javier/construprogress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(authz): Phase 2 — replace hasRole('Admin') with permission checks

Browse Source 
Permissions now actually govern access instead of the hard-coded Admin role:
- Super-admin bypass (see all projects / full access) -> can('manage all')
  in Project::scopeAccessibleBy, ProjectMap, ProjectDashboard, PhaseGantt,
  LayerManager, ProjectReportController.
- Redundant '|| hasRole(Admin)' fallbacks dropped (Gate::before already lets
  manage-all through can()): LayerManager (upload/delete layers), MediaManager
  (upload), ProjectMap (update progress), ProjectUsers/ProjectCompanies
  (assign users).
- Admin-only screens now gated by the matching permission: AdminUsers/UserView
  -> can('view users'), UserForm -> can('create users')|can('edit users'),
  CompanyView -> can('view companies').
- MediaManager delete: can('delete media') OR owner.
- Kept UserForm's domain guard (can't remove your own Admin role).

Note: the /admin route group still has middleware can:manage all, so admin
screens stay super-admin-only until that group is relaxed per-route.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Javier Braña
2026-06-17 19:10:23 +02:00
parent efccb67635
commit 8025fa6d05
13 changed files with 20 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/ProjectReportController.php
+1 -1
View File
@@ -10,7 +10,7 @@ class ProjectReportController extends Controller
public function show(Project $project)
{
$user = Auth::user();
if (!$user->hasRole('Admin') && !$project->users()->where('user_id', $user->id)->exists()) {
if (!$user->can('manage all') && !$project->users()->where('user_id', $user->id)->exists()) {
abort(403);
}
app/Livewire/AdminUsers.php
+1 -1
View File
@@ -14,7 +14,7 @@ class AdminUsers extends Component
public function mount(): void
{
if (!Auth::user()->hasRole('Admin')) abort(403);
abort_unless(Auth::user()->can('view users'), 403);
$this->roles = Role::orderBy('name')->get();
}
app/Livewire/CompanyView.php
+1 -1
View File
@@ -37,7 +37,7 @@ class CompanyView extends Component
public function mount(Company $company): void
{
if (!Auth::user()->hasRole('Admin')) abort(403);
abort_unless(Auth::user()->can('view companies'), 403);
$this->company = $company->load(['users.roles', 'projects.phases']);
$this->notes = $company->notes ?? '';
app/Livewire/LayerManager.php
+4 -4
View File
@@ -43,7 +43,7 @@ class LayerManager extends Component
if ($this->phase->project_id !== $this->project->id) abort(404);
$user = Auth::user();
if (!$user->hasRole('Admin') && !$project->users()->where('user_id', $user->id)->exists()) {
if (!$user->can('manage all') && !$project->users()->where('user_id', $user->id)->exists()) {
abort(403);
}
@@ -148,7 +148,7 @@ class LayerManager extends Component
public function importFile()
{
$user = Auth::user();
if (!$user->can('upload layers') && !$user->hasRole('Admin')) {
if (!$user->can('upload layers')) {
$this->dispatch('notify', 'Sin permisos para subir capas');
return;
}
@@ -228,7 +228,7 @@ class LayerManager extends Component
public function createEmptyLayer()
{
$user = Auth::user();
if (!$user->can('upload layers') && !$user->hasRole('Admin')) {
if (!$user->can('upload layers')) {
$this->dispatch('notify', 'Sin permisos para crear capas');
return;
}
@@ -308,7 +308,7 @@ class LayerManager extends Component
public function deleteLayer($layerId)
{
$user = Auth::user();
if (!$user->can('delete layers') && !$user->hasRole('Admin')) abort(403);
if (!$user->can('delete layers')) abort(403);
// Verify it belongs to this phase (prevents cross-project deletion)
$layer = Layer::where('id', $layerId)->where('phase_id', $this->phase->id)->first();
app/Livewire/MediaManager.php
+2 -2
View File
@@ -65,7 +65,7 @@ class MediaManager extends Component
public function upload()
{
$user = Auth::user();
if (!$user->can('upload layers') && !$user->hasRole('Admin')) {
if (!$user->can('upload layers')) {
session()->flash('error', 'Sin permisos.');
return;
}
@@ -130,7 +130,7 @@ class MediaManager extends Component
$media = Media::findOrFail($mediaId);
$user = Auth::user();
if (!$user->hasRole('Admin') && $media->uploaded_by !== $user->id) {
if (!$user->can('delete media') && $media->uploaded_by !== $user->id) {
session()->flash('error', 'No puedes borrar archivos de otro usuario.');
return;
}
app/Livewire/PhaseGantt.php
+1 -1
View File
@@ -14,7 +14,7 @@ class PhaseGantt extends Component
public function mount(Project $project)
{
$user = Auth::user();
if (!$user->hasRole('Admin') && !$project->users()->where('user_id', $user->id)->exists()) {
if (!$user->can('manage all') && !$project->users()->where('user_id', $user->id)->exists()) {
abort(403);
}
$this->project = $project;
app/Livewire/ProjectCompanies.php
+2 -2
View File
@@ -31,7 +31,7 @@ class ProjectCompanies extends Component
public function assignCompany()
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'No tienes permisos para asignar compañías.');
return;
}
@@ -53,7 +53,7 @@ class ProjectCompanies extends Component
public function removeCompany($companyId)
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'Sin permisos.');
return;
}
app/Livewire/ProjectDashboard.php
+1 -1
View File
@@ -34,7 +34,7 @@ class ProjectDashboard extends Component
private function checkAccess(): void
{
$user = Auth::user();
if ($user->hasRole('Admin')) return;
if ($user->can('manage all')) return;
if (!$this->project->users()->where('user_id', $user->id)->exists()) abort(403);
}
app/Livewire/ProjectMap.php
+2 -2
View File
@@ -96,7 +96,7 @@ class ProjectMap extends Component
private function authorizeProjectAccess(): void
{
$user = Auth::user();
if ($user->hasRole('Admin')) return;
if ($user->can('manage all')) return;
if (!$this->project->users()->where('user_id', $user->id)->exists()) abort(403);
}
@@ -184,7 +184,7 @@ class ProjectMap extends Component
{
$feature = Feature::with('layer.phase')->findOrFail($featureId);
$user = Auth::user();
if (!$user->can('update progress') && !$user->hasRole('Admin')) {
if (!$user->can('update progress')) {
$this->dispatch('notify', 'Sin permisos');
return;
}
app/Livewire/ProjectUsers.php
+2 -2
View File
@@ -31,7 +31,7 @@ class ProjectUsers extends Component
public function assignUser()
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'No tienes permisos para asignar usuarios.');
return;
}
@@ -53,7 +53,7 @@ class ProjectUsers extends Component
public function removeUser($userId)
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'Sin permisos.');
return;
}
app/Livewire/UserForm.php
+1 -1
View File
@@ -45,7 +45,7 @@ class UserForm extends Component
public function mount(?User $user = null): void
{
if (!Auth::user()->hasRole('Admin')) abort(403);
abort_unless(Auth::user()->can('create users') || Auth::user()->can('edit users'), 403);
$this->roles = Role::orderBy('name')->get();
$this->companies = Company::where('estado', 'activo')->orderBy('name')->get();
app/Livewire/UserView.php
+1 -1
View File
@@ -33,7 +33,7 @@ class UserView extends Component
public function mount(User $user): void
{
if (!Auth::user()->hasRole('Admin')) abort(403);
abort_unless(Auth::user()->can('view users'), 403);
$this->user = $user->load(['roles', 'company', 'projects.phases']);
$this->notes = $user->notes ?? '';
app/Models/Project.php
+1 -1
View File
@@ -66,7 +66,7 @@ class Project extends Model
// Scope to filter accessible projects for non-admin users
public function scopeAccessibleBy($query, User $user)
{
if ($user->hasRole('Admin')) {
if ($user->can('manage all')) {
return $query;
}
return $query->whereHas('users', function ($q) use ($user) {