Implements platform feature branch `285-workspace-rbac-environment-access`. Summary: - switch managed environment authorization to workspace-first role resolution with explicit environment-scope narrowing - rewire Filament pages, resources, policies, and user tenant access helpers to the shared access-scope resolver - add Spec 285 coverage across unit, feature, and browser tests plus full spec artifacts Validation: - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceFirstCapabilityResolverTest.php tests/Unit/Auth/ManagedEnvironmentAccessScopeResolverTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Filament/WorkspaceMembershipRoleManagementTest.php tests/Feature/Rbac/GovernanceArtifactsWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php tests/Feature/ProviderConnections/ProviderConnectionHealthCheckStartSurfaceTest.php tests/Feature/Tenants/TenantProviderBackedActionStartTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Audit/TenantMembershipAuditLogTest.php tests/Feature/Filament/TenantMembersTest.php tests/Feature/TenantRBAC/TenantMembershipCrudTest.php tests/Feature/TenantRBAC/TenantSwitcherScopeTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` Target branch: `platform-dev`. Follow-up integration path after merge: - `platform-dev` -> `dev`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #344
<?php
declare(strict_types=1);
namespace App\Services\Auth;
/**
 * Immutable outcome of a managed-environment access check.
 *
 * Presumably produced by the access-scope resolver named in the commit summary
 * and consumed by callers that need both the yes/no answer (`allowed()`) and,
 * on denial, which HTTP status to surface.
 *
 * Property notes (all write-once via the constructor):
 *  - $workspaceMember / $workspaceRole: the membership the resolver recorded for
 *    $userId in $workspaceId; the role is nullable.
 *  - $explicitScopeRowsPresent: whether explicit environment-scope rows were
 *    present; carried with the decision but not read by `allowed()`.
 *  - $managedEnvironmentAllowed: outcome of the environment-scope boundary.
 *  - $failedBoundary / $requiredCapability / $capabilityAllowed: which boundary
 *    denied (if any) and the capability that was checked; $capabilityAllowed
 *    defaults to true so decisions without a capability check still pass.
 *  - $denialHttpStatus: status a caller should respond with on denial.
 *    NOTE(review): presumably 404 when the user must not learn that the
 *    environment exists and 403 when they may — confirm against the resolver.
 */
final readonly class ManagedEnvironmentAccessDecision
{
    public function __construct(
        public int $workspaceId,
        public int $managedEnvironmentId,
        public int $userId,
        public bool $workspaceMember,
        public ?string $workspaceRole,
        public bool $explicitScopeRowsPresent,
        public bool $managedEnvironmentAllowed,
        public ?string $failedBoundary = null,
        public ?string $requiredCapability = null,
        public bool $capabilityAllowed = true,
        public ?int $denialHttpStatus = null,
    ) {}

    /**
     * Access is granted only when every boundary passed: workspace membership,
     * environment scope, and the capability check (which defaults to passed).
     */
    public function allowed(): bool
    {
        $anyBoundaryFailed = ! $this->workspaceMember
            || ! $this->managedEnvironmentAllowed
            || ! $this->capabilityAllowed;

        return ! $anyBoundaryFailed;
    }

    /** True when the caller should answer the denial with 404 Not Found. */
    public function shouldDenyAsNotFound(): bool
    {
        return $this->deniesWithStatus(404);
    }

    /** True when the caller should answer the denial with 403 Forbidden. */
    public function shouldDenyAsForbidden(): bool
    {
        return $this->deniesWithStatus(403);
    }

    /** Strict comparison, so a null (no-denial) status never matches a real one. */
    private function deniesWithStatus(int $status): bool
    {
        return $this->denialHttpStatus === $status;
    }
}