feat: implement multi-tenancy and super admin impersonation with security banner

2026-02-21 20:15:47 +01:00
parent a0e904d69d
commit 63e448ef22
31 changed files with 819 additions and 51 deletions
--- a/app/Models/Agent.php
+++ b/app/Models/Agent.php
@@ -3,9 +3,11 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class Agent extends Model
 {
+    use BelongsToStructure;
    protected $fillable = [
        'first_name',
        'last_name',
--- a/app/Models/Attachment.php
+++ b/app/Models/Attachment.php
@@ -3,9 +3,11 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class Attachment extends Model
 {
+    use BelongsToStructure;
    protected $fillable = [
        'service_task_id', 
        'filename', 
--- a/app/Models/Comment.php
+++ b/app/Models/Comment.php
@@ -3,9 +3,11 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class Comment extends Model
 {
+    use BelongsToStructure;
    protected $fillable = ['user_id', 'content', 'commentable_id', 'commentable_type'];

    public function user()
--- a/app/Models/IntegrationRequest.php
+++ b/app/Models/IntegrationRequest.php
@@ -5,10 +5,11 @@ namespace App\Models;
 use Illuminate\Database\Eloquent\Model;
 use Spatie\Activitylog\Traits\LogsActivity;
 use Spatie\Activitylog\LogOptions;
+use App\Traits\BelongsToStructure;

 class IntegrationRequest extends Model
 {
-    use LogsActivity;
+    use LogsActivity, BelongsToStructure;

    public function getActivitylogOptions(): LogOptions
    {
--- a/app/Models/IntegrationTemplate.php
+++ b/app/Models/IntegrationTemplate.php
@@ -3,9 +3,12 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class IntegrationTemplate extends Model
 {
+    use BelongsToStructure;
+
    protected $fillable = [
        'name',
        'description',
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -3,9 +3,12 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class Service extends Model
 {
+    use BelongsToStructure;
+
    protected $fillable = [
        'name',
        'code',
--- a/app/Models/ServiceTask.php
+++ b/app/Models/ServiceTask.php
@@ -5,10 +5,11 @@ namespace App\Models;
 use Illuminate\Database\Eloquent\Model;
 use Spatie\Activitylog\Traits\LogsActivity;
 use Spatie\Activitylog\LogOptions;
+use App\Traits\BelongsToStructure;

 class ServiceTask extends Model
 {
-    use LogsActivity;
+    use LogsActivity, BelongsToStructure;

    public function getActivitylogOptions(): LogOptions
    {
--- a/app/Models/TaskItem.php
+++ b/app/Models/TaskItem.php
@@ -3,9 +3,11 @@
 namespace App\Models;

 use Illuminate\Database\Eloquent\Model;
+use App\Traits\BelongsToStructure;

 class TaskItem extends Model
 {
+    use BelongsToStructure;
    protected $fillable = [
        'service_task_id',
        'label',
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -8,11 +8,14 @@ use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;

 use Spatie\Permission\Traits\HasRoles;
+use App\Traits\BelongsToStructure;

 class User extends Authenticatable
 {
-    /** @use HasFactory<\Database\Factories\UserFactory> */
-    use HasFactory, Notifiable, HasRoles;
+    use HasFactory, Notifiable, BelongsToStructure;
+    use HasRoles {
+        hasRole as traitHasRole;
+    }

    /**
     * The attributes that are mass assignable.
@@ -23,6 +26,7 @@ class User extends Authenticatable
        'name',
        'email',
        'password',
+        'structure_id',
    ];

    /**
@@ -47,4 +51,29 @@ class User extends Authenticatable
            'password' => 'hashed',
        ];
    }
+
+    /**
+     * Override de Spatie HasRoles pour qu'un SuperAdmin valide toutes les vérifications de rôle
+     * Cela permet notamment de parcourir les locataires (Tenant) sans être bloqué par les "hasRole('Admin')"
+     */
+    public function hasRole($roles, string $guard = null): bool
+    {
+        // Si on ne demande pas explicitement le rôle SuperAdmin, on vérifie si l'utilisateur l'a globalement.
+        // On passe par DB::table pour éviter que le GlobalScope 'structure' ne filtre nos propres rôles
+        // lorsqu'on est en train de simuler une autre structure.
+        if ($roles !== 'SuperAdmin') {
+            $isSuperAdmin = \Illuminate\Support\Facades\DB::table('model_has_roles')
+                ->join('roles', 'roles.id', '=', 'model_has_roles.role_id')
+                ->where('model_has_roles.model_id', $this->id)
+                ->where('model_has_roles.model_type', self::class)
+                ->where('roles.name', 'SuperAdmin')
+                ->exists();
+
+            if ($isSuperAdmin) {
+                return true;
+            }
+        }
+        
+        return $this->traitHasRole($roles, $guard);
+    }
 }