828e70fbe2
Phase 1 (additive, doesn't touch existing checks):
- Gate::before grants everything to holders of 'manage all' (the Admin role), robustly (returns true/null, never false; swallows missing-permission).
- New RolePermissionManager Livewire component + view at /admin/permissions: editable Roles x Permissions matrix (toggle saves instantly), create/delete roles, create/delete permissions. Admin role and 'manage all' are protected.
- Link to the screen from /admin/users header.

Roles are editable from the UI as chosen.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
35 lines
846 B
PHP
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Register any application services.
     */
    public function register(): void
    {
        //
    }

    /**
     * Bootstrap any application services.
     */
    public function boot(): void
    {
        // Super-admin bypass: anyone with the "manage all" permission
        // (the Admin role has it) passes every authorization check.
        // Return true to allow, or null to let normal checks run — never false.
        Gate::before(function ($user, $ability) {
            try {
                return $user->hasPermissionTo('manage all') ? true : null;
            } catch (\Throwable $e) {
                return null;
            }
        });
    }
}
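
Why the callback above returns `true` or `null` and never `false`, shown with a stand-alone model of before-callback resolution. This is an added example, not code from the commit: `MiniGate`, `lookup()`, the 'edit post' ability and the sample users are constructed for illustration and model only the rule that the first non-null result decides the check.

```php
<?php
// Simplified model of gate "before" resolution: the first callback result
// that is not null decides the check. All names here are constructed.
final class MiniGate
{
    private array $before = [];
    private array $abilities = [];
    public function before(callable $cb): void { $this->before[] = $cb; }
    public function define(string $name, callable $cb): void { $this->abilities[$name] = $cb; }

    public function allows(array $user, string $ability): bool
    {
        foreach ($this->before as $cb) {
            $result = $cb($user, $ability);
            if ($result !== null) {
                return (bool) $result; // true and false both end the check here
            }
        }
        // Every before-callback abstained: run the ordinary ability check.
        $check = $this->abilities[$ability] ?? null;
        return $check !== null && (bool) $check($user);
    }
}

// Stand-in for the permission lookup; throws when the permission is not seeded.
function lookup(array $user, string $permission, array $seeded): bool
{
    if (!in_array($permission, $seeded, true)) {
        throw new RuntimeException("no permission named '{$permission}'");
    }
    return in_array($permission, $user['permissions'], true);
}

function report(string $label, callable $before): void
{
    $gate = new MiniGate();
    $gate->define('edit post', fn (array $u) => in_array('edit post', $u['permissions'], true));
    $gate->before($before);
    foreach (['admin' => ['manage all'], 'editor' => ['edit post']] as $name => $perms) {
        $ok = $gate->allows(['permissions' => $perms], 'edit post');
        printf("%-18s %-6s => %s\n", $label, $name, $ok ? 'allowed' : 'denied');
    }
}

$seeded = ['manage all', 'edit post'];
report('true/null', fn ($u) => lookup($u, 'manage all', $seeded) ? true : null);
report('true/false', fn ($u) => lookup($u, 'manage all', $seeded)); // false short-circuits for non-admins
report('unseeded, caught', function ($u) {
    try { return lookup($u, 'manage all', ['edit post']) ? true : null; }
    catch (\Throwable $e) { return null; } // abstain on error, never grant
});
```

The third case is the "swallows missing-permission" path from the commit message: when the lookup throws, the bypass abstains, so the editor's ordinary check still runs and the bypass itself grants nothing.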