feat: two-role system — super_admin & admin program (Fasa 12)
- Replace is_admin boolean with role enum('super_admin','admin') via migration
- ProgramPolicy: admin program can only view/edit/delete own programs
- EnsureIsAdmin: accepts both roles; EnsureSuperAdmin: super_admin only
- UserController + views: super_admin can manage admin accounts
- Sidebar: user management link & role badge gated on isSuperAdmin()
- Fix Controller base class: add AuthorizesRequests trait
- Fix tests: replace nonAdmin() (invalid enum) with adminProgram() against super_admin-only route
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Saufi
@@ -19,6 +19,11 @@ class ProgramController extends Controller
|
||||
->withCount(['attendances', 'programParticipants'])
|
||||
->latest();
|
||||
|
||||
// Admin program hanya nampak program sendiri
|
||||
if (auth()->user()->isAdminProgram()) {
|
||||
$query->where('created_by', auth()->id());
|
||||
}
|
||||
|
||||
if ($request->filled('search')) {
|
||||
$query->where(function ($q) use ($request) {
|
||||
$q->where('title', 'like', '%' . $request->search . '%')
|
||||
@@ -57,6 +62,8 @@ class ProgramController extends Controller
|
||||
|
||||
public function show(Program $program): View
|
||||
{
|
||||
$this->authorize('view', $program);
|
||||
|
||||
$program->load([
|
||||
'qrCode',
|
||||
'certificateTemplate',
|
||||
@@ -77,11 +84,15 @@ class ProgramController extends Controller
|
||||
|
||||
public function edit(Program $program): View
|
||||
{
|
||||
$this->authorize('update', $program);
|
||||
|
||||
return view('admin.programs.edit', compact('program'));
|
||||
}
|
||||
|
||||
public function update(UpdateProgramRequest $request, Program $program): RedirectResponse
|
||||
{
|
||||
$this->authorize('update', $program);
|
||||
|
||||
$old = $program->only([
|
||||
'title', 'status', 'checkin_start_at', 'checkin_end_at',
|
||||
'ecert_download_start_at', 'ecert_download_end_at',
|
||||
@@ -98,6 +109,8 @@ class ProgramController extends Controller
|
||||
|
||||
public function destroy(Program $program): RedirectResponse
|
||||
{
|
||||
$this->authorize('delete', $program);
|
||||
|
||||
if ($program->attendances()->exists()) {
|
||||
return back()->with('error', 'Program tidak boleh dipadam kerana sudah ada rekod kehadiran.');
|
||||
}
|
||||
@@ -113,6 +126,8 @@ class ProgramController extends Controller
|
||||
|
||||
public function publish(Program $program): RedirectResponse
|
||||
{
|
||||
$this->authorize('update', $program);
|
||||
|
||||
if ($program->status !== 'draft') {
|
||||
return back()->with('error', 'Hanya program berstatus Draf boleh diterbitkan.');
|
||||
}
|
||||
@@ -125,6 +140,8 @@ class ProgramController extends Controller
|
||||
|
||||
public function close(Program $program): RedirectResponse
|
||||
{
|
||||
$this->authorize('update', $program);
|
||||
|
||||
if ($program->status !== 'published') {
|
||||
return back()->with('error', 'Hanya program berstatus Diterbitkan boleh ditutup.');
|
||||
}
|
||||
|
||||
89
app/Http/Controllers/Admin/UserController.php
Normal file
89
app/Http/Controllers/Admin/UserController.php
Normal file
@@ -0,0 +1,89 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Admin;
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Models\User;
|
||||
use App\Services\AuditLogService;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\Rules\Password;
|
||||
use Illuminate\View\View;
|
||||
|
||||
class UserController extends Controller
|
||||
{
|
||||
public function index(): View
|
||||
{
|
||||
$users = User::withCount('programs')->latest()->paginate(20);
|
||||
|
||||
return view('admin.users.index', compact('users'));
|
||||
}
|
||||
|
||||
public function create(): View
|
||||
{
|
||||
return view('admin.users.create');
|
||||
}
|
||||
|
||||
public function store(Request $request): RedirectResponse
|
||||
{
|
||||
$data = $request->validate([
|
||||
'name' => 'required|string|max:255',
|
||||
'email' => 'required|email|max:255|unique:users,email',
|
||||
'role' => 'required|in:super_admin,admin',
|
||||
'password' => ['required', 'confirmed', Password::min(8)->mixedCase()->numbers()],
|
||||
]);
|
||||
|
||||
$user = User::create($data);
|
||||
|
||||
AuditLogService::log('user.created', $user, [], ['email' => $user->email, 'role' => $user->role]);
|
||||
|
||||
return redirect()->route('admin.users.index')
|
||||
->with('success', 'Pengguna "' . $user->name . '" berjaya ditambah.');
|
||||
}
|
||||
|
||||
public function edit(User $user): View
|
||||
{
|
||||
return view('admin.users.edit', compact('user'));
|
||||
}
|
||||
|
||||
public function update(Request $request, User $user): RedirectResponse
|
||||
{
|
||||
$rules = [
|
||||
'name' => 'required|string|max:255',
|
||||
'email' => 'required|email|max:255|unique:users,email,' . $user->id,
|
||||
'role' => 'required|in:super_admin,admin',
|
||||
];
|
||||
|
||||
if ($request->filled('password')) {
|
||||
$rules['password'] = ['confirmed', Password::min(8)->mixedCase()->numbers()];
|
||||
}
|
||||
|
||||
$data = $request->validate($rules);
|
||||
|
||||
if (! $request->filled('password')) {
|
||||
unset($data['password']);
|
||||
}
|
||||
|
||||
$old = $user->only(['name', 'email', 'role']);
|
||||
$user->update($data);
|
||||
|
||||
AuditLogService::log('user.updated', $user, $old, $user->only(['name', 'email', 'role']));
|
||||
|
||||
return redirect()->route('admin.users.index')
|
||||
->with('success', 'Maklumat pengguna "' . $user->name . '" berjaya dikemas kini.');
|
||||
}
|
||||
|
||||
public function destroy(User $user): RedirectResponse
|
||||
{
|
||||
if ($user->id === auth()->id()) {
|
||||
return back()->with('error', 'Anda tidak boleh padam akaun sendiri.');
|
||||
}
|
||||
|
||||
$name = $user->name;
|
||||
AuditLogService::log('user.deleted', $user);
|
||||
$user->delete();
|
||||
|
||||
return redirect()->route('admin.users.index')
|
||||
->with('success', 'Pengguna "' . $name . '" berjaya dipadam.');
|
||||
}
|
||||
}
|
||||
@@ -2,7 +2,9 @@
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
|
||||
abstract class Controller
|
||||
{
|
||||
//
|
||||
use AuthorizesRequests;
|
||||
}
|
||||
|
||||
@@ -10,7 +10,9 @@ class EnsureIsAdmin
|
||||
{
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
if (! $request->user()?->is_admin) {
|
||||
$role = $request->user()?->role;
|
||||
|
||||
if (! in_array($role, ['super_admin', 'admin'])) {
|
||||
abort(403, 'Akses ditolak.');
|
||||
}
|
||||
|
||||
|
||||
19
app/Http/Middleware/EnsureSuperAdmin.php
Normal file
19
app/Http/Middleware/EnsureSuperAdmin.php
Normal file
@@ -0,0 +1,19 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class EnsureSuperAdmin
|
||||
{
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
if ($request->user()?->role !== 'super_admin') {
|
||||
abort(403, 'Hanya Super Admin boleh mengakses bahagian ini.');
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -12,7 +12,7 @@ class User extends Authenticatable
|
||||
/** @use HasFactory<UserFactory> */
|
||||
use HasFactory, Notifiable;
|
||||
|
||||
protected $fillable = ['name', 'email', 'password', 'is_admin'];
|
||||
protected $fillable = ['name', 'email', 'password', 'role'];
|
||||
protected $hidden = ['password', 'remember_token'];
|
||||
|
||||
protected function casts(): array
|
||||
@@ -20,10 +20,24 @@ class User extends Authenticatable
|
||||
return [
|
||||
'email_verified_at' => 'datetime',
|
||||
'password' => 'hashed',
|
||||
'is_admin' => 'boolean',
|
||||
];
|
||||
}
|
||||
|
||||
public function isSuperAdmin(): bool
|
||||
{
|
||||
return $this->role === 'super_admin';
|
||||
}
|
||||
|
||||
public function isAdminProgram(): bool
|
||||
{
|
||||
return $this->role === 'admin';
|
||||
}
|
||||
|
||||
public function canAccessProgram(Program $program): bool
|
||||
{
|
||||
return $this->isSuperAdmin() || $program->created_by === $this->id;
|
||||
}
|
||||
|
||||
public function programs()
|
||||
{
|
||||
return $this->hasMany(Program::class, 'created_by');
|
||||
|
||||
34
app/Policies/ProgramPolicy.php
Normal file
34
app/Policies/ProgramPolicy.php
Normal file
@@ -0,0 +1,34 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Program;
|
||||
use App\Models\User;
|
||||
|
||||
class ProgramPolicy
|
||||
{
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
return true; // Both roles can see programs list (scoped per controller)
|
||||
}
|
||||
|
||||
public function view(User $user, Program $program): bool
|
||||
{
|
||||
return $user->canAccessProgram($program);
|
||||
}
|
||||
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return true; // Both roles can create programs
|
||||
}
|
||||
|
||||
public function update(User $user, Program $program): bool
|
||||
{
|
||||
return $user->canAccessProgram($program);
|
||||
}
|
||||
|
||||
public function delete(User $user, Program $program): bool
|
||||
{
|
||||
return $user->canAccessProgram($program);
|
||||
}
|
||||
}
|
||||
@@ -2,9 +2,12 @@
|
||||
|
||||
namespace App\Providers;
|
||||
|
||||
use App\Models\Program;
|
||||
use App\Policies\ProgramPolicy;
|
||||
use Illuminate\Cache\RateLimiting\Limit;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Pagination\Paginator;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
use Illuminate\Support\Facades\RateLimiter;
|
||||
use Illuminate\Support\Facades\URL;
|
||||
use Illuminate\Support\ServiceProvider;
|
||||
@@ -15,6 +18,9 @@ class AppServiceProvider extends ServiceProvider
|
||||
|
||||
public function boot(): void
|
||||
{
|
||||
// Policies
|
||||
Gate::policy(Program::class, ProgramPolicy::class);
|
||||
|
||||
// Bootstrap pagination
|
||||
Paginator::useBootstrapFive();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user