#63 - permissions
This commit is contained in:
Adrian Hopek
@@ -5,17 +5,31 @@ declare(strict_types=1);
|
||||
namespace Toby\Architecture\Providers;
|
||||
|
||||
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
|
||||
use Toby\Domain\Policies\HolidayPolicy;
|
||||
use Toby\Eloquent\Models\Holiday;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
use Toby\Domain\Enums\Role;
|
||||
use Toby\Domain\Policies\VacationRequestPolicy;
|
||||
use Toby\Eloquent\Models\User;
|
||||
use Toby\Eloquent\Models\VacationRequest;
|
||||
|
||||
class AuthServiceProvider extends ServiceProvider
|
||||
{
|
||||
protected $policies = [
|
||||
Holiday::class => HolidayPolicy::class
|
||||
VacationRequest::class => VacationRequestPolicy::class,
|
||||
];
|
||||
|
||||
public function boot(): void
|
||||
{
|
||||
$this->registerPolicies();
|
||||
|
||||
Gate::before(function (User $user) {
|
||||
if ($user->role === Role::Administrator) {
|
||||
return true;
|
||||
}
|
||||
});
|
||||
|
||||
Gate::define("manageUsers", fn(User $user) => $user->role === Role::AdministrativeApprover);
|
||||
Gate::define("manageHolidays", fn(User $user) => $user->role === Role::AdministrativeApprover);
|
||||
Gate::define("manageVacationLimits", fn(User $user) => $user->role === Role::AdministrativeApprover);
|
||||
Gate::define("generateTimesheet", fn(User $user) => $user->role === Role::AdministrativeApprover);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Toby\Domain\Policies;
|
||||
|
||||
use Toby\Domain\Enums\Role;
|
||||
use Toby\Eloquent\Models\User;
|
||||
|
||||
class HolidayPolicy
|
||||
{
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return $user->role == Role::AdministrativeApprover || $user->role == Role::Administrator;
|
||||
}
|
||||
}
|
||||
51
app/Domain/Policies/VacationRequestPolicy.php
Normal file
51
app/Domain/Policies/VacationRequestPolicy.php
Normal file
@@ -0,0 +1,51 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Toby\Domain\Policies;
|
||||
|
||||
use Toby\Domain\Enums\Role;
|
||||
use Toby\Eloquent\Models\User;
|
||||
use Toby\Eloquent\Models\VacationRequest;
|
||||
|
||||
class VacationRequestPolicy
|
||||
{
|
||||
public function createOnBehalfOfEmployee(User $user): bool
|
||||
{
|
||||
return $user->role === Role::AdministrativeApprover;
|
||||
}
|
||||
|
||||
public function acceptAsAdminApprover(User $user): bool
|
||||
{
|
||||
return $user->role === Role::AdministrativeApprover;
|
||||
}
|
||||
|
||||
public function acceptAsTechApprover(User $user): bool
|
||||
{
|
||||
return $user->role === Role::TechnicalApprover;
|
||||
}
|
||||
|
||||
public function skipFlow(User $user): bool
|
||||
{
|
||||
return $user->role === Role::AdministrativeApprover;
|
||||
}
|
||||
|
||||
public function reject(User $user): bool
|
||||
{
|
||||
return in_array($user->role, [Role::AdministrativeApprover, Role::TechnicalApprover], true);
|
||||
}
|
||||
|
||||
public function cancel(User $user): bool
|
||||
{
|
||||
return $user->role === Role::AdministrativeApprover;
|
||||
}
|
||||
|
||||
public function show(User $user, VacationRequest $vacationRequest): bool
|
||||
{
|
||||
if ($vacationRequest->user->is($user)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return in_array($user->role, [Role::TechnicalApprover, Role::AdministrativeApprover], true);
|
||||
}
|
||||
}
|
||||
@@ -4,10 +4,10 @@ declare(strict_types=1);
|
||||
|
||||
namespace Toby\Infrastructure\Http\Controllers;
|
||||
|
||||
use Illuminate\Auth\Access\AuthorizationException;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Inertia\Response;
|
||||
use Toby\Domain\Policies\HolidayPolicy;
|
||||
use Toby\Eloquent\Models\Holiday;
|
||||
use Toby\Infrastructure\Http\Requests\HolidayRequest;
|
||||
use Toby\Infrastructure\Http\Resources\HolidayFormDataResource;
|
||||
@@ -21,22 +21,31 @@ class HolidayController extends Controller
|
||||
->orderBy("date")
|
||||
->get();
|
||||
|
||||
$user = $request->user();
|
||||
return inertia("Holidays/Index", [
|
||||
"holidays" => HolidayResource::collection($holidays),
|
||||
"can" => [
|
||||
"create" => $user->can("create", Holiday::class)
|
||||
"manageHolidays" => $request->user()->can("manageHolidays"),
|
||||
],
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function create(): Response
|
||||
{
|
||||
$this->authorize("manageHolidays");
|
||||
|
||||
return inertia("Holidays/Create");
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function store(HolidayRequest $request): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageHolidays");
|
||||
|
||||
Holiday::query()->create($request->data());
|
||||
|
||||
return redirect()
|
||||
@@ -44,15 +53,25 @@ class HolidayController extends Controller
|
||||
->with("success", __("Holiday has been created."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function edit(Holiday $holiday): Response
|
||||
{
|
||||
$this->authorize("manageHolidays");
|
||||
|
||||
return inertia("Holidays/Edit", [
|
||||
"holiday" => new HolidayFormDataResource($holiday),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function update(HolidayRequest $request, Holiday $holiday): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageHolidays");
|
||||
|
||||
$holiday->update($request->data());
|
||||
|
||||
return redirect()
|
||||
@@ -60,8 +79,13 @@ class HolidayController extends Controller
|
||||
->with("success", __("Holiday has been updated."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function destroy(Holiday $holiday): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageHolidays");
|
||||
|
||||
$holiday->delete();
|
||||
|
||||
return redirect()
|
||||
|
||||
@@ -16,6 +16,8 @@ class TimesheetController extends Controller
|
||||
{
|
||||
public function __invoke(Month $month, YearPeriodRetriever $yearPeriodRetriever): BinaryFileResponse
|
||||
{
|
||||
$this->authorize("generateTimesheet");
|
||||
|
||||
$yearPeriod = $yearPeriodRetriever->selected();
|
||||
$carbonMonth = Carbon::create($yearPeriod->year, $month->toCarbonNumber());
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace Toby\Infrastructure\Http\Controllers;
|
||||
|
||||
use Illuminate\Auth\Access\AuthorizationException;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Inertia\Response;
|
||||
@@ -16,8 +17,13 @@ use Toby\Infrastructure\Http\Resources\UserResource;
|
||||
|
||||
class UserController extends Controller
|
||||
{
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function index(Request $request): Response
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
$users = User::query()
|
||||
->withTrashed()
|
||||
->search($request->query("search"))
|
||||
@@ -32,16 +38,26 @@ class UserController extends Controller
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function create(): Response
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
return inertia("Users/Create", [
|
||||
"employmentForms" => EmploymentForm::casesToSelect(),
|
||||
"roles" => Role::casesToSelect(),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function store(UserRequest $request): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
User::query()->create($request->data());
|
||||
|
||||
return redirect()
|
||||
@@ -49,8 +65,13 @@ class UserController extends Controller
|
||||
->with("success", __("User has been created."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function edit(User $user): Response
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
return inertia("Users/Edit", [
|
||||
"user" => new UserFormDataResource($user),
|
||||
"employmentForms" => EmploymentForm::casesToSelect(),
|
||||
@@ -58,8 +79,13 @@ class UserController extends Controller
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function update(UserRequest $request, User $user): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
$user->update($request->data());
|
||||
|
||||
return redirect()
|
||||
@@ -67,8 +93,13 @@ class UserController extends Controller
|
||||
->with("success", __("User has been updated."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function destroy(User $user): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
$user->delete();
|
||||
|
||||
return redirect()
|
||||
@@ -76,8 +107,13 @@ class UserController extends Controller
|
||||
->with("success", __("User has been deleted."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function restore(User $user): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageUsers");
|
||||
|
||||
$user->restore();
|
||||
|
||||
return redirect()
|
||||
|
||||
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace Toby\Infrastructure\Http\Controllers;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Carbon;
|
||||
use Inertia\Response;
|
||||
use Toby\Domain\CalendarGenerator;
|
||||
@@ -15,6 +16,7 @@ use Toby\Infrastructure\Http\Resources\UserResource;
|
||||
class VacationCalendarController extends Controller
|
||||
{
|
||||
public function index(
|
||||
Request $request,
|
||||
YearPeriodRetriever $yearPeriodRetriever,
|
||||
CalendarGenerator $calendarGenerator,
|
||||
?string $month = null,
|
||||
@@ -35,6 +37,9 @@ class VacationCalendarController extends Controller
|
||||
"calendar" => $calendar,
|
||||
"currentMonth" => $month->value,
|
||||
"users" => UserResource::collection($users),
|
||||
"can" => [
|
||||
"generateTimesheet" => $request->user()->can("generateTimesheet"),
|
||||
],
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -14,6 +14,8 @@ class VacationLimitController extends Controller
|
||||
{
|
||||
public function edit(): Response
|
||||
{
|
||||
$this->authorize("manageVacationLimits");
|
||||
|
||||
$limits = VacationLimit::query()
|
||||
->with("user")
|
||||
->orderByUserField("last_name")
|
||||
@@ -27,6 +29,8 @@ class VacationLimitController extends Controller
|
||||
|
||||
public function update(VacationLimitRequest $request): RedirectResponse
|
||||
{
|
||||
$this->authorize("manageVacationLimits");
|
||||
|
||||
$data = $request->data();
|
||||
|
||||
foreach ($request->vacationLimits() as $limit) {
|
||||
|
||||
@@ -5,11 +5,12 @@ declare(strict_types=1);
|
||||
namespace Toby\Infrastructure\Http\Controllers;
|
||||
|
||||
use Barryvdh\DomPDF\Facade\Pdf;
|
||||
use Illuminate\Auth\Access\AuthorizationException;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Http\Response as LaravelResponse;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Inertia\Response;
|
||||
use Toby\Domain\Enums\Role;
|
||||
use Toby\Domain\Enums\VacationType;
|
||||
use Toby\Domain\States\VacationRequest\AcceptedByAdministrative;
|
||||
use Toby\Domain\States\VacationRequest\AcceptedByTechnical;
|
||||
@@ -49,8 +50,12 @@ class VacationRequestController extends Controller
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function show(Request $request, VacationRequest $vacationRequest): Response
|
||||
{
|
||||
$this->authorize("show", $vacationRequest);
|
||||
$user = $request->user();
|
||||
|
||||
return inertia("VacationRequest/Show", [
|
||||
@@ -58,19 +63,24 @@ class VacationRequestController extends Controller
|
||||
"activities" => VacationRequestActivityResource::collection($vacationRequest->activities),
|
||||
"can" => [
|
||||
"acceptAsTechnical" => $vacationRequest->state->canTransitionTo(AcceptedByTechnical::class)
|
||||
&& $user === Role::TechnicalApprover,
|
||||
&& $user->can("acceptAsTechApprover", $vacationRequest),
|
||||
"acceptAsAdministrative" => $vacationRequest->state->canTransitionTo(AcceptedByAdministrative::class)
|
||||
&& $user === Role::AdministrativeApprover,
|
||||
&& $user->can("acceptAsAdminApprover", $vacationRequest),
|
||||
"reject" => $vacationRequest->state->canTransitionTo(Rejected::class)
|
||||
&& in_array($user->role, [Role::TechnicalApprover, Role::AdministrativeApprover], true),
|
||||
&& $user->can("reject", $vacationRequest),
|
||||
"cancel" => $vacationRequest->state->canTransitionTo(Cancelled::class)
|
||||
&& $user === Role::AdministrativeApprover,
|
||||
&& $user->can("cancel", $vacationRequest),
|
||||
],
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function download(VacationRequest $vacationRequest): LaravelResponse
|
||||
{
|
||||
$this->authorize("show", $vacationRequest);
|
||||
|
||||
$pdf = PDF::loadView("pdf.vacation-request", [
|
||||
"vacationRequest" => $vacationRequest,
|
||||
]);
|
||||
@@ -78,7 +88,7 @@ class VacationRequestController extends Controller
|
||||
return $pdf->stream();
|
||||
}
|
||||
|
||||
public function create(): Response
|
||||
public function create(Request $request): Response
|
||||
{
|
||||
$users = User::query()
|
||||
->orderBy("last_name")
|
||||
@@ -88,15 +98,31 @@ class VacationRequestController extends Controller
|
||||
return inertia("VacationRequest/Create", [
|
||||
"vacationTypes" => VacationType::casesToSelect(),
|
||||
"users" => UserResource::collection($users),
|
||||
"can" => [
|
||||
"createOnBehalfOfEmployee" => $request->user()->can("createOnBehalfOfEmployee", VacationRequest::class),
|
||||
"skipFlow" => $request->user()->can("skipFlow", VacationRequest::class),
|
||||
],
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
* @throws ValidationException
|
||||
*/
|
||||
public function store(
|
||||
VacationRequestRequest $request,
|
||||
VacationRequestValidator $vacationRequestValidator,
|
||||
VacationRequestStateManager $stateManager,
|
||||
VacationDaysCalculator $vacationDaysCalculator,
|
||||
): RedirectResponse {
|
||||
if ($request->createsOnBehalfOfEmployee()) {
|
||||
$this->authorize("createOnBehalfOfEmployee", VacationRequest::class);
|
||||
}
|
||||
|
||||
if ($request->wantsSkipFlow()) {
|
||||
$this->authorize("skipFlow", VacationRequest::class);
|
||||
}
|
||||
|
||||
/** @var VacationRequest $vacationRequest */
|
||||
$vacationRequest = $request->user()->createdVacationRequests()->make($request->data());
|
||||
$vacationRequestValidator->validate($vacationRequest);
|
||||
@@ -124,44 +150,64 @@ class VacationRequestController extends Controller
|
||||
->with("success", __("Vacation request has been created."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function reject(
|
||||
Request $request,
|
||||
VacationRequest $vacationRequest,
|
||||
VacationRequestStateManager $stateManager,
|
||||
): RedirectResponse {
|
||||
$this->authorize("reject", $vacationRequest);
|
||||
|
||||
$stateManager->reject($vacationRequest, $request->user());
|
||||
|
||||
return redirect()->back()
|
||||
->with("success", __("Vacation request has been rejected."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function cancel(
|
||||
Request $request,
|
||||
VacationRequest $vacationRequest,
|
||||
VacationRequestStateManager $stateManager,
|
||||
): RedirectResponse {
|
||||
$this->authorize("cancel", $vacationRequest);
|
||||
|
||||
$stateManager->cancel($vacationRequest, $request->user());
|
||||
|
||||
return redirect()->back()
|
||||
->with("success", __("Vacation request has been cancelled."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function acceptAsTechnical(
|
||||
Request $request,
|
||||
VacationRequest $vacationRequest,
|
||||
VacationRequestStateManager $stateManager,
|
||||
): RedirectResponse {
|
||||
$this->authorize("acceptAsTechApprover", $vacationRequest);
|
||||
|
||||
$stateManager->acceptAsTechnical($vacationRequest, $request->user());
|
||||
|
||||
return redirect()->back()
|
||||
->with("success", __("Vacation request has been accepted."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws AuthorizationException
|
||||
*/
|
||||
public function acceptAsAdministrative(
|
||||
Request $request,
|
||||
VacationRequest $vacationRequest,
|
||||
VacationRequestStateManager $stateManager,
|
||||
): RedirectResponse {
|
||||
$this->authorize("acceptAsAdminApprover", $vacationRequest);
|
||||
|
||||
$stateManager->acceptAsAdministrative($vacationRequest, $request->user());
|
||||
|
||||
return redirect()->back()
|
||||
|
||||
@@ -23,6 +23,10 @@ class HandleInertiaRequests extends Middleware
|
||||
return array_merge(parent::share($request), [
|
||||
"auth" => fn() => [
|
||||
"user" => $user ? new UserResource($user) : null,
|
||||
"can" => [
|
||||
"manageVacationLimits" => $user ? $user->can("manageVacationLimits") : false,
|
||||
"manageUsers" => $user ? $user->can("manageUsers") : false,
|
||||
],
|
||||
],
|
||||
"flash" => fn() => [
|
||||
"success" => $request->session()->get("success"),
|
||||
|
||||
@@ -27,16 +27,29 @@ class VacationRequestRequest extends FormRequest
|
||||
|
||||
public function data(): array
|
||||
{
|
||||
$from = $this->get("from");
|
||||
|
||||
return [
|
||||
"user_id" => $this->get("user"),
|
||||
"type" => $this->get("type"),
|
||||
"from" => $from,
|
||||
"from" => $this->get("from"),
|
||||
"to" => $this->get("to"),
|
||||
"year_period_id" => YearPeriod::findByYear(Carbon::create($from)->year)->id,
|
||||
"year_period_id" => $this->yearPeriod()->id,
|
||||
"comment" => $this->get("comment"),
|
||||
"flow_skipped" => $this->boolean("flowSkipped"),
|
||||
];
|
||||
}
|
||||
|
||||
public function yearPeriod(): YearPeriod
|
||||
{
|
||||
return YearPeriod::findByYear(Carbon::create($this->get("from"))->year);
|
||||
}
|
||||
|
||||
public function createsOnBehalfOfEmployee(): bool
|
||||
{
|
||||
return $this->user()->id !== $this->get("user");
|
||||
}
|
||||
|
||||
public function wantsSkipFlow(): bool
|
||||
{
|
||||
return $this->boolean("flowSkipped");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user