feat(permissions): admin role/permission matrix + Gate::before super-admin
Phase 1 (additive, doesn't touch existing checks): - Gate::before grants everything to holders of 'manage all' (the Admin role), robustly (returns true/null, never false; swallows missing-permission). - New RolePermissionManager Livewire component + view at /admin/permissions: editable Roles x Permissions matrix (toggle saves instantly), create/delete roles, create/delete permissions. Admin role and 'manage all' are protected. - Link to the screen from /admin/users header. Roles are editable from the UI as chosen. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,110 @@
|
||||
<?php
|
||||
|
||||
namespace App\Livewire;
|
||||
|
||||
use Livewire\Component;
|
||||
use Livewire\Attributes\Layout;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
use Spatie\Permission\Models\Role;
|
||||
use Spatie\Permission\Models\Permission;
|
||||
use Spatie\Permission\PermissionRegistrar;
|
||||
|
||||
#[Layout('layouts.app')]
|
||||
class RolePermissionManager extends Component
|
||||
{
|
||||
public string $newRole = '';
|
||||
public string $newPermission = '';
|
||||
|
||||
/** Roles that must not be deleted or stripped of core powers. */
|
||||
private const PROTECTED_ROLES = ['Admin'];
|
||||
private const CORE_PERMISSION = 'manage all';
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
abort_unless(Auth::user()?->can(self::CORE_PERMISSION), 403);
|
||||
}
|
||||
|
||||
private function flushCache(): void
|
||||
{
|
||||
app(PermissionRegistrar::class)->forgetCachedPermissions();
|
||||
}
|
||||
|
||||
public function togglePermission(int $roleId, string $permissionName): void
|
||||
{
|
||||
$role = Role::findOrFail($roleId);
|
||||
|
||||
if ($role->hasPermissionTo($permissionName)) {
|
||||
// Admin must always keep the core permission
|
||||
if ($role->name === 'Admin' && $permissionName === self::CORE_PERMISSION) {
|
||||
$this->dispatch('notify', "El rol Admin no puede perder '" . self::CORE_PERMISSION . "'.");
|
||||
return;
|
||||
}
|
||||
$role->revokePermissionTo($permissionName);
|
||||
} else {
|
||||
$role->givePermissionTo($permissionName);
|
||||
}
|
||||
|
||||
$this->flushCache();
|
||||
$this->dispatch('notify', 'Permisos actualizados');
|
||||
}
|
||||
|
||||
public function addRole(): void
|
||||
{
|
||||
$this->validate([
|
||||
'newRole' => 'required|string|max:50|unique:roles,name',
|
||||
], [], ['newRole' => 'nombre de rol']);
|
||||
|
||||
Role::create(['name' => trim($this->newRole)]);
|
||||
$this->newRole = '';
|
||||
$this->flushCache();
|
||||
$this->dispatch('notify', 'Rol creado');
|
||||
}
|
||||
|
||||
public function deleteRole(int $roleId): void
|
||||
{
|
||||
$role = Role::findOrFail($roleId);
|
||||
|
||||
if (in_array($role->name, self::PROTECTED_ROLES, true)) {
|
||||
$this->dispatch('notify', "El rol '{$role->name}' está protegido y no se puede borrar.");
|
||||
return;
|
||||
}
|
||||
|
||||
$role->delete();
|
||||
$this->flushCache();
|
||||
$this->dispatch('notify', 'Rol eliminado');
|
||||
}
|
||||
|
||||
public function addPermission(): void
|
||||
{
|
||||
$this->validate([
|
||||
'newPermission' => 'required|string|max:50|unique:permissions,name',
|
||||
], [], ['newPermission' => 'nombre de permiso']);
|
||||
|
||||
Permission::create(['name' => trim($this->newPermission)]);
|
||||
$this->newPermission = '';
|
||||
$this->flushCache();
|
||||
$this->dispatch('notify', 'Permiso creado');
|
||||
}
|
||||
|
||||
public function deletePermission(int $permissionId): void
|
||||
{
|
||||
$permission = Permission::findOrFail($permissionId);
|
||||
|
||||
if ($permission->name === self::CORE_PERMISSION) {
|
||||
$this->dispatch('notify', "El permiso '" . self::CORE_PERMISSION . "' está protegido y no se puede borrar.");
|
||||
return;
|
||||
}
|
||||
|
||||
$permission->delete();
|
||||
$this->flushCache();
|
||||
$this->dispatch('notify', 'Permiso eliminado');
|
||||
}
|
||||
|
||||
public function render()
|
||||
{
|
||||
return view('livewire.role-permission-manager', [
|
||||
'roles' => Role::with('permissions')->orderBy('name')->get(),
|
||||
'permissions' => Permission::orderBy('name')->get(),
|
||||
]);
|
||||
}
|
||||
}
|
||||
@@ -3,6 +3,7 @@
|
||||
namespace App\Providers;
|
||||
|
||||
use Illuminate\Support\ServiceProvider;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
|
||||
class AppServiceProvider extends ServiceProvider
|
||||
{
|
||||
@@ -19,6 +20,15 @@ class AppServiceProvider extends ServiceProvider
|
||||
*/
|
||||
public function boot(): void
|
||||
{
|
||||
//
|
||||
// Super-admin bypass: anyone with the "manage all" permission
|
||||
// (the Admin role has it) passes every authorization check.
|
||||
// Return true to allow, or null to let normal checks run — never false.
|
||||
Gate::before(function ($user, $ability) {
|
||||
try {
|
||||
return $user->hasPermissionTo('manage all') ? true : null;
|
||||
} catch (\Throwable $e) {
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user