implemented operation based permissions
This commit is contained in:
root
@@ -4,6 +4,7 @@ namespace KTXC\Controllers;
|
||||
|
||||
use KTXC\Http\Response\JsonResponse;
|
||||
use KTXC\Module\ModuleManager;
|
||||
use KTXC\Security\Authorization\PermissionChecker;
|
||||
use KTXC\Service\UserService;
|
||||
use KTXC\SessionIdentity;
|
||||
use KTXF\Controller\ControllerAbstract;
|
||||
@@ -17,20 +18,33 @@ class InitController extends ControllerAbstract
|
||||
private readonly SessionIdentity $userIdentity,
|
||||
private readonly ModuleManager $moduleManager,
|
||||
private readonly UserService $userService,
|
||||
private readonly PermissionChecker $permissionChecker,
|
||||
) {}
|
||||
|
||||
#[AuthenticatedRoute('/init', name: 'init', methods: ['GET'])]
|
||||
#[AuthenticatedRoute(
|
||||
'/init',
|
||||
name: 'init',
|
||||
methods: ['GET']
|
||||
)]
|
||||
public function index(): JsonResponse {
|
||||
|
||||
$configuration = [];
|
||||
|
||||
// modules
|
||||
// modules - filter by permissions
|
||||
$configuration['modules'] = [];
|
||||
foreach ($this->moduleManager->list() as $module) {
|
||||
if (!method_exists($module, 'bootUi')) {
|
||||
continue;
|
||||
}
|
||||
$configuration['modules'][$module->handle()] = $module->bootUi();
|
||||
|
||||
// Check if user has permission to view this module
|
||||
// Allow access if user has: {module_handle}, {module_handle}.*, or * permission
|
||||
$handle = $module->handle();
|
||||
if (!$this->hasModuleViewPermission($handle)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$configuration['modules'][$handle] = $module->bootUi();
|
||||
}
|
||||
|
||||
// tenant
|
||||
@@ -46,7 +60,8 @@ class InitController extends ControllerAbstract
|
||||
'identifier' => $this->userIdentity->identifier(),
|
||||
'identity' => $this->userIdentity->identity()->getIdentity(),
|
||||
'label' => $this->userIdentity->label(),
|
||||
'permissions' => [], // TODO: Implement permissions
|
||||
'roles' => $this->userIdentity->identity()->getRoles(),
|
||||
'permissions' => $this->userIdentity->identity()->getPermissions(),
|
||||
],
|
||||
'profile' => $this->userService->getEditableFields($this->userIdentity->identifier()),
|
||||
'settings' => $this->userService->fetchSettings(),
|
||||
@@ -56,4 +71,29 @@ class InitController extends ControllerAbstract
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user has permission to view a module
|
||||
*
|
||||
* Checks for the following permissions (in order):
|
||||
* 1. {module_handle} - module access permission
|
||||
* 2. {module_handle}.* - wildcard for the module
|
||||
* 3. * - global wildcard
|
||||
*
|
||||
* @param string $moduleHandle The module handle to check
|
||||
* @return bool
|
||||
*/
|
||||
private function hasModuleViewPermission(string $moduleHandle): bool
|
||||
{
|
||||
// Core module is always accessible to authenticated users
|
||||
if ($moduleHandle === 'core') {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Check for specific module permission or wildcard permissions
|
||||
return $this->permissionChecker->canAny([
|
||||
"{$moduleHandle}",
|
||||
"{$moduleHandle}.*",
|
||||
]);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user