added "members" for an event that help the admins to moderate. members must be invited via email.
This commit is contained in:
Codex Agent
@@ -3,6 +3,7 @@
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\ApiError;
|
||||
use Closure;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
@@ -30,12 +31,12 @@ class EnsureTenantAdminToken
|
||||
return $this->unauthorizedResponse('Missing personal access token context.');
|
||||
}
|
||||
|
||||
if (! in_array($user->role, ['tenant_admin', 'super_admin'], true)) {
|
||||
return $this->forbiddenResponse('Only tenant administrators may access this resource.');
|
||||
if (! in_array($user->role, $this->allowedRoles(), true)) {
|
||||
return $this->forbiddenResponse($this->forbiddenRoleMessage());
|
||||
}
|
||||
|
||||
if (! $accessToken->can('tenant-admin')) {
|
||||
return $this->forbiddenResponse('Access token does not include the tenant-admin ability.');
|
||||
if (! $this->hasRequiredAbilities($accessToken, $user)) {
|
||||
return $this->forbiddenResponse($this->abilityErrorMessage());
|
||||
}
|
||||
|
||||
/** @var Tenant|null $tenant */
|
||||
@@ -90,6 +91,40 @@ class EnsureTenantAdminToken
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string>
|
||||
*/
|
||||
protected function allowedRoles(): array
|
||||
{
|
||||
return ['tenant_admin', 'super_admin', 'admin'];
|
||||
}
|
||||
|
||||
protected function forbiddenRoleMessage(): string
|
||||
{
|
||||
return 'Only tenant administrators may access this resource.';
|
||||
}
|
||||
|
||||
protected function requiredAbilitiesForUser(User $user): array
|
||||
{
|
||||
return ['tenant-admin'];
|
||||
}
|
||||
|
||||
protected function abilityErrorMessage(): string
|
||||
{
|
||||
return 'Access token does not include the tenant-admin ability.';
|
||||
}
|
||||
|
||||
protected function hasRequiredAbilities(PersonalAccessToken $accessToken, User $user): bool
|
||||
{
|
||||
foreach ($this->requiredAbilitiesForUser($user) as $ability) {
|
||||
if (! $accessToken->can($ability)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
private function resolveRequestedTenantId(Request $request): ?int
|
||||
{
|
||||
$routeTenant = $request->route('tenant');
|
||||
|
||||
33
app/Http/Middleware/EnsureTenantCollaboratorToken.php
Normal file
33
app/Http/Middleware/EnsureTenantCollaboratorToken.php
Normal file
@@ -0,0 +1,33 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Models\User;
|
||||
use Laravel\Sanctum\PersonalAccessToken;
|
||||
|
||||
class EnsureTenantCollaboratorToken extends EnsureTenantAdminToken
|
||||
{
|
||||
protected function allowedRoles(): array
|
||||
{
|
||||
return ['tenant_admin', 'super_admin', 'admin', 'member'];
|
||||
}
|
||||
|
||||
protected function forbiddenRoleMessage(): string
|
||||
{
|
||||
return 'Only tenant collaborators may access this resource.';
|
||||
}
|
||||
|
||||
protected function abilityErrorMessage(): string
|
||||
{
|
||||
return 'Access token does not include the tenant-member ability.';
|
||||
}
|
||||
|
||||
protected function hasRequiredAbilities(PersonalAccessToken $accessToken, User $user): bool
|
||||
{
|
||||
if ($accessToken->can('tenant-admin')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return $accessToken->can('tenant-member');
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user