feat(auth): refine authorization checks for S3 storage and service management

2025-08-23 18:50:50 +02:00
parent adb8f9d88e
commit b5fe5dd909
4 changed files with 146 additions and 100 deletions
--- a/app/Policies/S3StoragePolicy.php
+++ b/app/Policies/S3StoragePolicy.php
@@ -29,7 +29,7 @@ class S3StoragePolicy
     */
    public function create(User $user): bool
    {
-        return true;
+        return $user->isAdmin();
    }

    /**
--- a/app/Policies/ServicePolicy.php
+++ b/app/Policies/ServicePolicy.php
@@ -28,7 +28,7 @@ class ServicePolicy
     */
    public function create(User $user): bool
    {
-        return true;
+        return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
    }

    /**
@@ -36,7 +36,7 @@ class ServicePolicy
     */
    public function update(User $user, Service $service): bool
    {
-        return true;
+        return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
    }

    /**
@@ -73,10 +73,22 @@ class ServicePolicy

    public function stop(User $user, Service $service): bool
    {
-        if ($user->isAdmin()) {
-            return true;
-        }
+        return $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
+    }

-        return false;
+    /**
+     * Determine whether the user can manage environment variables.
+     */
+    public function manageEnvironment(User $user, Service $service): bool
+    {
+        return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
+    }
+
+    /**
+     * Determine whether the user can deploy the service.
+     */
+    public function deploy(User $user, Service $service): bool
+    {
+        return $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null;
    }
 }
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -20,6 +20,15 @@ class AuthServiceProvider extends ServiceProvider
        \App\Models\Application::class => \App\Policies\ApplicationPolicy::class,
        \App\Models\ApplicationPreview::class => \App\Policies\ApplicationPreviewPolicy::class,
        \App\Models\ApplicationSetting::class => \App\Policies\ApplicationSettingPolicy::class,
+        // Database policies - all use the shared DatabasePolicy
+        \App\Models\StandalonePostgresql::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneMysql::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneMariadb::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneMongodb::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneRedis::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneKeydb::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneDragonfly::class => \App\Policies\DatabasePolicy::class,
+        \App\Models\StandaloneClickhouse::class => \App\Policies\DatabasePolicy::class,
    ];

    /**