Fixed Login for Superuser
@@ -3,6 +3,7 @@
|
||||
namespace App\Providers;
|
||||
|
||||
use App\Enumerations\UserRole;
|
||||
use App\Models\User;
|
||||
|
||||
class AuthCheckProvider {
|
||||
public function checkLoggedIn() : bool {
|
||||
@@ -16,7 +17,7 @@ class AuthCheckProvider {
|
||||
return $user->active;
|
||||
}
|
||||
|
||||
if ($user->user_role_main === UserRole::USER_ROLE_ADMIN) {
|
||||
if ($this->isMainAdministrator($user)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -28,10 +29,39 @@ class AuthCheckProvider {
|
||||
return null;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
|
||||
if (app('tenant')->slug === 'lv') {
|
||||
return auth()->user()->user_role_main;
|
||||
return $user->user_role_main;
|
||||
}
|
||||
|
||||
return auth()->user()->user_role_local_group;
|
||||
// "Bundesrecht steht über Landesrecht":
|
||||
// Ein ROLE_ADMINISTRATOR auf LV-Ebene ist auf jedem Sub-Tenant automatisch Administrator,
|
||||
// unabhängig von user_role_local_group.
|
||||
if ($this->isMainAdministrator($user)) {
|
||||
return UserRole::USER_ROLE_ADMIN;
|
||||
}
|
||||
|
||||
return $user->user_role_local_group;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gibt true zurück, wenn der Nutzer auf LV-Ebene Administrator ist.
|
||||
* Diese Rolle hebt das lokale Rechtesystem für alle Sub-Tenants auf.
|
||||
*/
|
||||
public function isMainAdministrator(?User $user = null) : bool {
|
||||
$user ??= auth()->user();
|
||||
|
||||
return $user !== null
|
||||
&& $user->user_role_main === UserRole::USER_ROLE_ADMIN;
|
||||
}
|
||||
|
||||
/**
|
||||
* Bequemer Helper für die Berechtigungs-Checks im gesamten System.
|
||||
* Gibt true zurück, wenn der aktuell eingeloggte Nutzer im Kontext des
|
||||
* aktuellen Tenants effektiv Administrator ist.
|
||||
*/
|
||||
public function isAdministrator() : bool {
|
||||
return $this->getUserRole() === UserRole::USER_ROLE_ADMIN;
|
||||
}
|
||||
}
|
||||
|
||||
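Review bot: In `checkLoggedIn()` the `isMainAdministrator($user)` branch answers `return true;`, while the branch just above it answers `return $user->active;`, so in the visible lines an LV administrator counts as logged in regardless of `active`. `isMainAdministrator()` compares only `user_role_main`, and `getUserRole()` now maps that to `UserRole::USER_ROLE_ADMIN` on every sub-tenant. Unless a check outside this hunk rejects inactive users, a deactivated LV admin whose session is still valid would keep administrator rights everywhere. Consider `return $user->active;` in that branch, or adding `&& $user->active` to the expression in `isMainAdministrator()`. The body of `checkLoggedIn()` starts and continues outside the hunks shown.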
@@ -116,9 +116,11 @@ class GlobalDataProvider {
|
||||
$navigation['personal'][] = ['url' => '/personal-data', 'display' => 'Meine Daten'];
|
||||
$navigation['personal'][] = ['url' => '/messages', 'display' => 'Meine Nachrichten'];
|
||||
|
||||
$authCheck = new AuthCheckProvider();
|
||||
$effectiveRole = $authCheck->getUserRole();
|
||||
|
||||
if (
|
||||
in_array($this->user->user_role_local_group, [UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER] ) ||
|
||||
$this->user->user_role_main === UserRole::USER_ROLE_ADMIN
|
||||
in_array($effectiveRole, [UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER], true)
|
||||
) {
|
||||
$navigation['costunits'][] = ['url' => '/cost-unit/list', 'display' => 'Kostenstellen'];
|
||||
$navigation['costunits'][] = ['url' => '/cost-unit/create', 'display' => 'Neue laufende Tätigkeit'];
|
||||
|
||||
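Review bot: The cost-unit menu condition now takes its role from `getUserRole()`, which reads `auth()->user()`, whereas the replaced condition read `$this->user`; if those two can ever be different objects, the menu is built for the wrong account, so a comment such as `// $this->user is always auth()->user() here` (or deriving the role from `$this->user`) would settle it. On the `lv` tenant `getUserRole()` returns only `user_role_main`, so a user whose `user_role_local_group` is admin or group leader no longer gets these entries there, which the old condition allowed; please confirm that is intended. This condition only controls what is displayed, and the matching server-side check on the `/cost-unit/...` routes is not visible in this hunk. The enclosing method starts and ends outside the hunk.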
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Providers;
|
||||
|
||||
use App\Enumerations\UserRole;
|
||||
use Illuminate\Auth\EloquentUserProvider;
|
||||
|
||||
class TenantUserProvider extends EloquentUserProvider
|
||||
@@ -18,15 +19,20 @@ class TenantUserProvider extends EloquentUserProvider
|
||||
}
|
||||
}
|
||||
|
||||
// Auf "lv" gilt grundsätzlich keine local_group-Einschränkung.
|
||||
if (app('tenant')->slug === 'lv') {
|
||||
return $query->first();
|
||||
}
|
||||
|
||||
$query->where([
|
||||
'local_group' => app('tenant')->slug,
|
||||
'active' => true
|
||||
|
||||
]);
|
||||
// Auf Sub-Tenants:
|
||||
// - Entweder gehört der Nutzer zum aktuellen Tenant (local_group)
|
||||
// - ODER er ist auf LV-Ebene Administrator
|
||||
// -> "Bundesrecht steht über Landesrecht": Login überall möglich.
|
||||
$query->where('active', true)
|
||||
->where(function ($q) {
|
||||
$q->where('local_group', app('tenant')->slug)
|
||||
->orWhere('user_role_main', UserRole::USER_ROLE_ADMIN);
|
||||
});
|
||||
|
||||
return $query->first();
|
||||
}
|
||||
|
||||
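Review bot: The `orWhere('user_role_main', UserRole::USER_ROLE_ADMIN)` branch lets `first()` pick among rows from other tenants with no ordering. If the login identifier is not unique across `local_group` values (the start of the query is outside this hunk), it is undefined whether the tenant-local account or an LV admin account is returned. State the assumption next to the closure, e.g. `// assumes the login identifier is unique across all tenants`, or order the result so the tenant-local row wins. The `lv` branch returns `$query->first()` before `where('active', true)` is applied, so in the visible lines inactive accounts are not filtered on that tenant. Because `user_role_main` now decides login on every sub-tenant, it is worth verifying that the column is not mass-assignable and that changes to it are logged.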