ahmido
6a86c5901a
Kontext / Ziel Diese PR standardisiert Tenant‑RBAC Enforcement in der Filament‑UI: statt ad-hoc Gate::*, abort_if/abort_unless und kopierten ->visible()/->disabled()‑Closures gibt es jetzt eine zentrale, wiederverwendbare Implementierung für Actions (Header/Table/Bulk). Links zur Spec: spec.md plan.md quickstart.md Was ist drin Neue zentrale Helper-API: UiEnforcement (Tenant-plane RBAC‑UX “source of truth” für Filament Actions) Standardisierte Tooltip-Texte und Context-DTO (UiTooltips, TenantAccessContext) Migration vieler tenant‑scoped Filament Action-Surfaces auf das Standardpattern (ohne ad-hoc Auth-Patterns) CI‑Guard (Test) gegen neue ad-hoc Patterns in app/Filament/**: verbietet Gate::allows/denies/check/authorize, use Illuminate\Support\Facades\Gate, abort_if/abort_unless Legacy-Allowlist ist aktuell leer (neue Verstöße failen sofort) RBAC-UX Semantik (konsequent & testbar) Non-member: UI Actions hidden (kein Tenant‑Leak); Execution wird blockiert (Filament hidden→disabled chain), Defense‑in‑depth enthält zusätzlich serverseitige Guards. Member ohne Capability: Action visible aber disabled + Standard-Tooltip; Execution wird blockiert (keine Side Effects). Member mit Capability: Action enabled und ausführbar. Destructive actions: über ->destructive() immer mit ->requiresConfirmation() + klare Warntexte (Execution bleibt über ->action(...)). Wichtig: In Filament v5 sind hidden/disabled Actions typischerweise “silently blocked” (200, keine Ausführung). Die Tests prüfen daher UI‑State + “no side effects”, nicht nur HTTP‑Statuscodes. Sicherheit / Scope Keine neuen DB-Tabellen, keine Migrations, keine Microsoft Graph Calls (DB‑only bei Render; kein outbound HTTP). Tenant Isolation bleibt Isolation‑Boundary (deny-as-not-found auf Tenant‑Ebene, Capability erst nach Membership). Kein Asset-Setup erforderlich; keine neuen Filament Assets. Compliance Notes (Repo-Regeln) Filament v5 / Livewire v4.0+ kompatibel. Keine Änderungen an Provider‑Registrierung (Laravel 11+/12: providers.php bleibt der Ort; hier unverändert). Global Search: keine gezielte Änderung am Global‑Search-Verhalten in dieser PR. Tests / Qualität Pest Feature/Unit Tests für Member/Non-member/Tooltip/Destructive/Regression‑Guard. Guard-Test: “No ad-hoc Filament auth patterns”. Full suite laut Tasks: vendor/bin/sail artisan test --compact → 837 passed, 5 skipped. Checklist: requirements.md vollständig (16/16). Review-Fokus API‑Usage in neuen/angepassten Filament Actions: UiEnforcement::forAction/forTableAction/forBulkAction(...)->requireCapability(...)->apply() Guard-Test soll “red” werden, sobald jemand neue ad-hoc Auth‑Patterns einführt (by design). Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #81
99 lines
3.3 KiB
PHP
99 lines
3.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* CI guard: prevent new ad-hoc auth patterns in Filament.
|
|
*
|
|
* Rationale:
|
|
* - We want UiEnforcement (and centralized RBAC services) to be the default.
|
|
* - Gate::allows/denies, abort_if/unless, and similar ad-hoc patterns tend to drift.
|
|
* - We allowlist legacy files so CI only fails on NEW violations.
|
|
*
|
|
* If you migrate a legacy file to UiEnforcement, remove it from the allowlist.
|
|
*/
|
|
describe('Filament auth guard (no new ad-hoc patterns)', function () {
|
|
it('fails if new files introduce forbidden auth patterns under app/Filament/**', function () {
|
|
$filamentDir = base_path('app/Filament');
|
|
|
|
expect(is_dir($filamentDir))->toBeTrue("Filament directory not found: {$filamentDir}");
|
|
|
|
/**
|
|
* Legacy allowlist: these files currently contain forbidden patterns.
|
|
*
|
|
* IMPORTANT:
|
|
* - Do NOT add new entries casually.
|
|
* - The goal is to shrink this list over time.
|
|
*
|
|
* Paths are workspace-relative (e.g. app/Filament/Resources/Foo.php).
|
|
*/
|
|
$legacyAllowlist = [
|
|
// Pages (page-level authorization or legacy patterns)
|
|
];
|
|
|
|
$patterns = [
|
|
// Gate facade usage
|
|
'/\\bGate::(allows|denies|check|authorize)\\b/',
|
|
'/^\\s*use\\s+Illuminate\\\\Support\\\\Facades\\\\Gate\\s*;\\s*$/m',
|
|
|
|
// Ad-hoc abort helpers
|
|
'/\\babort_(if|unless)\\s*\\(/',
|
|
];
|
|
|
|
$iterator = new RecursiveIteratorIterator(
|
|
new RecursiveDirectoryIterator($filamentDir, RecursiveDirectoryIterator::SKIP_DOTS)
|
|
);
|
|
|
|
/** @var array<string, array<int, string>> $violations */
|
|
$violations = [];
|
|
|
|
foreach ($iterator as $file) {
|
|
if ($file->getExtension() !== 'php') {
|
|
continue;
|
|
}
|
|
|
|
$absolutePath = $file->getPathname();
|
|
$relativePath = str_replace(base_path().DIRECTORY_SEPARATOR, '', $absolutePath);
|
|
$relativePath = str_replace(DIRECTORY_SEPARATOR, '/', $relativePath);
|
|
|
|
if (in_array($relativePath, $legacyAllowlist, true)) {
|
|
continue;
|
|
}
|
|
|
|
$content = file_get_contents($absolutePath);
|
|
if (! is_string($content)) {
|
|
continue;
|
|
}
|
|
|
|
$lines = preg_split('/\\R/', $content) ?: [];
|
|
|
|
foreach ($lines as $lineNumber => $line) {
|
|
foreach ($patterns as $pattern) {
|
|
if (preg_match($pattern, $line) === 1) {
|
|
$violations[$relativePath][] = ($lineNumber + 1).': '.trim($line);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($violations !== []) {
|
|
$messageLines = [
|
|
'Forbidden ad-hoc auth patterns detected in app/Filament/**.',
|
|
'Migrate to UiEnforcement (preferred) or add a justified temporary entry to the legacy allowlist.',
|
|
'',
|
|
];
|
|
|
|
foreach ($violations as $path => $hits) {
|
|
$messageLines[] = $path;
|
|
foreach ($hits as $hit) {
|
|
$messageLines[] = ' - '.$hit;
|
|
}
|
|
}
|
|
|
|
expect($violations)->toBeEmpty(implode("\n", $messageLines));
|
|
}
|
|
|
|
expect(true)->toBeTrue();
|
|
});
|
|
});
|