feat(auth): introduce resource creation authorization middleware and policies for enhanced access control
This commit is contained in:
Andras Bacsai
25
app/Http/Middleware/CanCreateResources.php
Normal file
25
app/Http/Middleware/CanCreateResources.php
Normal file
@@ -0,0 +1,25 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class CanCreateResources
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
if (! Gate::allows('createAnyResource')) {
|
||||
abort(403, 'You do not have permission to create resources.');
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -99,4 +99,12 @@ class ApplicationPolicy
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can cleanup deployment queue.
|
||||
*/
|
||||
public function cleanupDeploymentQueue(User $user): bool
|
||||
{
|
||||
return $user->isAdmin();
|
||||
}
|
||||
}
|
||||
|
||||
65
app/Policies/EnvironmentPolicy.php
Normal file
65
app/Policies/EnvironmentPolicy.php
Normal file
@@ -0,0 +1,65 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Environment;
|
||||
use App\Models\User;
|
||||
|
||||
class EnvironmentPolicy
|
||||
{
|
||||
/**
|
||||
* Determine whether the user can view any models.
|
||||
*/
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can view the model.
|
||||
*/
|
||||
public function view(User $user, Environment $environment): bool
|
||||
{
|
||||
return $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can create models.
|
||||
*/
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can update the model.
|
||||
*/
|
||||
public function update(User $user, Environment $environment): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can delete the model.
|
||||
*/
|
||||
public function delete(User $user, Environment $environment): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can restore the model.
|
||||
*/
|
||||
public function restore(User $user, Environment $environment): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can permanently delete the model.
|
||||
*/
|
||||
public function forceDelete(User $user, Environment $environment): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
|
||||
}
|
||||
}
|
||||
65
app/Policies/ProjectPolicy.php
Normal file
65
app/Policies/ProjectPolicy.php
Normal file
@@ -0,0 +1,65 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Project;
|
||||
use App\Models\User;
|
||||
|
||||
class ProjectPolicy
|
||||
{
|
||||
/**
|
||||
* Determine whether the user can view any models.
|
||||
*/
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can view the model.
|
||||
*/
|
||||
public function view(User $user, Project $project): bool
|
||||
{
|
||||
return $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can create models.
|
||||
*/
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can update the model.
|
||||
*/
|
||||
public function update(User $user, Project $project): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can delete the model.
|
||||
*/
|
||||
public function delete(User $user, Project $project): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can restore the model.
|
||||
*/
|
||||
public function restore(User $user, Project $project): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can permanently delete the model.
|
||||
*/
|
||||
public function forceDelete(User $user, Project $project): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
|
||||
}
|
||||
}
|
||||
62
app/Policies/ResourceCreatePolicy.php
Normal file
62
app/Policies/ResourceCreatePolicy.php
Normal file
@@ -0,0 +1,62 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Application;
|
||||
use App\Models\Service;
|
||||
use App\Models\StandaloneClickhouse;
|
||||
use App\Models\StandaloneDragonfly;
|
||||
use App\Models\StandaloneKeydb;
|
||||
use App\Models\StandaloneMariadb;
|
||||
use App\Models\StandaloneMongodb;
|
||||
use App\Models\StandaloneMysql;
|
||||
use App\Models\StandalonePostgresql;
|
||||
use App\Models\StandaloneRedis;
|
||||
use App\Models\User;
|
||||
|
||||
class ResourceCreatePolicy
|
||||
{
|
||||
/**
|
||||
* List of resource classes that can be created
|
||||
*/
|
||||
public const CREATABLE_RESOURCES = [
|
||||
StandalonePostgresql::class,
|
||||
StandaloneRedis::class,
|
||||
StandaloneMongodb::class,
|
||||
StandaloneMysql::class,
|
||||
StandaloneMariadb::class,
|
||||
StandaloneKeydb::class,
|
||||
StandaloneDragonfly::class,
|
||||
StandaloneClickhouse::class,
|
||||
Service::class,
|
||||
Application::class,
|
||||
];
|
||||
|
||||
/**
|
||||
* Determine whether the user can create any resource.
|
||||
*/
|
||||
public function createAny(User $user): bool
|
||||
{
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can create a specific resource type.
|
||||
*/
|
||||
public function create(User $user, string $resourceClass): bool
|
||||
{
|
||||
if (! in_array($resourceClass, self::CREATABLE_RESOURCES)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
* Authorize creation of all supported resource types.
|
||||
*/
|
||||
public function authorizeAllResourceCreation(User $user): bool
|
||||
{
|
||||
return $this->createAny($user);
|
||||
}
|
||||
}
|
||||
@@ -28,7 +28,7 @@ class ServicePolicy
|
||||
*/
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -3,7 +3,9 @@
|
||||
namespace App\Providers;
|
||||
|
||||
// use Illuminate\Support\Facades\Gate;
|
||||
use App\Policies\ResourceCreatePolicy;
|
||||
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
|
||||
class AuthServiceProvider extends ServiceProvider
|
||||
{
|
||||
@@ -20,6 +22,9 @@ class AuthServiceProvider extends ServiceProvider
|
||||
\App\Models\Application::class => \App\Policies\ApplicationPolicy::class,
|
||||
\App\Models\ApplicationPreview::class => \App\Policies\ApplicationPreviewPolicy::class,
|
||||
\App\Models\ApplicationSetting::class => \App\Policies\ApplicationSettingPolicy::class,
|
||||
\App\Models\Service::class => \App\Policies\ServicePolicy::class,
|
||||
\App\Models\Project::class => \App\Policies\ProjectPolicy::class,
|
||||
\App\Models\Environment::class => \App\Policies\EnvironmentPolicy::class,
|
||||
// Database policies - all use the shared DatabasePolicy
|
||||
\App\Models\StandalonePostgresql::class => \App\Policies\DatabasePolicy::class,
|
||||
\App\Models\StandaloneMysql::class => \App\Policies\DatabasePolicy::class,
|
||||
@@ -29,6 +34,7 @@ class AuthServiceProvider extends ServiceProvider
|
||||
\App\Models\StandaloneKeydb::class => \App\Policies\DatabasePolicy::class,
|
||||
\App\Models\StandaloneDragonfly::class => \App\Policies\DatabasePolicy::class,
|
||||
\App\Models\StandaloneClickhouse::class => \App\Policies\DatabasePolicy::class,
|
||||
|
||||
];
|
||||
|
||||
/**
|
||||
@@ -36,6 +42,7 @@ class AuthServiceProvider extends ServiceProvider
|
||||
*/
|
||||
public function boot(): void
|
||||
{
|
||||
//
|
||||
// Register gates for resource creation policy
|
||||
Gate::define('createAnyResource', [ResourceCreatePolicy::class, 'createAny']);
|
||||
}
|
||||
}
|
||||
|
||||
20
app/Traits/AuthorizesResourceCreation.php
Normal file
20
app/Traits/AuthorizesResourceCreation.php
Normal file
@@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
namespace App\Traits;
|
||||
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
|
||||
trait AuthorizesResourceCreation
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
/**
|
||||
* Authorize creation of all supported resources.
|
||||
*
|
||||
* @throws \Illuminate\Auth\Access\AuthorizationException
|
||||
*/
|
||||
protected function authorizeResourceCreation(): void
|
||||
{
|
||||
$this->authorize('createAnyResource');
|
||||
}
|
||||
}
|
||||
@@ -179,8 +179,8 @@ Route::middleware(['auth', 'verified'])->group(function () {
|
||||
});
|
||||
Route::prefix('project/{project_uuid}/environment/{environment_uuid}')->group(function () {
|
||||
Route::get('/', ResourceIndex::class)->name('project.resource.index');
|
||||
Route::get('/clone', ProjectCloneMe::class)->name('project.clone-me');
|
||||
Route::get('/new', ResourceCreate::class)->name('project.resource.create');
|
||||
Route::get('/clone', ProjectCloneMe::class)->name('project.clone-me')->middleware('can.create.resources');
|
||||
Route::get('/new', ResourceCreate::class)->name('project.resource.create')->middleware('can.create.resources');
|
||||
Route::get('/edit', EnvironmentEdit::class)->name('project.environment.edit');
|
||||
});
|
||||
Route::prefix('project/{project_uuid}/environment/{environment_uuid}/application/{application_uuid}')->group(function () {
|
||||
|
||||
Reference in New Issue
Block a user