Admin Roles (#502)

* add spatie/permissions * add policies * add role resource * add root admin role handling * replace some "root_admin" with function * add model specific permissions * make permission selection nicer * fix user creation * fix tests * add back subuser checks in server policy * add custom model for role * assign new users to role if root_admin is set * add api for roles * fix phpstan * add permissions for settings page * remove "restore" and "forceDelete" permissions * add user count to list * prevent deletion if role has users * update user list * fix server policy * remove old `root_admin` column * small refactor * fix tests * forgot can checks here * forgot use * disable editing own roles & disable assigning root admin * don't allow to rename root admin role * remove php bombing exception handler * fix role assignment when creating a user * fix disableOptionWhen * fix missing `root_admin` attribute on react frontend * add permission check for bulk delete * rename viewAny to viewList * improve canAccessPanel check * fix admin not displaying for non-root admins * make sure non root admins can't edit root admins * fix import * fix settings page permission check * fix server permissions for non-subusers * fix settings page permission check v2 * small cleanup * cleanup config file * move consts from resouce into enum & model * Update database/migrations/2024_08_01_114538_remove_root_admin_column.php Co-authored-by: Lance Pioch <lancepioch@gmail.com> * fix config * fix phpstan * fix phpstan 2.0 --------- Co-authored-by: Lance Pioch <lancepioch@gmail.com>
pelican-dev · Sep 21, 2024 · fc643f5 · fc643f5
1 parent 68a0cbb
commit fc643f5
Show file tree

Hide file tree

Showing 81 changed files with 1,336 additions and 220 deletions.
diff --git a/app/Console/Commands/User/MakeUserCommand.php b/app/Console/Commands/User/MakeUserCommand.php
@@ -52,7 +52,7 @@ public function handle(): int
             ['UUID', $user->uuid],
             ['Email', $user->email],
             ['Username', $user->username],
-            ['Admin', $user->root_admin ? 'Yes' : 'No'],
+            ['Admin', $user->isRootAdmin() ? 'Yes' : 'No'],
         ]);
 
         return 0;

diff --git a/app/Enums/RolePermissionModels.php b/app/Enums/RolePermissionModels.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Enums;
+
+enum RolePermissionModels: string
+{
+    case ApiKey = 'apikey';
+    case DatabaseHost = 'databasehost';
+    case Database = 'database';
+    case Egg = 'egg';
+    case Mount = 'mount';
+    case Node = 'node';
+    case Role = 'role';
+    case Server = 'server';
+    case User = 'user';
+}
diff --git a/app/Enums/RolePermissionPrefixes.php b/app/Enums/RolePermissionPrefixes.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace App\Enums;
+
+enum RolePermissionPrefixes: string
+{
+    case ViewAny = 'viewList';
+    case View = 'view';
+    case Create = 'create';
+    case Update = 'update';
+    case Delete = 'delete';
+}
diff --git a/app/Filament/Pages/Settings.php b/app/Filament/Pages/Settings.php
@@ -49,12 +49,18 @@ public function mount(): void
         $this->form->fill();
     }
 
+    public static function canAccess(): bool
+    {
+        return auth()->user()->can('view settings');
+    }
+
     protected function getFormSchema(): array
     {
         return [
             Tabs::make('Tabs')
                 ->columns()
                 ->persistTabInQueryString()
+                ->disabled(fn () => !auth()->user()->can('update settings'))
                 ->tabs([
                     Tab::make('general')
                         ->label('General')
@@ -147,10 +153,12 @@ private function generalSettings(): array
                         ->color('danger')
                         ->icon('tabler-trash')
                         ->requiresConfirmation()
+                        ->authorize(fn () => auth()->user()->can('update settings'))
                         ->action(fn (Set $set) => $set('TRUSTED_PROXIES', [])),
                     FormAction::make('cloudflare')
                         ->label('Set to Cloudflare IPs')
                         ->icon('tabler-brand-cloudflare')
+                        ->authorize(fn () => auth()->user()->can('update settings'))
                         ->action(fn (Set $set) => $set('TRUSTED_PROXIES', [
                             '173.245.48.0/20',
                             '103.21.244.0/22',
@@ -226,6 +234,7 @@ private function mailSettings(): array
                         ->label('Send Test Mail')
                         ->icon('tabler-send')
                         ->hidden(fn (Get $get) => $get('MAIL_MAILER') === 'log')
+                        ->authorize(fn () => auth()->user()->can('update settings'))
                         ->action(function () {
                             try {
                                 MailNotification::route('mail', auth()->user()->email)
@@ -561,12 +570,9 @@ protected function getHeaderActions(): array
         return [
             Action::make('save')
                 ->action('save')
+                ->authorize(fn () => auth()->user()->can('update settings'))
                 ->keyBindings(['mod+s']),
         ];
 
     }
-    protected function getFormActions(): array
-    {
-        return [];
-    }
 }
diff --git a/app/Filament/Resources/DatabaseHostResource/Pages/ListDatabaseHosts.php b/app/Filament/Resources/DatabaseHostResource/Pages/ListDatabaseHosts.php
@@ -42,7 +42,8 @@ public function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete databasehost')),
                 ]),
             ]);
     }

diff --git a/app/Filament/Resources/DatabaseResource/Pages/ListDatabases.php b/app/Filament/Resources/DatabaseResource/Pages/ListDatabases.php
@@ -4,10 +4,10 @@
 
 use App\Filament\Resources\DatabaseResource;
 use Filament\Actions;
-use Filament\Tables\Actions\EditAction;
 use Filament\Resources\Pages\ListRecords;
 use Filament\Tables\Actions\BulkActionGroup;
 use Filament\Tables\Actions\DeleteBulkAction;
+use Filament\Tables\Actions\EditAction;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
 
@@ -48,7 +48,8 @@ public function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete database')),
                 ]),
             ]);
     }

diff --git a/app/Filament/Resources/EggResource/Pages/EditEgg.php b/app/Filament/Resources/EggResource/Pages/EditEgg.php
@@ -2,12 +2,15 @@
 
 namespace App\Filament\Resources\EggResource\Pages;
 
+use AbdelhamidErrahmouni\FilamentMonacoEditor\MonacoEditor;
 use App\Filament\Resources\EggResource;
 use App\Filament\Resources\EggResource\RelationManagers\ServersRelationManager;
 use App\Models\Egg;
+use App\Services\Eggs\Sharing\EggExporterService;
 use App\Services\Eggs\Sharing\EggImporterService;
 use Exception;
 use Filament\Actions;
+use Filament\Forms;
 use Filament\Forms\Components\Checkbox;
 use Filament\Forms\Components\Fieldset;
 use Filament\Forms\Components\FileUpload;
@@ -22,12 +25,9 @@
 use Filament\Forms\Components\Textarea;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
+use Filament\Forms\Form;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\EditRecord;
-use AbdelhamidErrahmouni\FilamentMonacoEditor\MonacoEditor;
-use App\Services\Eggs\Sharing\EggExporterService;
-use Filament\Forms;
-use Filament\Forms\Form;
 
 class EditEgg extends EditRecord
 {
@@ -245,14 +245,13 @@ protected function getHeaderActions(): array
             Actions\DeleteAction::make('deleteEgg')
                 ->disabled(fn (Egg $egg): bool => $egg->servers()->count() > 0)
                 ->label(fn (Egg $egg): string => $egg->servers()->count() <= 0 ? 'Delete' : 'In Use'),
-
             Actions\Action::make('exportEgg')
                 ->label('Export')
                 ->color('primary')
                 ->action(fn (EggExporterService $service, Egg $egg) => response()->streamDownload(function () use ($service, $egg) {
                     echo $service->handle($egg->id);
-                }, 'egg-' . $egg->getKebabName() . '.json')),
-
+                }, 'egg-' . $egg->getKebabName() . '.json'))
+                ->authorize(fn () => auth()->user()->can('export egg')),
             Actions\Action::make('importEgg')
                 ->label('Import')
                 ->form([
@@ -321,8 +320,8 @@ protected function getHeaderActions(): array
                         ->title('Import Success')
                         ->success()
                         ->send();
-                }),
-
+                })
+                ->authorize(fn () => auth()->user()->can('import egg')),
             $this->getSaveFormAction()->formId('form'),
         ];
     }

diff --git a/app/Filament/Resources/EggResource/Pages/ListEggs.php b/app/Filament/Resources/EggResource/Pages/ListEggs.php
@@ -14,13 +14,13 @@
 use Filament\Forms\Components\TextInput;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ListRecords;
+use Filament\Tables;
 use Filament\Tables\Actions\BulkActionGroup;
 use Filament\Tables\Actions\DeleteBulkAction;
 use Filament\Tables\Actions\EditAction;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
 use Livewire\Features\SupportFileUploads\TemporaryUploadedFile;
-use Filament\Tables;
 
 class ListEggs extends ListRecords
 {
@@ -55,11 +55,13 @@ public function table(Table $table): Table
                     ->color('primary')
                     ->action(fn (EggExporterService $service, Egg $egg) => response()->streamDownload(function () use ($service, $egg) {
                         echo $service->handle($egg->id);
-                    }, 'egg-' . $egg->getKebabName() . '.json')),
+                    }, 'egg-' . $egg->getKebabName() . '.json'))
+                    ->authorize(fn () => auth()->user()->can('export egg')),
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete egg')),
                 ]),
             ]);
     }
@@ -138,7 +140,8 @@ protected function getHeaderActions(): array
                         ->title('Import Success')
                         ->success()
                         ->send();
-                }),
+                })
+                ->authorize(fn () => auth()->user()->can('import egg')),
         ];
     }
 }
diff --git a/app/Filament/Resources/MountResource/Pages/ListMounts.php b/app/Filament/Resources/MountResource/Pages/ListMounts.php
@@ -43,7 +43,8 @@ public function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete mount')),
                 ]),
             ])
             ->emptyStateIcon('tabler-layers-linked')

diff --git a/app/Filament/Resources/NodeResource/Pages/ListNodes.php b/app/Filament/Resources/NodeResource/Pages/ListNodes.php
@@ -84,7 +84,8 @@ public function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete node')),
                 ]),
             ])
             ->emptyStateIcon('tabler-server-2')

diff --git a/app/Filament/Resources/NodeResource/RelationManagers/AllocationsRelationManager.php b/app/Filament/Resources/NodeResource/RelationManagers/AllocationsRelationManager.php
@@ -7,12 +7,12 @@
 use App\Services\Allocations\AssignmentService;
 use Filament\Forms\Components\TagsInput;
 use Filament\Forms\Components\TextInput;
-use Filament\Forms\Set;
-use Filament\Tables\Actions\BulkActionGroup;
-use Filament\Tables\Actions\DeleteBulkAction;
 use Filament\Forms\Form;
+use Filament\Forms\Set;
 use Filament\Resources\RelationManagers\RelationManager;
 use Filament\Tables;
+use Filament\Tables\Actions\BulkActionGroup;
+use Filament\Tables\Actions\DeleteBulkAction;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Columns\TextInputColumn;
 use Filament\Tables\Table;
@@ -152,7 +152,8 @@ public function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    DeleteBulkAction::make(),
+                    DeleteBulkAction::make()
+                        ->authorize(fn () => auth()->user()->can('delete allocation')),
                 ]),
             ]);
     }