feat: implement multi-tenancy and super admin impersonation with security banner
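--- a/app/Console/Commands/MakeSuperAdmin.php
+++ b/app/Console/Commands/MakeSuperAdmin.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\User;
+use App\Models\Role;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+class MakeSuperAdmin extends Command
+{
+protected $signature = 'make:superadmin {email}';
+protected $description = 'Promote a user to SuperAdmin';
+
+public function handle()
+{
+$email = $this->argument('email');
+$user = User::withoutGlobalScope('structure')->where('email', $email)->first();
+
+if (!$user) {
+$this->error("Utilisateur non trouvé.");
+return;
+}
+
+// S'assurer que le rôle SuperAdmin existe (globalement)
+$role = Role::withoutGlobalScope('structure')->firstOrCreate(
+['name' => 'SuperAdmin', 'guard_name' => 'web'],
+['structure_id' => null] // Rôle global
+);
+
+// Assigner le rôle sur le contexte de l'utilisateur (ou structure 1 par défaut pour le CABM)
+setPermissionsTeamId($user->structure_id ?? 1);
+
+if (!$user->hasRole('SuperAdmin')) {
+$user->assignRole($role);
+}
+
+$this->info("Félicitations ! L'utilisateur {$email} a été promu SuperAdmin.");
+}
+}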
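Review bot: `setPermissionsTeamId($user->structure_id ?? 1)` silently binds the SuperAdmin assignment to tenant 1 whenever the user has no structure, turning a data problem into a role grant on a hard-coded tenant; the command should refuse instead, `if ($user->structure_id === null) { $this->error('Utilisateur sans structure.'); return self::FAILURE; }`, and the not-found branch should also `return self::FAILURE;` rather than a bare `return;` so calling scripts see the failure. Since the `hasRole` override added to `User` in this commit makes a SuperAdmin pass every role check, a `$this->confirm()` prompt before `assignRole` would be appropriate for a command this powerful. `use Illuminate\Support\Facades\DB;` is unused in this file.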
@@ -31,17 +31,41 @@ class RegisteredUserController extends Controller
public function store(Request $request): RedirectResponse
{
$request->validate([
'structure_name' => 'required|string|max:255|unique:structures,name',
'name' => 'required|string|max:255',
'email' => 'required|string|lowercase|email|max:255|unique:'.User::class,
'password' => ['required', 'confirmed', Rules\Password::defaults()],
]);
$user = User::create([
// 1. Créer la structure (Tenant)
// Le slug est généré avec un uniqid() pour éviter les conflits si deux noms produisent le même slug.
$structure = \App\Models\Structure::create([
'name' => $request->structure_name,
'slug' => \Illuminate\Support\Str::slug($request->structure_name) . '-' . substr(uniqid(), -5),
'is_active' => true,
]);
// 2. Définir le contexte Tenant pour que Spatie attache les rôles à cette structure-ci
config(['tenant.structure_id' => $structure->id]);
setPermissionsTeamId($structure->id);
// 3. Création des rôles par défaut pour le nouveau locataire
$adminRole = \App\Models\Role::firstOrCreate(['name' => 'Admin']);
\App\Models\Role::firstOrCreate(['name' => 'Agent']);
\App\Models\Role::firstOrCreate(['name' => 'Manager']);
\App\Models\Role::firstOrCreate(['name' => 'RH']);
// 4. Créer le premier compte Administrateur
$user = User::withoutGlobalScope('structure')->create([
'name' => $request->name,
'email' => $request->email,
'password' => Hash::make($request->password),
'structure_id' => $structure->id,
]);
// Affectation du rôle
$user->assignRole($adminRole);
event(new Registered($user));
Auth::login($user);
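Review bot: The structure, its four default roles and the first admin user are created by independent statements with no transaction, so a failure after `\App\Models\Structure::create` (for instance the unique `email` index rejecting a concurrent registration that passed validation a moment earlier) leaves an orphan tenant with roles but no administrator. The slug suffix `substr(uniqid(), -5)` is clock-derived and `slug` has no `unique` validation rule, so two registrations in the same window can still collide at insert time; wrapping the block in `DB::transaction` rolls the tenant back on any failure, and a random suffix removes the time coupling. `store` continues past the end of the hunk.
```php
// … unchanged: $request->validate([...]) …
$user = \Illuminate\Support\Facades\DB::transaction(function () use ($request) {
    $structure = \App\Models\Structure::create([
        'name' => $request->structure_name,
        'slug' => \Illuminate\Support\Str::slug($request->structure_name) . '-' . \Illuminate\Support\Str::lower(\Illuminate\Support\Str::random(6)),
        'is_active' => true,
    ]);
    // … unchanged: tenant context, default roles, admin user creation, assignRole …
    return $user;
});

event(new Registered($user));
```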
@@ -4,7 +4,7 @@ namespace App\Http\Controllers;
use Illuminate\Http\Request;
use Inertia\Inertia;
use Spatie\Permission\Models\Role;
use App\Models\Role;
use Spatie\Permission\Models\Permission;
class RoleController extends Controller
@@ -5,7 +5,7 @@ namespace App\Http\Controllers;
use App\Models\Service;
use Illuminate\Http\Request;
use Inertia\Inertia;
use Spatie\Permission\Models\Role;
use App\Models\Role;
use Spatie\Permission\Models\Permission;
class ServiceController extends Controller
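--- a/app/Http/Controllers/SuperAdminController.php
+++ b/app/Http/Controllers/SuperAdminController.php
@@ -0,0 +1,112 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+use Inertia\Inertia;
+use App\Models\Structure;
+
+class SuperAdminController extends Controller
+{
+public function index(Request $request)
+{
+// On s'assure que seul un SuperAdmin peut accéder ici
+if (!auth()->user()->hasRole('SuperAdmin')) {
+abort(403, 'Accès refusé. Vous devez être SuperAdmin.');
+}
+
+$structures = Structure::withCount(['users' => function ($query) {
+$query->withoutGlobalScope('structure');
+}])->get();
+
+return Inertia::render('SuperAdmin/Index', [
+'structures' => $structures,
+'current_structure_id' => session('target_structure_id')
+]);
+}
+
+public function create()
+{
+if (!auth()->user()->hasRole('SuperAdmin')) { abort(403); }
+
+return Inertia::render('SuperAdmin/Create');
+}
+
+public function store(Request $request)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) { abort(403); }
+
+$validated = $request->validate([
+'name' => 'required|string|max:255',
+'slug' => 'required|string|max:255|unique:structures',
+'domain' => 'nullable|string|max:255|unique:structures',
+'is_active' => 'boolean'
+]);
+
+Structure::create($validated);
+
+return redirect()->route('superadmin.index')->with('success', 'Structure créée avec succès.');
+}
+
+public function edit(Structure $structure)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) { abort(403); }
+
+return Inertia::render('SuperAdmin/Edit', [
+'structure' => $structure
+]);
+}
+
+public function update(Request $request, Structure $structure)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) { abort(403); }
+
+$validated = $request->validate([
+'name' => 'required|string|max:255',
+'slug' => 'required|string|max:255|unique:structures,slug,' . $structure->id,
+'domain' => 'nullable|string|max:255|unique:structures,domain,' . $structure->id,
+'is_active' => 'boolean'
+]);
+
+$structure->update($validated);
+
+return redirect()->route('superadmin.index')->with('success', 'Structure mise à jour.');
+}
+
+public function destroy(Structure $structure)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) { abort(403); }
+
+if (Structure::count() <= 1) {
+return redirect()->back()->with('error', 'Impossible de supprimer la dernière structure.');
+}
+
+$structure->delete();
+
+return redirect()->route('superadmin.index')->with('success', 'Structure supprimée avec succès.');
+}
+
+public function switchStructure(Request $request, Structure $structure)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) {
+abort(403);
+}
+
+// On enregistre dans la session qu'on veut "impersonner" cette structure
+$request->session()->put('target_structure_id', $structure->id);
+
+return redirect()->route('dashboard')->with('success', "Vous naviguez maintenant sur la structure : {$structure->name}.");
+}
+
+public function resetStructure(Request $request)
+{
+if (!auth()->user()->hasRole('SuperAdmin')) {
+abort(403);
+}
+
+// On retire l'impersonnation, on redevient un SuperAdmin "Global"
+$request->session()->forget('target_structure_id');
+
+return redirect()->route('superadmin.index')->with('success', "Périmètre global restauré.");
+}
+}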
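Review bot: Each of the eight actions repeats `auth()->user()->hasRole('SuperAdmin')` inline, which is easy to forget on the next action and, if a route is not also behind the `auth` middleware, fails with a method call on null instead of a 403; declaring the check once as controller middleware covers every action by construction (the `UserController` hunk on this page implements an `\Illuminate\Routing\Controlle…` interface, which suggests the `HasMiddleware` style is already in use). `switchStructure` and `resetStructure` change which tenant's data a SuperAdmin sees but write nothing to the activity log, even though the models in this commit import `Spatie\Activitylog`; recording the acting user and target structure makes impersonation auditable. `switchStructure` also accepts a structure whose `is_active` flag is false, while `store`/`update` treat that flag as meaningful.
```php
class SuperAdminController extends Controller implements \Illuminate\Routing\Controllers\HasMiddleware
{
    public static function middleware(): array
    {
        return [
            function (Request $request, \Closure $next) {
                abort_unless($request->user()?->hasRole('SuperAdmin'), 403);
                return $next($request);
            },
        ];
    }

    // … unchanged: index/create/store/edit/update/destroy/resetStructure, minus the inline hasRole checks …

    public function switchStructure(Request $request, Structure $structure)
    {
        $request->session()->put('target_structure_id', $structure->id);
        activity()->causedBy($request->user())->performedOn($structure)->log('superadmin.switch_structure');
        // … unchanged: redirect to dashboard …
    }
```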
@@ -30,7 +30,7 @@ class UserController extends Controller implements \Illuminate\Routing\Controlle
public function create()
{
return Inertia::render('User/Edit', [
'roles' => \Spatie\Permission\Models\Role::all(),
'roles' => \App\Models\Role::all(),
]);
}
@@ -60,7 +60,7 @@ class UserController extends Controller implements \Illuminate\Routing\Controlle
{
return Inertia::render('User/Edit', [
'user' => $user->load('roles'),
'roles' => \Spatie\Permission\Models\Role::all(),
'roles' => \App\Models\Role::all(),
]);
}
@@ -32,7 +32,22 @@ class HandleInertiaRequests extends Middleware
return [
...parent::share($request),
'auth' => [
'user' => $request->user() ? $request->user()->load('roles') : null,
'user' => $request->user()
? $request->user()->load([
'roles' => function($q) { $q->withoutGlobalScope('structure'); },
'structure'
])
: null,
],
'tenant' => [
'current' => config('tenant.structure_id')
? \App\Models\Structure::find(config('tenant.structure_id'))
: null,
'is_impersonating' => $request->session()->has('target_structure_id'),
],
'flash' => [
'success' => $request->session()->get('success'),
'error' => $request->session()->get('error'),
],
];
}
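Review bot: `'is_impersonating' => $request->session()->has('target_structure_id')` will be true for every ordinary user, because the `TenantContext` middleware in this commit writes `target_structure_id` = the user's own `structure_id` into the session on each request for non-SuperAdmins, and only SuperAdmins get the key set to `null` (for which `has()` is false); the banner would therefore show for the users it is not meant for and never mark a real tenant switch. Derive the flag from the effective tenant instead, e.g. `'is_impersonating' => config('tenant.structure_id') !== null && config('tenant.structure_id') !== $request->user()?->structure_id,`. `\App\Models\Structure::find(config('tenant.structure_id'))` also issues a query on every Inertia response; resolving the structure once in `TenantContext` and sharing that would avoid it. The enclosing method starts outside the hunk.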
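--- a/app/Http/Middleware/TenantContext.php
+++ b/app/Http/Middleware/TenantContext.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Illuminate\Support\Facades\Auth;
+
+class TenantContext
+{
+/**
+* Handle an incoming request.
+*
+* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
+*/
+public function handle(Request $request, Closure $next): Response
+{
+if (Auth::check()) {
+$user = Auth::user();
+
+// 1. Initialiser le contexte Spatie sur la propre structure de l'utilisateur
+// CELA NE DOIT JAMAIS CHANGER !
+// C'est ce qui permet à Laravel de toujours charger les rôles originels (Admin, SuperAdmin) du compte,
+// même s'il est en train d'ausculter les données d'un autre client.
+setPermissionsTeamId($user->structure_id);
+
+// S'il s'agit d'un SuperAdmin, il peut avoir choisi une structure spécifique en session
+if ($user->hasRole('SuperAdmin')) {
+if ($request->session()->has('target_structure_id')) {
+$targetId = $request->session()->get('target_structure_id');
+// On modifie UNIQUEMENT la configuration globale pour filtrer les données (BelongsToStructure scope)
+config(['tenant.structure_id' => $targetId]);
+} else {
+// Par défaut, s'il n'a pas ciblé de structure, vue globale (tous les locataires)
+config(['tenant.structure_id' => null]);
+// Et par défaut on remet sa session sur son origine si elle était vide
+$request->session()->put('target_structure_id', null);
+}
+} else {
+// Utilisateur SaaS standard : on fixe la config globale à SA structure
+config(['tenant.structure_id' => $user->structure_id]);
+// On met de force cette valeur dans sa session
+$request->session()->put('target_structure_id', $user->structure_id);
+}
+}
+
+return $next($request);
+}
+}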
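Review bot: `config(['tenant.structure_id' => …])` is only written inside `if (Auth::check())`, so an unauthenticated request leaves whatever value the previous request stored in the process-wide config repository; under a long-lived worker (Octane, queue workers) that would presumably carry one tenant's id into the next request. Reset it unconditionally at the top of `handle`, `config(['tenant.structure_id' => null]);`, before the branch. For SuperAdmins the session-supplied `$targetId` is applied without checking that the structure still exists or is active (it may have been removed through `destroy` after the switch), so a stale value silently yields an empty or misleading scope; guarding with `Structure::whereKey($targetId)->where('is_active', true)->exists()` and forgetting the key otherwise keeps the view coherent. The `// 1.` comment block at the top of the authenticated branch would read better condensed to a single sentence stating that the Spatie team id always stays the user's own structure so original roles keep loading during impersonation.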
@@ -3,9 +3,11 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class Agent extends Model
{
use BelongsToStructure;
protected $fillable = [
'first_name',
'last_name',
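Review bot: Adding `BelongsToStructure` to `Agent` (and likewise in the `Attachment`, `Comment`, `IntegrationRequest`, `IntegrationTemplate`, `Service`, `ServiceTask` and `TaskItem` hunks) makes every query on these tables filter on `structure_id` whenever a tenant is active, so any row that predates this commit and has a null `structure_id` disappears from every tenant's view while staying visible to a SuperAdmin in global view. This page shows no migration adding the column or backfilling existing rows, so verify that both exist and that `structure_id` carries a NOT NULL constraint and a foreign key to `structures`; without the backfill the scope silently hides data rather than protecting it. The `use BelongsToStructure;` line is placed directly against `$fillable` here and in `Attachment`, `Comment` and `TaskItem`, but separated by a blank line in `Service` and `IntegrationTemplate`; one convention across the models would help.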
@@ -3,9 +3,11 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class Attachment extends Model
{
use BelongsToStructure;
protected $fillable = [
'service_task_id',
'filename',
@@ -3,9 +3,11 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class Comment extends Model
{
use BelongsToStructure;
protected $fillable = ['user_id', 'content', 'commentable_id', 'commentable_type'];
public function user()
@@ -5,10 +5,11 @@ namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use Spatie\Activitylog\Traits\LogsActivity;
use Spatie\Activitylog\LogOptions;
use App\Traits\BelongsToStructure;
class IntegrationRequest extends Model
{
use LogsActivity;
use LogsActivity, BelongsToStructure;
public function getActivitylogOptions(): LogOptions
{
@@ -3,9 +3,12 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class IntegrationTemplate extends Model
{
use BelongsToStructure;
protected $fillable = [
'name',
'description',
@@ -3,9 +3,12 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class Service extends Model
{
use BelongsToStructure;
protected $fillable = [
'name',
'code',
@@ -5,10 +5,11 @@ namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use Spatie\Activitylog\Traits\LogsActivity;
use Spatie\Activitylog\LogOptions;
use App\Traits\BelongsToStructure;
class ServiceTask extends Model
{
use LogsActivity;
use LogsActivity, BelongsToStructure;
public function getActivitylogOptions(): LogOptions
{
@@ -3,9 +3,11 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use App\Traits\BelongsToStructure;
class TaskItem extends Model
{
use BelongsToStructure;
protected $fillable = [
'service_task_id',
'label',
@@ -8,11 +8,14 @@ use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Spatie\Permission\Traits\HasRoles;
use App\Traits\BelongsToStructure;
class User extends Authenticatable
{
/** @use HasFactory<\Database\Factories\UserFactory> */
use HasFactory, Notifiable, HasRoles;
use HasFactory, Notifiable, BelongsToStructure;
use HasRoles {
hasRole as traitHasRole;
}
/**
* The attributes that are mass assignable.
@@ -23,6 +26,7 @@ class User extends Authenticatable
'name',
'email',
'password',
'structure_id',
];
/**
@@ -47,4 +51,29 @@ class User extends Authenticatable
'password' => 'hashed',
];
}
/**
* Override de Spatie HasRoles pour qu'un SuperAdmin valide toutes les vérifications de rôle
* Cela permet notamment de parcourir les locataires (Tenant) sans être bloqué par les "hasRole('Admin')"
*/
public function hasRole($roles, string $guard = null): bool
{
// Si on ne demande pas explicitement le rôle SuperAdmin, on vérifie si l'utilisateur l'a globalement.
// On passe par DB::table pour éviter que le GlobalScope 'structure' ne filtre nos propres rôles
// lorsqu'on est en train de simuler une autre structure.
if ($roles !== 'SuperAdmin') {
$isSuperAdmin = \Illuminate\Support\Facades\DB::table('model_has_roles')
->join('roles', 'roles.id', '=', 'model_has_roles.role_id')
->where('model_has_roles.model_id', $this->id)
->where('model_has_roles.model_type', self::class)
->where('roles.name', 'SuperAdmin')
->exists();
if ($isSuperAdmin) {
return true;
}
}
return $this->traitHasRole($roles, $guard);
}
}
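Review bot: The SuperAdmin bypass in `hasRole` (third hunk) matches `roles.name = 'SuperAdmin'` from any guard, because the raw query filters on neither `guard_name` nor the team column the rest of the app scopes by, so a `SuperAdmin` role created under another guard would grant the bypass; add `->where('roles.guard_name', $guard ?? $this->getDefaultGuardName())` to the query. The signature `string $guard = null` relies on implicit nullability, which PHP 8.4 deprecates; write `?string $guard = null` to match Spatie's declaration. The query runs on every `hasRole` call (`TenantContext` and each `SuperAdminController` action call it per request), so memoizing the result on the instance for the lifetime of the request would avoid repeated round-trips. With `structure_id` now in `$fillable` (second hunk), any `User::create`/`update` fed request input directly lets the caller choose the tenant; `UserController`'s store/update are not on this page, so confirm they do not forward `structure_id`.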
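--- a/app/Traits/BelongsToStructure.php
+++ b/app/Traits/BelongsToStructure.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace App\Traits;
+
+use App\Models\Structure;
+use App\Models\Scopes\StructureScope;
+use Illuminate\Database\Eloquent\Builder;
+
+trait BelongsToStructure
+{
+/**
+* Boot the trait to apply the GlobalScope.
+*/
+protected static function bootBelongsToStructure()
+{
+static::addGlobalScope('structure', function (Builder $builder) {
+// On utilise la configuration injectée par le middleware plutôt que d'appeler auth()->user()
+// Cela évite la boucle infinie d'authentification lorsque le scope s'applique à la table `users`.
+$structureId = config('tenant.structure_id');
+if ($structureId !== null) {
+// Dans le cas spécifique de SQLite en mode de test, il faut parfois préciser la table.
+// Par sécurité on gère la jointure si besoin, mas ici on reste simple.
+$builder->where($builder->getModel()->getTable() . '.structure_id', $structureId);
+}
+});
+
+static::creating(function ($model) {
+// Assigner automatiquement la structure_id sur les nouveaux enregistrements
+if (!$model->structure_id) {
+$structureId = config('tenant.structure_id');
+if ($structureId) {
+$model->structure_id = $structureId;
+}
+}
+});
+}
+
+/**
+* Define the relationship to Structure.
+*/
+public function structure()
+{
+return $this->belongsTo(Structure::class);
+}
+}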
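Review bot: The `creating` hook leaves `structure_id` null when `config('tenant.structure_id')` is unset, which is exactly the state `TenantContext` establishes for a SuperAdmin in global view, so anything a SuperAdmin creates without first switching into a tenant is stored with no tenant and is then invisible to every scoped query while the global scope (`$structureId !== null`) hides nothing from the SuperAdmin. An explicitly null key should stay allowed (the global role in `MakeSuperAdmin` passes `'structure_id' => null`), but a missing one with no tenant context should fail loudly: `if (!array_key_exists('structure_id', $model->getAttributes()) && config('tenant.structure_id') === null) { throw new \RuntimeException('No tenant context for ' . $model::class); }`. The two checks also disagree (`!== null` in the scope, truthy `if ($structureId)` in the hook), so a structure id of `0` would be filtered on but never assigned; use `!== null` in both. `use App\Models\Scopes\StructureScope;` is unused, and the SQLite comment above the `where` describes a join the code does not perform.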