () {
|
|
$tenants = Tenant::factory()->count(25)->create();
|
|
[$user] = createUserWithTenant($tenants->first(), role: 'owner');
|
|
|
|
foreach ($tenants->slice(1) as $tenant) {
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => ['role' => 'owner'],
|
|
]);
|
|
}
|
|
|
|
$enforcement = UiEnforcement::for(Capabilities::TENANT_SYNC)
|
|
->tenantFromRecord()
|
|
->preflightByCapability();
|
|
|
|
$membershipQueries = 0;
|
|
|
|
DB::listen(function ($query) use (&$membershipQueries): void {
|
|
if (str_contains($query->sql, 'tenant_memberships')) {
|
|
$membershipQueries++;
|
|
}
|
|
});
|
|
|
|
expect($enforcement->bulkSelectionIsAuthorized($user, $tenants))->toBeTrue();
|
|
expect($membershipQueries)->toBe(1);
|
|
});
|
|
|