sky121113
d2cefe3f39
All checks were successful
star-cloud-deploy-demo / deploy-demo (push) Successful in 1m4s
- [DOCS] 補齊 en, ja, zh_TW 語系檔翻譯並完善驗證錯誤訊息 (validation.php) - [FEAT] 角色權限頁面新增「所屬單位」篩選功能 (僅限系統管理員) - [STYLE] 優化角色列表顯示,將「類型」變更為具體「所屬單位」名稱 - [STYLE] 修正角色頁面工具列佈局,搜尋框置前並修正下拉箭頭顯示 - [REFACTOR] 統一全站刪除確認視窗,導入新版 <x-delete-confirm-modal /> 組件 - [REFACTOR] 優化 PermissionController 查詢效能 (Eager Loading) - [FIX] 修正 RoleSeeder 角色命名與資料庫同步邏輯
459 lines
18 KiB
PHP
459 lines
18 KiB
PHP
<?php
|
||
|
||
namespace App\Http\Controllers\Admin;
|
||
|
||
use App\Http\Controllers\Controller;
|
||
use Illuminate\Http\Request;
|
||
|
||
class PermissionController extends Controller
|
||
{
|
||
// 權限角色設定
|
||
public function roles()
|
||
{
|
||
$per_page = request()->input('per_page', 10);
|
||
$user = auth()->user();
|
||
$query = \App\Models\System\Role::query()->with(['permissions', 'users', 'company']);
|
||
|
||
// 租戶隔離:租戶只能看到自己公司的角色
|
||
if (!$user->isSystemAdmin()) {
|
||
$query->where('company_id', $user->company_id);
|
||
}
|
||
|
||
// 搜尋:角色名稱
|
||
if ($search = request()->input('search')) {
|
||
$query->where('name', 'like', "%{$search}%");
|
||
}
|
||
|
||
// 篩選:所屬單位 (僅限系統管理員)
|
||
if ($user->isSystemAdmin() && request()->filled('company_id')) {
|
||
if (request()->company_id === 'system') {
|
||
$query->where('is_system', true);
|
||
} else {
|
||
$query->where('company_id', request()->company_id);
|
||
}
|
||
}
|
||
|
||
$roles = $query->latest()->paginate($per_page)->withQueryString();
|
||
$companies = $user->isSystemAdmin() ? \App\Models\System\Company::all() : collect();
|
||
|
||
// 權限遞迴約束:租戶管理員只能看到並指派自己擁有的權限
|
||
$permissionQuery = \Spatie\Permission\Models\Permission::query();
|
||
if (!$user->isSystemAdmin()) {
|
||
$permissionQuery->whereIn('name', $user->getAllPermissions()->pluck('name'));
|
||
}
|
||
|
||
$all_permissions = $permissionQuery->get()
|
||
->filter(function($perm) {
|
||
// 排除子項項目,只顯示主要權限
|
||
$excluded = [
|
||
'menu.basic.machines',
|
||
'menu.basic.payment-configs',
|
||
'menu.companies',
|
||
'menu.accounts',
|
||
'menu.roles',
|
||
];
|
||
return !in_array($perm->name, $excluded);
|
||
})
|
||
->groupBy(function($perm) {
|
||
if (str_starts_with($perm->name, 'menu.')) {
|
||
return 'menu';
|
||
}
|
||
return 'other';
|
||
});
|
||
|
||
// 根據路由決定標題
|
||
$title = request()->routeIs('*.sub-account-roles') ? __('Sub Account Roles') : __('Role Settings');
|
||
|
||
$currentUserRoleIds = $user->roles->pluck('id')->toArray();
|
||
return view('admin.permission.roles', compact('roles', 'all_permissions', 'title', 'currentUserRoleIds', 'companies'));
|
||
}
|
||
|
||
/**
|
||
* Store a newly created role in storage.
|
||
*/
|
||
public function storeRole(Request $request)
|
||
{
|
||
$is_system = auth()->user()->isSystemAdmin() && $request->boolean('is_system');
|
||
$company_id = $is_system ? null : auth()->user()->company_id;
|
||
|
||
$validated = $request->validate([
|
||
'name' => [
|
||
'required', 'string', 'max:255',
|
||
\Illuminate\Validation\Rule::unique('roles', 'name')->where(function ($query) use ($company_id) {
|
||
return $query->where('company_id', $company_id);
|
||
})
|
||
],
|
||
'permissions' => 'nullable|array',
|
||
'permissions.*' => 'string|exists:permissions,name',
|
||
]);
|
||
|
||
$role = \App\Models\System\Role::query()->create([
|
||
'name' => $validated['name'],
|
||
'guard_name' => 'web',
|
||
'company_id' => $is_system ? null : auth()->user()->company_id,
|
||
'is_system' => $is_system,
|
||
]);
|
||
|
||
if (!empty($validated['permissions'])) {
|
||
$perms = $validated['permissions'];
|
||
|
||
// 權限遞迴約束驗證:確保指派的權限是操作者權限的子集
|
||
if (!auth()->user()->isSystemAdmin()) {
|
||
$currentUserPerms = auth()->user()->getAllPermissions()->pluck('name');
|
||
if (collect($perms)->diff($currentUserPerms)->isNotEmpty()) {
|
||
return redirect()->back()->with('error', __('You cannot assign permissions you do not possess.'));
|
||
}
|
||
}
|
||
|
||
// 如果不是系統角色,排除主選單的系統權限
|
||
if (!$is_system) {
|
||
$perms = array_diff($perms, ['menu.basic-settings', 'menu.permissions']);
|
||
}
|
||
$role->syncPermissions($perms);
|
||
}
|
||
|
||
return redirect()->back()->with('success', __('Role created successfully.'));
|
||
}
|
||
|
||
/**
|
||
* Update the specified role in storage.
|
||
*/
|
||
public function updateRole(Request $request, $id)
|
||
{
|
||
$role = \App\Models\System\Role::findOrFail($id);
|
||
|
||
$is_system = $role->is_system;
|
||
$company_id = $role->company_id;
|
||
|
||
$validated = $request->validate([
|
||
'name' => [
|
||
'required', 'string', 'max:255',
|
||
\Illuminate\Validation\Rule::unique('roles', 'name')
|
||
->ignore($id)
|
||
->where(function ($query) use ($company_id) {
|
||
return $query->where('company_id', $company_id);
|
||
})
|
||
],
|
||
'permissions' => 'nullable|array',
|
||
'permissions.*' => 'string|exists:permissions,name',
|
||
]);
|
||
|
||
if ($role->name === 'super-admin') {
|
||
return redirect()->back()->with('error', __('The Super Admin role is immutable.'));
|
||
}
|
||
|
||
if (!auth()->user()->isSystemAdmin() && $role->is_system) {
|
||
return redirect()->back()->with('error', __('System roles cannot be modified by tenant administrators.'));
|
||
}
|
||
|
||
$is_system = auth()->user()->isSystemAdmin() ? $request->boolean('is_system') : $role->is_system;
|
||
|
||
$role->update([
|
||
'name' => $validated['name'],
|
||
'is_system' => $is_system,
|
||
'company_id' => $is_system ? null : $role->company_id,
|
||
]);
|
||
|
||
$perms = $validated['permissions'] ?? [];
|
||
|
||
// 權限遞迴約束驗證
|
||
if (!auth()->user()->isSystemAdmin()) {
|
||
$currentUserPerms = auth()->user()->getAllPermissions()->pluck('name');
|
||
if (collect($perms)->diff($currentUserPerms)->isNotEmpty()) {
|
||
return redirect()->back()->with('error', __('You cannot assign permissions you do not possess.'));
|
||
}
|
||
}
|
||
|
||
// 如果不是系統角色,排除主選單的系統權限
|
||
if (!$is_system) {
|
||
$perms = array_diff($perms, ['menu.basic-settings', 'menu.permissions']);
|
||
}
|
||
$role->syncPermissions($perms);
|
||
|
||
return redirect()->back()->with('success', __('Role updated successfully.'));
|
||
}
|
||
|
||
/**
|
||
* Remove the specified role from storage.
|
||
*/
|
||
public function destroyRole($id)
|
||
{
|
||
$role = \App\Models\System\Role::findOrFail($id);
|
||
|
||
if ($role->name === 'super-admin') {
|
||
return redirect()->back()->with('error', __('The Super Admin role cannot be deleted.'));
|
||
}
|
||
|
||
if (!auth()->user()->isSystemAdmin() && $role->is_system) {
|
||
return redirect()->back()->with('error', __('System roles cannot be deleted by tenant administrators.'));
|
||
}
|
||
|
||
if ($role->users()->count() > 0) {
|
||
return redirect()->back()->with('error', __('Cannot delete role with active users.'));
|
||
}
|
||
|
||
$role->delete();
|
||
|
||
return redirect()->back()->with('success', __('Role deleted successfully.'));
|
||
}
|
||
|
||
// 帳號管理
|
||
public function accounts(Request $request)
|
||
{
|
||
$query = \App\Models\System\User::query()->with(['company', 'roles']);
|
||
|
||
// 租戶隔離:如果不是系統管理員,則只看自己公司的成員
|
||
if (!auth()->user()->isSystemAdmin()) {
|
||
$query->where('company_id', auth()->user()->company_id);
|
||
}
|
||
|
||
// 搜尋
|
||
if ($search = $request->input('search')) {
|
||
$query->where(function($q) use ($search) {
|
||
$q->where('name', 'like', "%{$search}%")
|
||
->orWhere('username', 'like', "%{$search}%")
|
||
->orWhere('email', 'like', "%{$search}%");
|
||
});
|
||
}
|
||
|
||
// 公司篩選 (僅限 super-admin)
|
||
if (auth()->user()->isSystemAdmin() && $request->filled('company_id')) {
|
||
$query->where('company_id', $request->company_id);
|
||
}
|
||
|
||
$per_page = $request->input('per_page', 10);
|
||
$users = $query->latest()->paginate($per_page)->withQueryString();
|
||
$companies = auth()->user()->isSystemAdmin() ? \App\Models\System\Company::all() : collect();
|
||
$roles_query = \App\Models\System\Role::query();
|
||
if (!auth()->user()->isSystemAdmin()) {
|
||
$roles_query->forCompany(auth()->user()->company_id);
|
||
}
|
||
$roles = $roles_query->get();
|
||
|
||
// 根據路由決定標題
|
||
$title = request()->routeIs('*.sub-accounts') ? __('Sub Account Management') : __('Account Management');
|
||
|
||
return view('admin.data-config.accounts', compact('users', 'companies', 'roles', 'title'));
|
||
}
|
||
|
||
/**
|
||
* Store a newly created account in storage.
|
||
*/
|
||
public function storeAccount(Request $request)
|
||
{
|
||
$validated = $request->validate([
|
||
'name' => 'required|string|max:255',
|
||
'username' => 'required|string|max:255|unique:users,username',
|
||
'email' => 'nullable|email|max:255|unique:users,email',
|
||
'password' => 'required|string|min:8',
|
||
'role' => 'required|string',
|
||
'status' => 'required|boolean',
|
||
'company_id' => 'nullable|exists:companies,id',
|
||
'phone' => 'nullable|string|max:20',
|
||
]);
|
||
|
||
$company_id = auth()->user()->isSystemAdmin() ? ($validated['company_id'] ?? null) : auth()->user()->company_id;
|
||
|
||
// 查找角色:優先尋找該公司的角色,若無則尋找全域範本
|
||
$role = \App\Models\System\Role::where('name', $validated['role'])
|
||
->where(function($q) use ($company_id) {
|
||
$q->where('company_id', $company_id)->orWhereNull('company_id');
|
||
})
|
||
->first();
|
||
|
||
if (!$role) {
|
||
return redirect()->back()->with('error', __('Role not found.'));
|
||
}
|
||
|
||
// 驗證角色與公司的匹配性 (RBAC Safeguard)
|
||
if ($company_id !== null) {
|
||
// 如果是租戶帳號,不能選超級管理員角色
|
||
if ($role->is_system && $role->name === 'super-admin') {
|
||
return redirect()->back()->with('error', __('Super-admin role cannot be assigned to tenant accounts.'));
|
||
}
|
||
// 如果角色有特定的 company_id,必須匹配
|
||
if ($role->company_id !== null && $role->company_id != $company_id) {
|
||
return redirect()->back()->with('error', __('This role belongs to another company and cannot be assigned.'));
|
||
}
|
||
} else {
|
||
// 如果是系統層級帳號,只能選系統角色 (is_system = 1)
|
||
if (!$role->is_system) {
|
||
return redirect()->back()->with('error', __('Only system roles can be assigned to platform administrative accounts.'));
|
||
}
|
||
}
|
||
|
||
// 角色初始化與克隆邏輯 (只有 super-admin 在幫空白公司開帳號時觸發)
|
||
$company_id = auth()->user()->isSystemAdmin() ? ($validated['company_id'] ?? null) : auth()->user()->company_id;
|
||
|
||
if ($company_id && $role && $role->company_id === null && $role->name !== 'super-admin') {
|
||
// 檢查該公司是否已有名為「管理員」的角色
|
||
$existingRole = \App\Models\System\Role::where('company_id', $company_id)
|
||
->where('name', '管理員')
|
||
->first();
|
||
|
||
if (!$existingRole) {
|
||
// 克隆範本為該公司的「管理員」
|
||
$newRole = \App\Models\System\Role::query()->create([
|
||
'name' => '管理員',
|
||
'guard_name' => 'web',
|
||
'company_id' => $company_id,
|
||
'is_system' => false,
|
||
]);
|
||
$newRole->syncPermissions($role->getPermissionNames());
|
||
$role = $newRole;
|
||
} else {
|
||
// 如果已存在名為「管理員」的角色,則直接使用它
|
||
$role = $existingRole;
|
||
}
|
||
}
|
||
|
||
$user = \App\Models\System\User::create([
|
||
'name' => $validated['name'],
|
||
'username' => $validated['username'],
|
||
'email' => $validated['email'],
|
||
'password' => \Illuminate\Support\Facades\Hash::make($validated['password']),
|
||
'status' => $validated['status'],
|
||
'company_id' => $company_id,
|
||
'phone' => $validated['phone'] ?? null,
|
||
]);
|
||
|
||
$user->assignRole($role);
|
||
|
||
return redirect()->back()->with('success', __('Account created successfully.'));
|
||
}
|
||
|
||
/**
|
||
* Update the specified account in storage.
|
||
*/
|
||
public function updateAccount(Request $request, $id)
|
||
{
|
||
$user = \App\Models\System\User::findOrFail($id);
|
||
|
||
if ($user->hasRole('super-admin')) {
|
||
return redirect()->back()->with('error', __('System super admin accounts cannot be modified via this interface.'));
|
||
}
|
||
|
||
$validated = $request->validate([
|
||
'name' => 'required|string|max:255',
|
||
'username' => 'required|string|max:255|unique:users,username,' . $id,
|
||
'email' => 'nullable|email|max:255|unique:users,email,' . $id,
|
||
'password' => 'nullable|string|min:8',
|
||
'role' => 'required|string',
|
||
'status' => 'required|boolean',
|
||
'company_id' => 'nullable|exists:companies,id',
|
||
'phone' => 'nullable|string|max:20',
|
||
]);
|
||
|
||
$target_company_id = auth()->user()->isSystemAdmin() ? ($validated['company_id'] ?? null) : auth()->user()->company_id;
|
||
|
||
// 查找角色:優先尋找該公司的角色,若無則尋找全域範本
|
||
$roleObj = \App\Models\System\Role::where('name', $validated['role'])
|
||
->where(function($q) use ($target_company_id) {
|
||
$q->where('company_id', $target_company_id)->orWhereNull('company_id');
|
||
})
|
||
->first();
|
||
|
||
if (!$roleObj) {
|
||
return redirect()->back()->with('error', __('Role not found.'));
|
||
}
|
||
|
||
// 驗證角色與公司的匹配性 (RBAC Safeguard)
|
||
if ($user->id !== auth()->id()) { // 排除編輯自己 (super-admin 有特殊邏輯)
|
||
if ($target_company_id !== null) {
|
||
if ($roleObj->is_system && $roleObj->name === 'super-admin') {
|
||
return redirect()->back()->with('error', __('Super-admin role cannot be assigned to tenant accounts.'));
|
||
}
|
||
if ($roleObj->company_id !== null && $roleObj->company_id != $target_company_id) {
|
||
return redirect()->back()->with('error', __('This role belongs to another company and cannot be assigned.'));
|
||
}
|
||
} else {
|
||
if (!$roleObj->is_system) {
|
||
return redirect()->back()->with('error', __('Only system roles can be assigned to platform administrative accounts.'));
|
||
}
|
||
}
|
||
}
|
||
|
||
$updateData = [
|
||
'name' => $validated['name'],
|
||
'username' => $validated['username'],
|
||
'email' => $validated['email'],
|
||
'status' => $validated['status'],
|
||
'phone' => $validated['phone'] ?? null,
|
||
];
|
||
|
||
if (auth()->user()->isSystemAdmin()) {
|
||
// 防止超級管理員不小心把自己綁定到租客公司或降級
|
||
if ($user->id === auth()->id()) {
|
||
$updateData['company_id'] = null;
|
||
$validated['role'] = 'super-admin';
|
||
} else {
|
||
$updateData['company_id'] = $validated['company_id'];
|
||
}
|
||
}
|
||
|
||
if (!empty($validated['password'])) {
|
||
$updateData['password'] = \Illuminate\Support\Facades\Hash::make($validated['password']);
|
||
}
|
||
|
||
// 角色初始化與克隆邏輯
|
||
$target_company_id = auth()->user()->isSystemAdmin() ? ($validated['company_id'] ?? null) : auth()->user()->company_id;
|
||
|
||
if ($target_company_id && $roleObj && $roleObj->company_id === null && $roleObj->name !== 'super-admin') {
|
||
// 檢查該公司是否已有名為「管理員」的角色
|
||
$existingRole = \App\Models\System\Role::where('company_id', $target_company_id)
|
||
->where('name', '管理員')
|
||
->first();
|
||
|
||
if (!$existingRole) {
|
||
$newRole = \App\Models\System\Role::query()->create([
|
||
'name' => '管理員',
|
||
'guard_name' => 'web',
|
||
'company_id' => $target_company_id,
|
||
'is_system' => false,
|
||
]);
|
||
$newRole->syncPermissions($roleObj->getPermissionNames());
|
||
$roleObj = $newRole;
|
||
} else {
|
||
$roleObj = $existingRole;
|
||
}
|
||
}
|
||
|
||
$user->update($updateData);
|
||
|
||
// 如果是編輯自己且原本是超級管理員,強制保留 super-admin 角色
|
||
if ($user->id === auth()->id() && auth()->user()->isSystemAdmin()) {
|
||
$user->syncRoles(['super-admin']);
|
||
} else {
|
||
$user->syncRoles([$roleObj]);
|
||
}
|
||
|
||
return redirect()->back()->with('success', __('Account updated successfully.'));
|
||
}
|
||
|
||
/**
|
||
* Remove the specified account from storage.
|
||
*/
|
||
public function destroyAccount($id)
|
||
{
|
||
$user = \App\Models\System\User::findOrFail($id);
|
||
|
||
if ($user->hasRole('super-admin')) {
|
||
return redirect()->back()->with('error', __('System super admin accounts cannot be deleted.'));
|
||
}
|
||
|
||
if ($user->id === auth()->id()) {
|
||
return redirect()->back()->with('error', __('You cannot delete your own account.'));
|
||
}
|
||
|
||
// 為了解決軟刪除導致的唯一索引佔用問題,刪除前先重命名唯一欄位
|
||
$timestamp = now()->getTimestamp();
|
||
$user->username = $user->username . '.deleted.' . $timestamp;
|
||
$user->email = $user->email . '.deleted.' . $timestamp;
|
||
$user->save();
|
||
|
||
$user->delete();
|
||
|
||
return redirect()->back()->with('success', __('Account deleted successfully.'));
|
||
}
|
||
}
|