112 lines
4.0 KiB
PHP
112 lines
4.0 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Authz;
|
|
|
|
use App\Models\Members\User;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Cache;
|
|
use Carbon\Carbon;
|
|
|
|
final class AccessService
|
|
{
|
|
public static function allows(User $user, string $permission, int $tenantId, ?string $guardName = null): bool
|
|
{
|
|
$guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★ 기본 가드
|
|
$ver = Cache::get("access:version:$tenantId", 1); // ★ 버전 토큰
|
|
|
|
$key = "access:$tenantId:{$user->id}:$guard:$permission:v{$ver}"; // ★ 키 강화
|
|
return Cache::remember($key, now()->addSeconds(20), function () use ($user, $permission, $tenantId, $guard) {
|
|
|
|
// 1) 개인 DENY
|
|
if (self::hasUserOverride($user->id, $permission, $tenantId, false, $guard)) {
|
|
return false;
|
|
}
|
|
|
|
// 2) Spatie can (팀 컨텍스트는 미들웨어에서 이미 세팅됨)
|
|
if ($user->can($permission)) {
|
|
return true;
|
|
}
|
|
|
|
// 3) 부서 ALLOW
|
|
if (self::departmentAllows($user->id, $permission, $tenantId, $guard)) {
|
|
return true;
|
|
}
|
|
|
|
// 4) 개인 ALLOW
|
|
if (self::hasUserOverride($user->id, $permission, $tenantId, true, $guard)) {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
});
|
|
}
|
|
|
|
protected static function hasUserOverride(
|
|
int $userId,
|
|
string $permissionName,
|
|
int $tenantId,
|
|
bool $allow,
|
|
?string $guardName = null
|
|
): bool {
|
|
$now = now();
|
|
$guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★
|
|
|
|
$q = DB::table('user_permission_overrides as uo')
|
|
->join('permissions as p', 'p.id', '=', 'uo.permission_id')
|
|
->whereNull('uo.deleted_at')
|
|
->where('uo.user_id', $userId)
|
|
->where('uo.tenant_id', $tenantId)
|
|
->where('p.name', $permissionName)
|
|
->where('p.tenant_id', $tenantId) // ★ 테넌트 일치
|
|
->where('p.guard_name', $guard) // ★ 가드 일치
|
|
->where(function ($w) use ($now) {
|
|
$w->whereNull('uo.effective_from')->orWhere('uo.effective_from', '<=', $now);
|
|
})
|
|
->where(function ($w) use ($now) {
|
|
$w->whereNull('uo.effective_to')->orWhere('uo.effective_to', '>=', $now);
|
|
})
|
|
->where('uo.is_allowed', $allow ? 1 : 0);
|
|
|
|
return $q->exists();
|
|
}
|
|
|
|
protected static function departmentAllows(
|
|
int $userId,
|
|
string $permissionName,
|
|
int $tenantId,
|
|
?string $guardName = null
|
|
): bool {
|
|
$guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★
|
|
|
|
$q = DB::table('department_user as du')
|
|
->join('department_permissions as dp', function ($j) {
|
|
$j->on('dp.department_id', '=', 'du.department_id')
|
|
->whereNull('dp.deleted_at')
|
|
->where('dp.is_allowed', 1);
|
|
})
|
|
->join('permissions as p', 'p.id', '=', 'dp.permission_id')
|
|
->whereNull('du.deleted_at')
|
|
->where('du.user_id', $userId)
|
|
->where('du.tenant_id', $tenantId)
|
|
->where('dp.tenant_id', $tenantId)
|
|
->where('p.tenant_id', $tenantId) // ★ 테넌트 일치
|
|
->where('p.guard_name', $guard) // ★ 가드 일치
|
|
->where('p.name', $permissionName);
|
|
|
|
return $q->exists();
|
|
}
|
|
|
|
public static function allowsOrAbort(User $user, string $permission, int $tenantId, ?string $guardName = null): void
|
|
{
|
|
if (! self::allows($user, $permission, $tenantId, $guardName)) {
|
|
abort(403, 'Forbidden');
|
|
}
|
|
}
|
|
|
|
// (선택) 권한 변경 시 호출해 캐시 무효화
|
|
public static function bumpVersion(int $tenantId): void
|
|
{
|
|
Cache::increment("access:version:$tenantId");
|
|
}
|
|
}
|