From d8d01e6886faf95acb4ccd361316867f0d8f3c29 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 22 Aug 2025 13:02:20 +0200
Subject: [PATCH] feat(auth): implement authorization for PrivateKey management
- Added authorization checks in the Create and Show Livewire components to ensure only authorized users can create, update, and delete PrivateKey instances.
- Introduced a new PrivateKeyPolicy to define access control rules for viewing, creating, updating, and deleting PrivateKey models based on user roles and team associations.
- Updated AuthServiceProvider to register the new PrivateKeyPolicy, enhancing security and access control for PrivateKey functionalities.
---
 app/Livewire/Security/PrivateKey/Create.php | 4 ++
 app/Livewire/Security/PrivateKey/Show.php | 5 ++
 app/Policies/PrivateKeyPolicy.php | 65 +++++++++++++++++++++
 app/Providers/AuthServiceProvider.php | 3 +-
 4 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 app/Policies/PrivateKeyPolicy.php
diff --git a/app/Livewire/Security/PrivateKey/Create.php b/app/Livewire/Security/PrivateKey/Create.php
index ff196bd35..0f36037ff 100644
--- a/app/Livewire/Security/PrivateKey/Create.php
+++ b/app/Livewire/Security/PrivateKey/Create.php
@@ -4,10 +4,13 @@ namespace App\Livewire\Security\PrivateKey;
 use App\Models\PrivateKey;
 use App\Support\ValidationPatterns;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 class Create extends Component
 {
+ use AuthorizesRequests;
+
 public string $name = '';
 public string $value = '';
@@ -66,6 +69,7 @@ class Create extends Component
 $this->validate();
 try {
+ $this->authorize('create', PrivateKey::class);
 $privateKey = PrivateKey::createAndStore([
 'name' => $this->name,
 'description' => $this->description,
diff --git a/app/Livewire/Security/PrivateKey/Show.php b/app/Livewire/Security/PrivateKey/Show.php
index b78367464..2ff06c349 100644
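Review bot: In the second Create.php hunk, `$this->authorize('create', PrivateKey::class);` is placed inside the `try` block and after `$this->validate()`, so if the `catch` that follows outside the hunk is a broad handler, the AuthorizationException thrown for a non-admin is turned into an ordinary error message instead of the 403 the Gate is meant to produce, and input validation has already run for a caller who was never allowed to submit. Make the authorization the first statement of the method, above `$this->validate();` and outside the `try`, so a denial short-circuits before any work is done. The same placement appears in Show::delete() and Show::changePrivateKey() in the next file. The enclosing submit method starts before this hunk and its catch lies after it.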
--- a/app/Livewire/Security/PrivateKey/Show.php
+++ b/app/Livewire/Security/PrivateKey/Show.php
@@ -4,10 +4,13 @@ namespace App\Livewire\Security\PrivateKey;
 use App\Models\PrivateKey;
 use App\Support\ValidationPatterns;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 class Show extends Component
 {
+ use AuthorizesRequests;
+
 public PrivateKey $private_key;
 public $public_key = 'Loading...';
@@ -62,6 +65,7 @@ class Show extends Component
 public function delete()
 {
 try {
+ $this->authorize('delete', $this->private_key);
 $this->private_key->safeDelete();
 currentTeam()->privateKeys = PrivateKey::where('team_id', currentTeam()->id)->get();
@@ -76,6 +80,7 @@ class Show extends Component
 public function changePrivateKey()
 {
 try {
+ $this->authorize('update', $this->private_key);
 $this->private_key->updatePrivateKey([
 'private_key' => formatPrivateKey($this->private_key->private_key),
 ]);
diff --git a/app/Policies/PrivateKeyPolicy.php b/app/Policies/PrivateKeyPolicy.php
new file mode 100644
index 000000000..6b9fd2171
--- /dev/null
+++ b/app/Policies/PrivateKeyPolicy.php
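Review bot: The second and third hunks gate `delete()` and `changePrivateKey()`, but none of the five lines this commit adds to Show.php authorizes reading the key: `Show` still receives `$private_key` and exposes `$public_key` with no `view` check, although the policy added in this same commit defines a team-scoped view rule. Add `$this->authorize('view', $this->private_key);` at the point where the component is given the model (its mount(), which lies outside these hunks, if it has one), so a key belonging to another team cannot be inspected through this component even when every mutating action is denied. Both action methods' catch blocks are outside the hunks, so the note on Create.php about placing the authorize call before the `try` applies here as well.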
@@ -0,0 +1,65 @@
+teams()->get()->firstWhere('id', $privateKey->team_id) !== null;
+ }
+
+ /**
+ * Determine whether the user can create models.
+ */
+ public function create(User $user): bool
+ {
+ return $user->isAdmin();
+ }
+
+ /**
+ * Determine whether the user can update the model.
+ */
+ public function update(User $user, PrivateKey $privateKey): bool
+ {
+ return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $privateKey->team_id) !== null;
+ }
+
+ /**
+ * Determine whether the user can delete the model.
+ */
+ public function delete(User $user, PrivateKey $privateKey): bool
+ {
+ return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $privateKey->team_id) !== null;
+ }
+
+ /**
+ * Determine whether the user can restore the model.
+ */
+ public function restore(User $user, PrivateKey $privateKey): bool
+ {
+ return false;
+ }
+
+ /**
+ * Determine whether the user can permanently delete the model.
+ */
+ public function forceDelete(User $user, PrivateKey $privateKey): bool
+ {
+ return false;
+ }
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index dafcbee79..476e064d6 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -13,7 +13,8 @@ class AuthServiceProvider extends ServiceProvider
 * @var array
 */
 protected $policies = [
- // 'App\Models\Model' => 'App\Policies\ModelPolicy',
+ \App\Models\Server::class => \App\Policies\ServerPolicy::class,
+ \App\Models\PrivateKey::class => \App\Policies\PrivateKeyPolicy::class,
 ];
 /**
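Review bot: The membership test `$user->teams()->get()->firstWhere('id', $privateKey->team_id) !== null` is written out three times, in update(), delete() and the rule whose start is cut off at the top of the hunk, and each call hydrates every team of the user just to test one id. Move it into one private helper that runs an existence query, `$user->teams()->whereKey($privateKey->team_id)->exists()`, and have every rule call that helper, so the condition is defined once and a later change to it cannot diverge between rules. Separately, `create()` checks only `$user->isAdmin()` with no team scope, while update() and delete() pair `isAdmin()` with membership in the key's team; if isAdmin() reflects the user's role in their current team rather than in `$privateKey->team_id`, an admin of one team who is a plain member of another would pass the check for the other team's keys, so confirm which team the role is evaluated against and document it on the class. The file header, imports and the first rule's signature are not visible in this chunk.
```php
    public function update(User $user, PrivateKey $privateKey): bool
    {
        return $user->isAdmin() && $this->isMemberOfKeyTeam($user, $privateKey);
    }

    // … delete(): same change as update(); restore()/forceDelete() unchanged …

    /**
     * One EXISTS query against the user's teams instead of loading them all;
     * expresses the same condition as the inline firstWhere() did.
     */
    private function isMemberOfKeyTeam(User $user, PrivateKey $privateKey): bool
    {
        return $user->teams()->whereKey($privateKey->team_id)->exists();
    }
```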
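Review bot: The AuthServiceProvider hunk registers `\App\Models\Server::class => \App\Policies\ServerPolicy::class` next to the PrivateKey mapping, but the commit message and the diffstat mention only PrivateKeyPolicy and no ServerPolicy file is part of this commit; if `App\Policies\ServerPolicy` does not already exist in the tree, policy resolution for Server models fails at runtime, so either confirm it exists or move that mapping to the commit that introduces it. As a matter of style, import the four classes with `use` statements at the top of the file and write `Server::class => ServerPolicy::class,` and `PrivateKey::class => PrivateKeyPolicy::class,` rather than leading-backslash fully qualified names inside the array.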