ahmido
210cf5ce8b
Implements 064-auth-structure (Auth Structure v1.0): Adds platform_users + PlatformUser identity (factory + seeder) for platform operators Introduces platform auth guard/provider in auth.php Adds a dedicated Filament v5 System panel at system using guard platform (custom login + dashboard) Enforces strict cross-scope isolation between /admin and system (deny-as-404) Adds platform capability gating (platform.access_system_panel, platform.use_break_glass) + gates in AuthServiceProvider Implements audited break-glass mode (enter/exit/expire), banner via render hook, feature flag + TTL config Removes legacy users.is_platform_superadmin runtime usage and adds an architecture test to prevent regressions Updates tenant membership pivot usage where needed (tenant_memberships) Testing: vendor/bin/sail artisan test --compact tests/Feature/Auth (28 passed) vendor/bin/sail bin pint --dirty Notes: Filament v5 / Livewire v4 compatible. Panel providers registered in providers.php. Destructive actions use ->action(...) + ->requiresConfirmation() where applicable. Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #77
83 lines
2.0 KiB
PHP
83 lines
2.0 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantMembership;
|
|
use App\Models\User;
|
|
use App\Support\TenantRole;
|
|
|
|
/**
|
|
* Capability Resolver
|
|
*
|
|
* Resolves user memberships and capabilities for a given tenant.
|
|
* Caches results per request to avoid N+1 queries.
|
|
*/
|
|
class CapabilityResolver
|
|
{
|
|
private array $resolvedMemberships = [];
|
|
|
|
/**
|
|
* Get the user's role for a tenant
|
|
*/
|
|
public function getRole(User $user, Tenant $tenant): ?TenantRole
|
|
{
|
|
$membership = $this->getMembership($user, $tenant);
|
|
|
|
if ($membership === null) {
|
|
return null;
|
|
}
|
|
|
|
return TenantRole::tryFrom($membership['role']);
|
|
}
|
|
|
|
/**
|
|
* Check if user can perform a capability on a tenant
|
|
*/
|
|
public function can(User $user, Tenant $tenant, string $capability): bool
|
|
{
|
|
$role = $this->getRole($user, $tenant);
|
|
|
|
if ($role === null) {
|
|
return false;
|
|
}
|
|
|
|
return RoleCapabilityMap::hasCapability($role, $capability);
|
|
}
|
|
|
|
/**
|
|
* Check if user has any membership for a tenant
|
|
*/
|
|
public function isMember(User $user, Tenant $tenant): bool
|
|
{
|
|
return $this->getMembership($user, $tenant) !== null;
|
|
}
|
|
|
|
/**
|
|
* Get membership details (cached per request)
|
|
*/
|
|
private function getMembership(User $user, Tenant $tenant): ?array
|
|
{
|
|
$cacheKey = "membership_{$user->id}_{$tenant->id}";
|
|
|
|
if (! isset($this->resolvedMemberships[$cacheKey])) {
|
|
$membership = TenantMembership::query()
|
|
->where('user_id', $user->id)
|
|
->where('tenant_id', $tenant->id)
|
|
->first(['role', 'source', 'source_ref']);
|
|
|
|
$this->resolvedMemberships[$cacheKey] = $membership?->toArray();
|
|
}
|
|
|
|
return $this->resolvedMemberships[$cacheKey];
|
|
}
|
|
|
|
/**
|
|
* Clear cached memberships (useful for testing or after membership changes)
|
|
*/
|
|
public function clearCache(): void
|
|
{
|
|
$this->resolvedMemberships = [];
|
|
}
|
|
}
|