feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled.

app/Livewire/Security/ApiTokens.php

@@ -3,10 +3,14 @@
 namespace App\Livewire\Security;
 
 use App\Models\InstanceSettings;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Laravel\Sanctum\PersonalAccessToken;
 use Livewire\Component;
 
 class ApiTokens extends Component
 {
+    use AuthorizesRequests;
+
     public ?string $description = null;
 
     public $tokens = [];
@@ -15,6 +19,10 @@ class ApiTokens extends Component
 
     public $isApiEnabled;
 
+    public bool $canUseRootPermissions = false;
+
+    public bool $canUseWritePermissions = false;
+
     public function render()
     {
         return view('livewire.security.api-tokens');
@@ -23,6 +31,8 @@ class ApiTokens extends Component
     public function mount()
     {
         $this->isApiEnabled = InstanceSettings::get()->is_api_enabled;
+        $this->canUseRootPermissions = auth()->user()->can('useRootPermissions', PersonalAccessToken::class);
+        $this->canUseWritePermissions = auth()->user()->can('useWritePermissions', PersonalAccessToken::class);
         $this->getTokens();
     }
 
@@ -33,6 +43,23 @@ class ApiTokens extends Component
 
     public function updatedPermissions($permissionToUpdate)
     {
+        // Check if user is trying to use restricted permissions
+        if ($permissionToUpdate == 'root' && ! $this->canUseRootPermissions) {
+            $this->dispatch('error', 'You do not have permission to use root permissions.');
+            // Remove root from permissions if it was somehow added
+            $this->permissions = array_diff($this->permissions, ['root']);
+
+            return;
+        }
+
+        if (in_array($permissionToUpdate, ['write', 'write:sensitive']) && ! $this->canUseWritePermissions) {
+            $this->dispatch('error', 'You do not have permission to use write permissions.');
+            // Remove write permissions if they were somehow added
+            $this->permissions = array_diff($this->permissions, ['write', 'write:sensitive']);
+
+            return;
+        }
+
         if ($permissionToUpdate == 'root') {
             $this->permissions = ['root'];
         } elseif ($permissionToUpdate == 'read:sensitive' && ! in_array('read', $this->permissions)) {
@@ -50,6 +77,17 @@ class ApiTokens extends Component
     public function addNewToken()
     {
         try {
+            $this->authorize('create', PersonalAccessToken::class);
+
+            // Validate permissions based on user role
+            if (in_array('root', $this->permissions) && ! $this->canUseRootPermissions) {
+                throw new \Exception('You do not have permission to create tokens with root permissions.');
+            }
+
+            if (array_intersect(['write', 'write:sensitive'], $this->permissions) && ! $this->canUseWritePermissions) {
+                throw new \Exception('You do not have permission to create tokens with write permissions.');
+            }
+
             $this->validate([
                 'description' => 'required|min:3|max:255',
             ]);
@@ -65,6 +103,7 @@ class ApiTokens extends Component
     {
         try {
             $token = auth()->user()->tokens()->where('id', $id)->firstOrFail();
+            $this->authorize('delete', $token);
             $token->delete();
             $this->getTokens();
         } catch (\Exception $e) {