javier/construprogress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba363e7e18c85f336524c25123beea390ff536ee
construprogress/app/Livewire/RoleForm.php
T
javier 13f36e8ec0 feat(authz): per-route permission gating for /admin (granular admin roles) 
Finishes Phase 2: the /admin route group no longer requires 'manage all'
globally. Each route is gated by its specific permission so a non-super-admin
role can be granted partial admin access:
- /admin/users (+show) -> can:view users; create -> can:create users;
  edit -> can:edit users
- /admin/roles, roles/*, permissions -> can:manage roles
- Aligned the role screens' mount checks (RoleForm/RoleView/RolePermissionManager)
  from 'manage all' to 'manage roles'.
- Nav 'Administrator' link now shows on can('view users').
Admins keep full access via Gate::before (manage all). Closure routes
(users/roles lists) are now protected at the route level.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:15:58 +02:00

67 lines
2.0 KiB
PHP
Raw Blame History

<?php
namespace App\Livewire;
use Livewire\Component;
use Livewire\Attributes\Layout;
use Illuminate\Support\Facades\Auth;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
#[Layout('layouts.app')]
class RoleForm extends Component
{
public ?Role $role = null;
public string $name = '';
public string $description = '';
private const PROTECTED_ROLES = ['Admin'];
private const CORE_PERMISSION = 'manage all';
public function mount(?Role $role = null): void
{
abort_unless(Auth::user()?->can('manage roles'), 403);
if ($role && $role->exists) {
$this->role = $role;
$this->name = $role->name;
$this->description = $role->description ?? '';
}
}
public function save()
{
$this->validate([
'name' => 'required|string|max:50|unique:roles,name' . ($this->role ? ',' . $this->role->id : ''),
'description' => 'nullable|string|max:255',
], [], ['name' => 'nombre', 'description' => 'descripción']);
if ($this->role) {
// Protected roles can't be renamed
if (! in_array($this->role->name, self::PROTECTED_ROLES, true)) {
$this->role->name = $this->name;
}
$this->role->description = $this->description ?: null;
$this->role->save();
} else {
Role::create([
'name' => $this->name,
'description' => $this->description ?: null,
]);
}
app(PermissionRegistrar::class)->forgetCachedPermissions();
session()->flash('message', 'Rol guardado correctamente.');
return $this->redirect(route('admin.roles'), navigate: true);
}
public function render()
{
return view('livewire.roles.role-form', [
'isProtected' => $this->role && in_array($this->role->name, self::PROTECTED_ROLES, true),
]);
}
}
Reference in New Issue View Git Blame Copy Permalink