Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update: 2026-05-06 17:10:14

Browse Source
This commit is contained in:
Hamza-Ayed
2026-05-06 17:10:14 +03:00
parent a9a2c65bee
commit 019bff7e37
16 changed files with 788 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
app/Middleware/CompanyAccessMiddleware.php Normal file
View File

@@ -0,0 +1,104 @@
<?php
/**
* Company Access Middleware
*
* Ensures that the current user has access to the requested company.
* - super_admin: access to ALL companies across ALL tenants
* - admin: access to ALL companies within their tenant
* - accountant: access ONLY to their assigned company (users.company_id)
* - viewer: access ONLY to their assigned company (read-only)
*
* Usage:
* $decoded = AuthMiddleware::check();
* CompanyAccessMiddleware::check($companyId, $decoded);
*/
declare(strict_types=1);
namespace App\Middleware;
use App\Core\Database;
final class CompanyAccessMiddleware
{
/**
* Check if the user can access the given company.
* Halts with 403 if access is denied.
*/
public static function check(string $companyId, array $decoded): void
{
$role = $decoded['role'] ?? '';
$tenantId = $decoded['tenant_id'] ?? '';
$userId = $decoded['user_id'] ?? '';
// super_admin can access everything
if ($role === 'super_admin') {
return;
}
$db = Database::getInstance();
// 1. Verify the company belongs to the user's tenant
$stmt = $db->prepare("SELECT id, tenant_id FROM companies WHERE id = ? LIMIT 1");
$stmt->execute([$companyId]);
$company = $stmt->fetch();
if (!$company) {
json_error('الشركة غير موجودة', 404);
}
if ($company['tenant_id'] !== $tenantId) {
// Company exists but belongs to a different tenant — treat as 404 (don't leak info)
json_error('الشركة غير موجودة', 404);
}
// 2. admin can access all companies in their tenant
if ($role === 'admin') {
return;
}
// 3. accountant / viewer — must be assigned to this specific company
$stmt = $db->prepare("SELECT company_id FROM users WHERE id = ? AND tenant_id = ? LIMIT 1");
$stmt->execute([$userId, $tenantId]);
$user = $stmt->fetch();
if (!$user || $user['company_id'] !== $companyId) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode([
'success' => false,
'message' => 'ليس لديك صلاحية للوصول إلى هذه الشركة',
'code' => 'COMPANY_ACCESS_DENIED',
], JSON_UNESCAPED_UNICODE);
exit;
}
}
/**
* Get the list of company IDs that the user can access.
* Useful for listing/filtering queries.
*/
public static function getAccessibleCompanyIds(array $decoded): ?array
{
$role = $decoded['role'] ?? '';
$tenantId = $decoded['tenant_id'] ?? '';
$userId = $decoded['user_id'] ?? '';
// super_admin & admin: null means "no filter" (access all)
if ($role === 'super_admin' || $role === 'admin') {
return null;
}
// accountant / viewer: only their assigned company
$db = Database::getInstance();
$stmt = $db->prepare("SELECT company_id FROM users WHERE id = ? AND tenant_id = ? LIMIT 1");
$stmt->execute([$userId, $tenantId]);
$user = $stmt->fetch();
if ($user && $user['company_id']) {
return [$user['company_id']];
}
return []; // No access to any company
}
}

97
app/Middleware/RoleMiddleware.php Normal file
View File

@@ -0,0 +1,97 @@
<?php
/**
* Role-Based Access Control (RBAC) Middleware
*
* Enforces role-based permissions on API endpoints.
* Must be called AFTER AuthMiddleware::check().
*
* Usage:
* RoleMiddleware::require(['admin', 'super_admin']);
* RoleMiddleware::requireAny(['admin', 'accountant', 'super_admin']);
* RoleMiddleware::denyRole('viewer');
*/
declare(strict_types=1);
namespace App\Middleware;
final class RoleMiddleware
{
/**
* Require the user to have ONE of the specified roles.
* Halts execution with 403 if the user doesn't have any of them.
*/
public static function require(array $allowedRoles, ?array $decoded = null): array
{
if (!$decoded) {
$decoded = AuthMiddleware::check();
}
$userRole = $decoded['role'] ?? '';
if (!in_array($userRole, $allowedRoles, true)) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode([
'success' => false,
'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
'code' => 'FORBIDDEN',
'required_roles' => $allowedRoles,
'your_role' => $userRole,
], JSON_UNESCAPED_UNICODE);
exit;
}
return $decoded;
}
/**
* Deny access to specific roles (blacklist approach).
*/
public static function deny(array $deniedRoles, ?array $decoded = null): array
{
if (!$decoded) {
$decoded = AuthMiddleware::check();
}
$userRole = $decoded['role'] ?? '';
if (in_array($userRole, $deniedRoles, true)) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode([
'success' => false,
'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
'code' => 'FORBIDDEN',
], JSON_UNESCAPED_UNICODE);
exit;
}
return $decoded;
}
/**
* Check if the current user is a super_admin.
*/
public static function isSuperAdmin(array $decoded): bool
{
return ($decoded['role'] ?? '') === 'super_admin';
}
/**
* Check if the current user is an admin or super_admin.
*/
public static function isAdmin(array $decoded): bool
{
return in_array($decoded['role'] ?? '', ['admin', 'super_admin'], true);
}
/**
* Check if the current user can write (create/update/delete).
* Viewers are read-only.
*/
public static function canWrite(array $decoded): bool
{
return in_array($decoded['role'] ?? '', ['super_admin', 'admin', 'accountant'], true);
}
}