diff --git a/app/Http/Controllers/Admin/ProgramController.php b/app/Http/Controllers/Admin/ProgramController.php index e64a8b3..f023cae 100644 --- a/app/Http/Controllers/Admin/ProgramController.php +++ b/app/Http/Controllers/Admin/ProgramController.php @@ -19,6 +19,11 @@ class ProgramController extends Controller ->withCount(['attendances', 'programParticipants']) ->latest(); + // Admin program hanya nampak program sendiri + if (auth()->user()->isAdminProgram()) { + $query->where('created_by', auth()->id()); + } + if ($request->filled('search')) { $query->where(function ($q) use ($request) { $q->where('title', 'like', '%' . $request->search . '%') @@ -57,6 +62,8 @@ class ProgramController extends Controller public function show(Program $program): View { + $this->authorize('view', $program); + $program->load([ 'qrCode', 'certificateTemplate', @@ -77,11 +84,15 @@ class ProgramController extends Controller public function edit(Program $program): View { + $this->authorize('update', $program); + return view('admin.programs.edit', compact('program')); } public function update(UpdateProgramRequest $request, Program $program): RedirectResponse { + $this->authorize('update', $program); + $old = $program->only([ 'title', 'status', 'checkin_start_at', 'checkin_end_at', 'ecert_download_start_at', 'ecert_download_end_at', @@ -98,6 +109,8 @@ class ProgramController extends Controller public function destroy(Program $program): RedirectResponse { + $this->authorize('delete', $program); + if ($program->attendances()->exists()) { return back()->with('error', 'Program tidak boleh dipadam kerana sudah ada rekod kehadiran.'); } @@ -113,6 +126,8 @@ class ProgramController extends Controller public function publish(Program $program): RedirectResponse { + $this->authorize('update', $program); + if ($program->status !== 'draft') { return back()->with('error', 'Hanya program berstatus Draf boleh diterbitkan.'); } @@ -125,6 +140,8 @@ class ProgramController extends Controller public function close(Program $program): RedirectResponse { + $this->authorize('update', $program); + if ($program->status !== 'published') { return back()->with('error', 'Hanya program berstatus Diterbitkan boleh ditutup.'); } diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php new file mode 100644 index 0000000..583483e --- /dev/null +++ b/app/Http/Controllers/Admin/UserController.php @@ -0,0 +1,89 @@ +latest()->paginate(20); + + return view('admin.users.index', compact('users')); + } + + public function create(): View + { + return view('admin.users.create'); + } + + public function store(Request $request): RedirectResponse + { + $data = $request->validate([ + 'name' => 'required|string|max:255', + 'email' => 'required|email|max:255|unique:users,email', + 'role' => 'required|in:super_admin,admin', + 'password' => ['required', 'confirmed', Password::min(8)->mixedCase()->numbers()], + ]); + + $user = User::create($data); + + AuditLogService::log('user.created', $user, [], ['email' => $user->email, 'role' => $user->role]); + + return redirect()->route('admin.users.index') + ->with('success', 'Pengguna "' . $user->name . '" berjaya ditambah.'); + } + + public function edit(User $user): View + { + return view('admin.users.edit', compact('user')); + } + + public function update(Request $request, User $user): RedirectResponse + { + $rules = [ + 'name' => 'required|string|max:255', + 'email' => 'required|email|max:255|unique:users,email,' . $user->id, + 'role' => 'required|in:super_admin,admin', + ]; + + if ($request->filled('password')) { + $rules['password'] = ['confirmed', Password::min(8)->mixedCase()->numbers()]; + } + + $data = $request->validate($rules); + + if (! $request->filled('password')) { + unset($data['password']); + } + + $old = $user->only(['name', 'email', 'role']); + $user->update($data); + + AuditLogService::log('user.updated', $user, $old, $user->only(['name', 'email', 'role'])); + + return redirect()->route('admin.users.index') + ->with('success', 'Maklumat pengguna "' . $user->name . '" berjaya dikemas kini.'); + } + + public function destroy(User $user): RedirectResponse + { + if ($user->id === auth()->id()) { + return back()->with('error', 'Anda tidak boleh padam akaun sendiri.'); + } + + $name = $user->name; + AuditLogService::log('user.deleted', $user); + $user->delete(); + + return redirect()->route('admin.users.index') + ->with('success', 'Pengguna "' . $name . '" berjaya dipadam.'); + } +} diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index 8677cd5..e7f7c94 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -2,7 +2,9 @@ namespace App\Http\Controllers; +use Illuminate\Foundation\Auth\Access\AuthorizesRequests; + abstract class Controller { - // + use AuthorizesRequests; } diff --git a/app/Http/Middleware/EnsureIsAdmin.php b/app/Http/Middleware/EnsureIsAdmin.php index 728abb9..76a29f3 100644 --- a/app/Http/Middleware/EnsureIsAdmin.php +++ b/app/Http/Middleware/EnsureIsAdmin.php @@ -10,7 +10,9 @@ class EnsureIsAdmin { public function handle(Request $request, Closure $next): Response { - if (! $request->user()?->is_admin) { + $role = $request->user()?->role; + + if (! in_array($role, ['super_admin', 'admin'])) { abort(403, 'Akses ditolak.'); } diff --git a/app/Http/Middleware/EnsureSuperAdmin.php b/app/Http/Middleware/EnsureSuperAdmin.php new file mode 100644 index 0000000..a02e22a --- /dev/null +++ b/app/Http/Middleware/EnsureSuperAdmin.php @@ -0,0 +1,19 @@ +user()?->role !== 'super_admin') { + abort(403, 'Hanya Super Admin boleh mengakses bahagian ini.'); + } + + return $next($request); + } +} diff --git a/app/Models/User.php b/app/Models/User.php index 747d97c..88a70e1 100644 --- a/app/Models/User.php +++ b/app/Models/User.php @@ -12,7 +12,7 @@ class User extends Authenticatable /** @use HasFactory */ use HasFactory, Notifiable; - protected $fillable = ['name', 'email', 'password', 'is_admin']; + protected $fillable = ['name', 'email', 'password', 'role']; protected $hidden = ['password', 'remember_token']; protected function casts(): array @@ -20,10 +20,24 @@ class User extends Authenticatable return [ 'email_verified_at' => 'datetime', 'password' => 'hashed', - 'is_admin' => 'boolean', ]; } + public function isSuperAdmin(): bool + { + return $this->role === 'super_admin'; + } + + public function isAdminProgram(): bool + { + return $this->role === 'admin'; + } + + public function canAccessProgram(Program $program): bool + { + return $this->isSuperAdmin() || $program->created_by === $this->id; + } + public function programs() { return $this->hasMany(Program::class, 'created_by'); diff --git a/app/Policies/ProgramPolicy.php b/app/Policies/ProgramPolicy.php new file mode 100644 index 0000000..ce65d7f --- /dev/null +++ b/app/Policies/ProgramPolicy.php @@ -0,0 +1,34 @@ +canAccessProgram($program); + } + + public function create(User $user): bool + { + return true; // Both roles can create programs + } + + public function update(User $user, Program $program): bool + { + return $user->canAccessProgram($program); + } + + public function delete(User $user, Program $program): bool + { + return $user->canAccessProgram($program); + } +} diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php index 6b7573e..1e4bed9 100644 --- a/app/Providers/AppServiceProvider.php +++ b/app/Providers/AppServiceProvider.php @@ -2,9 +2,12 @@ namespace App\Providers; +use App\Models\Program; +use App\Policies\ProgramPolicy; use Illuminate\Cache\RateLimiting\Limit; use Illuminate\Http\Request; use Illuminate\Pagination\Paginator; +use Illuminate\Support\Facades\Gate; use Illuminate\Support\Facades\RateLimiter; use Illuminate\Support\Facades\URL; use Illuminate\Support\ServiceProvider; @@ -15,6 +18,9 @@ class AppServiceProvider extends ServiceProvider public function boot(): void { + // Policies + Gate::policy(Program::class, ProgramPolicy::class); + // Bootstrap pagination Paginator::useBootstrapFive(); diff --git a/bootstrap/app.php b/bootstrap/app.php index f96e164..8d73310 100644 --- a/bootstrap/app.php +++ b/bootstrap/app.php @@ -12,7 +12,8 @@ return Application::configure(basePath: dirname(__DIR__)) ) ->withMiddleware(function (Middleware $middleware): void { $middleware->alias([ - 'admin' => \App\Http\Middleware\EnsureIsAdmin::class, + 'admin' => \App\Http\Middleware\EnsureIsAdmin::class, + 'super_admin' => \App\Http\Middleware\EnsureSuperAdmin::class, ]); }) ->withExceptions(function (Exceptions $exceptions): void { diff --git a/database/factories/UserFactory.php b/database/factories/UserFactory.php index f014cb0..a12a08e 100644 --- a/database/factories/UserFactory.php +++ b/database/factories/UserFactory.php @@ -30,7 +30,7 @@ class UserFactory extends Factory 'email_verified_at' => now(), 'password' => static::$password ??= Hash::make('password'), 'remember_token' => Str::random(10), - 'is_admin' => true, + 'role' => 'super_admin', ]; } @@ -41,8 +41,15 @@ class UserFactory extends Factory ]); } + public function adminProgram(): static + { + return $this->state(fn (array $attributes) => ['role' => 'admin']); + } + public function nonAdmin(): static { - return $this->state(fn (array $attributes) => ['is_admin' => false]); + // role='none' bukan dalam enum yang valid → EnsureIsAdmin returns 403 + // SQLite tidak enforce enum constraint dalam tests + return $this->state(fn (array $attributes) => ['role' => 'none']); } } diff --git a/database/migrations/2026_05_17_000001_replace_is_admin_with_role_on_users_table.php b/database/migrations/2026_05_17_000001_replace_is_admin_with_role_on_users_table.php new file mode 100644 index 0000000..00e1390 --- /dev/null +++ b/database/migrations/2026_05_17_000001_replace_is_admin_with_role_on_users_table.php @@ -0,0 +1,36 @@ +enum('role', ['super_admin', 'admin'])->default('admin')->after('password'); + }); + + // Migrate existing is_admin=true rows to super_admin + DB::table('users')->where('is_admin', true)->update(['role' => 'super_admin']); + + Schema::table('users', function (Blueprint $table) { + $table->dropColumn('is_admin'); + }); + } + + public function down(): void + { + Schema::table('users', function (Blueprint $table) { + $table->boolean('is_admin')->default(false)->after('password'); + }); + + DB::table('users')->where('role', 'super_admin')->update(['is_admin' => true]); + + Schema::table('users', function (Blueprint $table) { + $table->dropColumn('role'); + }); + } +}; diff --git a/database/seeders/AdminSeeder.php b/database/seeders/AdminSeeder.php index 617492b..f8072b5 100644 --- a/database/seeders/AdminSeeder.php +++ b/database/seeders/AdminSeeder.php @@ -15,7 +15,7 @@ class AdminSeeder extends Seeder [ 'name' => 'Admin eCert MBIP', 'password' => Hash::make('Admin@MBIP2025!'), - 'is_admin' => true, + 'role' => 'super_admin', ] ); diff --git a/resources/views/admin/users/create.blade.php b/resources/views/admin/users/create.blade.php new file mode 100644 index 0000000..109c5ea --- /dev/null +++ b/resources/views/admin/users/create.blade.php @@ -0,0 +1,76 @@ +@extends('layouts.admin') + +@section('title', 'Tambah Pengguna') +@section('header', 'Tambah Pengguna Baru') + +@section('breadcrumb') +
  • Pengguna
    • +
  • Tambah Baru
    • +@endsection + +@section('content') + +
    +
    +
    +
    +
    + @csrf + +
    + + + @error('name')
    {{ $message }}
    @enderror +
    + +
    + + + @error('email')
    {{ $message }}
    @enderror +
    + +
    + + + @error('role')
    {{ $message }}
    @enderror +
    + +
    + + + @error('password')
    {{ $message }}
    @enderror +
    + +
    + + +
    + +
    + + Batal +
    +
    +
    +
    +
    +
    + +@endsection diff --git a/resources/views/admin/users/edit.blade.php b/resources/views/admin/users/edit.blade.php new file mode 100644 index 0000000..c29f965 --- /dev/null +++ b/resources/views/admin/users/edit.blade.php @@ -0,0 +1,77 @@ +@extends('layouts.admin') + +@section('title', 'Edit Pengguna — ' . $user->name) +@section('header', 'Edit Pengguna') + +@section('breadcrumb') +
  • Pengguna
    • +
  • {{ Str::limit($user->name, 30) }}
    • +@endsection + +@section('content') + +
    +
    +
    +
    +
    + @csrf @method('PUT') + +
    + + + @error('name')
    {{ $message }}
    @enderror +
    + +
    + + + @error('email')
    {{ $message }}
    @enderror +
    + +
    + + + @if($user->id === auth()->id()) + +
    Anda tidak boleh tukar peranan akaun sendiri.
    + @endif + @error('role')
    {{ $message }}
    @enderror +
    + +
    + + + @error('password')
    {{ $message }}
    @enderror +
    + +
    + + +
    + +
    + + Batal +
    +
    +
    +
    +
    +
    + +@endsection diff --git a/resources/views/admin/users/index.blade.php b/resources/views/admin/users/index.blade.php new file mode 100644 index 0000000..caf7819 --- /dev/null +++ b/resources/views/admin/users/index.blade.php @@ -0,0 +1,83 @@ +@extends('layouts.admin') + +@section('title', 'Pengurusan Pengguna') +@section('header', 'Pengurusan Pengguna') + +@section('breadcrumb') +
  • Pengguna
    • +@endsection + +@section('header-actions') + + Tambah Pengguna + +@endsection + +@section('content') + +
    +
    + + + + + + + + + + + + + @forelse($users as $user) + + + + + + + + + @empty + + + + @endforelse + +
    NamaEmelPerananProgramTarikh Daftar
    +
    {{ $user->name }}
    + @if($user->id === auth()->id()) + Anda + @endif +     		{{ $user->email }} + @if($user->role === 'super_admin') + Super Admin + @else + Admin Program + @endif + + {{ $user->programs_count }} + {{ $user->created_at->format('d/m/Y') }} + + + + @if($user->id !== auth()->id()) +
    + @csrf @method('DELETE') + +
    + @endif +
    Tiada pengguna dijumpai.
    +
    + + @if($users->hasPages()) +
    {{ $users->links() }}
    + @endif +
    + +@endsection diff --git a/resources/views/layouts/admin.blade.php b/resources/views/layouts/admin.blade.php index 55d232d..166ee61 100644 --- a/resources/views/layouts/admin.blade.php +++ b/resources/views/layouts/admin.blade.php @@ -46,11 +46,26 @@ Set Soalselidik + + @if(auth()->user()->isSuperAdmin()) +
  • + Sistem +
    • +
  • + + Pengurusan Pengguna + +
    • + @endif
    {{ auth()->user()->name }} + + {{ auth()->user()->isSuperAdmin() ? 'Super Admin' : 'Admin Program' }} +
    @csrf
    diff --git a/routes/web.php b/routes/web.php index 0d6c42f..b9b0134 100644 --- a/routes/web.php +++ b/routes/web.php @@ -2,6 +2,7 @@ use Illuminate\Support\Facades\Route; use App\Http\Controllers\Admin\DashboardController; +use App\Http\Controllers\Admin\UserController; use App\Http\Controllers\Admin\ProgramController; use App\Http\Controllers\Admin\QrCodeController; use App\Http\Controllers\Admin\ParticipantController; @@ -83,6 +84,11 @@ Route::middleware(['auth', 'admin'])->prefix('admin')->name('admin.')->group(fun Route::post('/email-all', [AdminCertificateController::class, 'emailAll'])->name('email-all'); }); + // User Management (Super Admin only) + Route::middleware('super_admin')->group(function () { + Route::resource('users', UserController::class)->except(['show']); + }); + // Questionnaire Sets Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show'])->parameters(['questionnaires' => 'set']); Route::post('/questionnaires/{set}/publish', [QuestionnaireSetController::class, 'publish'])->name('questionnaires.publish'); diff --git a/tests/Feature/AuthTest.php b/tests/Feature/AuthTest.php index 26de24d..62d010d 100644 --- a/tests/Feature/AuthTest.php +++ b/tests/Feature/AuthTest.php @@ -27,12 +27,12 @@ class AuthTest extends TestCase $this->get('/admin/dashboard')->assertRedirect('/login'); } - public function test_non_admin_cannot_access_admin_routes(): void + public function test_admin_program_cannot_access_user_management(): void { - $user = User::factory()->nonAdmin()->create(); + $admin = User::factory()->adminProgram()->create(); - $this->actingAs($user) - ->get('/admin/dashboard') + $this->actingAs($admin) + ->get('/admin/users') ->assertForbidden(); }