feat(authz): per-route permission gating for /admin (granular admin roles)
Finishes Phase 2: the /admin route group no longer requires 'manage all'
globally. Each route is gated by its specific permission so a non-super-admin
role can be granted partial admin access:
- /admin/users (+show) -> can:view users; create -> can:create users;
edit -> can:edit users
- /admin/roles, roles/*, permissions -> can:manage roles
- Aligned the role screens' mount checks (RoleForm/RoleView/RolePermissionManager)
from 'manage all' to 'manage roles'.
- Nav 'Administrator' link now shows on can('view users').
Admins keep full access via Gate::before (manage all). Closure routes
(users/roles lists) are now protected at the route level.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -23,7 +23,7 @@ class RoleView extends Component
|
||||
|
||||
public function mount(Role $role): void
|
||||
{
|
||||
abort_unless(Auth::user()?->can(self::CORE_PERMISSION), 403);
|
||||
abort_unless(Auth::user()?->can('manage roles'), 403);
|
||||
$this->role = $role;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user