ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
eef85af990
TenantAtlas/app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php
ahmido eef85af990 062-tenant-rbac-v1 (#74) 
Kurzbeschreibung

Implementiert Tenant RBAC v1 (specs/062-tenant-rbac-v1): tenant_memberships, Capability registry/resolver, gates, Filament RelationManager für Tenant→Members, Last‑Owner‑Guard, bootstrap assign/recover (break‑glass), Audit-Logging.
Wichtige Änderungen

Migration: create_tenant_memberships_table (T004) — ausgeführt
Models/Services: TenantMembership, Capabilities, RoleCapabilityMap, CapabilityResolver (T008–T013)
Auth: Gates registriert in AuthServiceProvider.php (T011)
Filament: RelationManager unter Settings → Tenants (Members CRUD + Last‑Owner‑Guard) (T017–T018)
Break‑glass: lokale platform superadmin + persistent banner + bootstrap_recover action (T024–T026)
Audit: Audit‑Einträge für membership actions mit canonical action_ids (T022)
Tests: neue/aktualisierte Feature- und Unit‑Tests (siehe Test‑Abschnitt)
Migrations / Deploy

Run migrations: vendor/bin/sail artisan migrate
Keine neuen Panel‑Assets registriert (kein php artisan filament:assets nötig)
Wenn Frontend nicht sichtbar: vendor/bin/sail npm run dev oder vendor/bin/sail npm run build
Tests (geprüft / neu)

Fokus-Suite ausgeführt für Tenant RBAC (T031).
Neu / aktualisiert:
CapabilitiesRegistryTest
CapabilityResolverTest
TenantSwitcherScopeTest
TenantRouteDenyAsNotFoundTest
TenantMembershipCrudTest
LastOwnerGuardTest
TenantBootstrapAssignTest
MembershipAuditLogTest
BreakGlassRecoveryTest
Befehl zum lokalen Ausführen (minimal): vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure
Filament / Sicherheits‑Contract (erforderliche Punkte)

Livewire v4.0+ compliance: bestätigt (Filament v5 target).
Provider registration: keine neue Panel‑Provider-Änderung; falls nötig: providers.php (Laravel 11+).
Globale Suche: keine neuen Ressourcen für Global Search hinzugefügt; vorhandene Ressourcen behalten Edit/View‑Pages unverändert.
Destructive actions: tenant_membership.remove und role‑demote sind destruktive — implemented via Action::make(...)->action(...)->requiresConfirmation() + policy checks.
Asset strategy: keine globalen Assets; on‑demand/load as before. Deployment: filament:assets nicht erforderlich für diese PR.
Testing plan: Livewire/Filament Komponenten + actions abgedeckt — RelationManager CRUD, Last‑Owner‑Guard, BreakGlassRecovery, CapabilityResolver/Registry, Tenant switcher + deny‑as‑not‑found route tests.
Offene/optionale Punkte

T005/T028/T029 (tenant_role_mappings migration + UI + Tests) sind optional und noch nicht umgesetzt.
Checklist (aus tasks.md)

 T001–T003 Discovery
 T004, T006–T007 Migrations (T005 optional)
 T008–T013 Models/Capabilities/Gates
 T014–T016 Tenant isolation & route enforcement
 T017–T021 Membership UI + bootstrap flows
 T022–T023 Audit logging + tests
 T024–T027 Break‑glass flows & tests
 T005, T028, T029 Optional mappings
 T030–T031 Formatting + focused tests
Migration / Test commands to run locally

vendor/bin/sail up -d
vendor/bin/sail artisan migrate
vendor/bin/sail artisan tinker (falls manuell Benutzer/Flags setzen)
vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure
Wenn du einen PR‑Titel und Labels willst, schlage ich vor:

Title: feat(062): Tenant RBAC v1 — memberships, capability resolver, break‑glass recovery
Labels: feature, tests, migration

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #74
2026-01-25 15:27:39 +00:00

225 lines
8.9 KiB
PHP
Raw Blame History

<?php
namespace App\Filament\Resources\TenantResource\RelationManagers;
use App\Models\Tenant;
use App\Models\TenantMembership;
use App\Models\User;
use App\Services\Auth\TenantMembershipManager;
use App\Support\TenantRole;
use Filament\Actions;
use Filament\Forms;
use Filament\Notifications\Notification;
use Filament\Resources\RelationManagers\RelationManager;
use Filament\Tables;
use Filament\Tables\Table;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Support\Facades\Gate;
class TenantMembershipsRelationManager extends RelationManager
{
protected static string $relationship = 'memberships';
public function table(Table $table): Table
{
return $table
->modifyQueryUsing(fn (Builder $query) => $query->with('user'))
->columns([
Tables\Columns\TextColumn::make('user.name')
->label('User')
->searchable(),
Tables\Columns\TextColumn::make('user.email')
->label('Email')
->toggleable(isToggledHiddenByDefault: true),
Tables\Columns\TextColumn::make('role')
->badge()
->sortable(),
Tables\Columns\TextColumn::make('source')
->badge()
->toggleable(isToggledHiddenByDefault: true),
Tables\Columns\TextColumn::make('created_at')->since(),
])
->headerActions([
Actions\Action::make('add_member')
->label('Add member')
->icon('heroicon-o-plus')
->visible(function (): bool {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
return false;
}
return Gate::allows('tenant_membership.manage', $tenant);
})
->form([
Forms\Components\Select::make('user_id')
->label('User')
->required()
->searchable()
->options(fn () => User::query()->orderBy('name')->pluck('name', 'id')->all()),
Forms\Components\Select::make('role')
->label('Role')
->required()
->options([
TenantRole::Owner->value => 'Owner',
TenantRole::Manager->value => 'Manager',
TenantRole::Operator->value => 'Operator',
TenantRole::Readonly->value => 'Readonly',
]),
])
->action(function (array $data, TenantMembershipManager $manager): void {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
abort(404);
}
$actor = auth()->user();
if (! $actor instanceof User) {
abort(403);
}
if (! Gate::allows('tenant_membership.manage', $tenant)) {
abort(403);
}
$member = User::query()->find((int) $data['user_id']);
if (! $member) {
Notification::make()->title('User not found')->danger()->send();
return;
}
try {
$manager->addMember(
tenant: $tenant,
actor: $actor,
member: $member,
role: TenantRole::from((string) $data['role']),
source: 'manual',
);
} catch (\Throwable $throwable) {
Notification::make()
->title('Failed to add member')
->body($throwable->getMessage())
->danger()
->send();
return;
}
Notification::make()->title('Member added')->success()->send();
$this->resetTable();
}),
])
->actions([
Actions\Action::make('change_role')
->label('Change role')
->icon('heroicon-o-pencil')
->visible(function (): bool {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
return false;
}
return Gate::allows('tenant_membership.manage', $tenant);
})
->form([
Forms\Components\Select::make('role')
->label('Role')
->required()
->options([
TenantRole::Owner->value => 'Owner',
TenantRole::Manager->value => 'Manager',
TenantRole::Operator->value => 'Operator',
TenantRole::Readonly->value => 'Readonly',
]),
])
->action(function (TenantMembership $record, array $data, TenantMembershipManager $manager): void {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
abort(404);
}
$actor = auth()->user();
if (! $actor instanceof User) {
abort(403);
}
if (! Gate::allows('tenant_membership.manage', $tenant)) {
abort(403);
}
try {
$manager->changeRole(
tenant: $tenant,
actor: $actor,
membership: $record,
newRole: TenantRole::from((string) $data['role']),
);
} catch (\Throwable $throwable) {
Notification::make()
->title('Failed to change role')
->body($throwable->getMessage())
->danger()
->send();
return;
}
Notification::make()->title('Role updated')->success()->send();
$this->resetTable();
}),
Actions\Action::make('remove')
->label('Remove')
->color('danger')
->icon('heroicon-o-x-mark')
->requiresConfirmation()
->visible(function (): bool {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
return false;
}
return Gate::allows('tenant_membership.manage', $tenant);
})
->action(function (TenantMembership $record, TenantMembershipManager $manager): void {
$tenant = $this->getOwnerRecord();
if (! $tenant instanceof Tenant) {
abort(404);
}
$actor = auth()->user();
if (! $actor instanceof User) {
abort(403);
}
if (! Gate::allows('tenant_membership.manage', $tenant)) {
abort(403);
}
try {
$manager->removeMember($tenant, $actor, $record);
} catch (\Throwable $throwable) {
Notification::make()
->title('Failed to remove member')
->body($throwable->getMessage())
->danger()
->send();
return;
}
Notification::make()->title('Member removed')->success()->send();
$this->resetTable();
}),
])
->bulkActions([]);
}
}
Reference in New Issue View Git Blame Copy Permalink