Update: 2026-05-06 17:10:14

2026-05-06 17:10:14 +03:00
parent a9a2c65bee
commit 019bff7e37
16 changed files with 788 additions and 68 deletions
--- a/app/Middleware/RoleMiddleware.php
+++ b/app/Middleware/RoleMiddleware.php
@@ -0,0 +1,97 @@
+<?php
+/**
+ * Role-Based Access Control (RBAC) Middleware
+ * 
+ * Enforces role-based permissions on API endpoints.
+ * Must be called AFTER AuthMiddleware::check().
+ * 
+ * Usage:
+ *   RoleMiddleware::require(['admin', 'super_admin']);
+ *   RoleMiddleware::requireAny(['admin', 'accountant', 'super_admin']);
+ *   RoleMiddleware::denyRole('viewer');
+ */
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+final class RoleMiddleware
+{
+    /**
+     * Require the user to have ONE of the specified roles.
+     * Halts execution with 403 if the user doesn't have any of them.
+     */
+    public static function require(array $allowedRoles, ?array $decoded = null): array
+    {
+        if (!$decoded) {
+            $decoded = AuthMiddleware::check();
+        }
+
+        $userRole = $decoded['role'] ?? '';
+
+        if (!in_array($userRole, $allowedRoles, true)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode([
+                'success' => false,
+                'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
+                'code'    => 'FORBIDDEN',
+                'required_roles' => $allowedRoles,
+                'your_role'      => $userRole,
+            ], JSON_UNESCAPED_UNICODE);
+            exit;
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Deny access to specific roles (blacklist approach).
+     */
+    public static function deny(array $deniedRoles, ?array $decoded = null): array
+    {
+        if (!$decoded) {
+            $decoded = AuthMiddleware::check();
+        }
+
+        $userRole = $decoded['role'] ?? '';
+
+        if (in_array($userRole, $deniedRoles, true)) {
+            http_response_code(403);
+            header('Content-Type: application/json');
+            echo json_encode([
+                'success' => false,
+                'message' => 'ليس لديك صلاحية للوصول إلى هذا المورد',
+                'code'    => 'FORBIDDEN',
+            ], JSON_UNESCAPED_UNICODE);
+            exit;
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Check if the current user is a super_admin.
+     */
+    public static function isSuperAdmin(array $decoded): bool
+    {
+        return ($decoded['role'] ?? '') === 'super_admin';
+    }
+
+    /**
+     * Check if the current user is an admin or super_admin.
+     */
+    public static function isAdmin(array $decoded): bool
+    {
+        return in_array($decoded['role'] ?? '', ['admin', 'super_admin'], true);
+    }
+
+    /**
+     * Check if the current user can write (create/update/delete).
+     * Viewers are read-only.
+     */
+    public static function canWrite(array $decoded): bool
+    {
+        return in_array($decoded['role'] ?? '', ['super_admin', 'admin', 'accountant'], true);
+    }
+}