security: expand and complete permissions matrix with granular, enterprise-ready permissions

2026-05-21 22:15:53 +07:00
parent 65804be1cb
commit 7965b34c85
44 changed files with 179 additions and 145 deletions
@@ -14,13 +14,37 @@ class RolesAndPermissionsSeeder extends Seeder
        app()[PermissionRegistrar::class]->forgetCachedPermissions();

        $permissions = [
+            // User Management
            'user.view',
            'user.create',
            'user.edit',
            'user.delete',
+            'user.restore',
+            'user.force-delete',
+            'user.export',
+            'user.import',
+
+            // Role Management
            'role.view',
+            'role.create',
+            'role.delete',
            'role.manage',
-            'settings.manage',
+
+            // Notification broadcast
+            'notifications.view',
+            'notifications.send',
+
+            // Activity Logs
+            'activity-logs.view',
+            'activity-logs.delete',
+
+            // System Settings
+            'settings.view',
+            'settings.edit',
+            'settings.test-email',
+
+            // Internal Documentation
+            'documentation.view',
        ];

        foreach ($permissions as $permission) {
@@ -28,22 +52,32 @@ class RolesAndPermissionsSeeder extends Seeder
            Permission::firstOrCreate(['name' => $permission, 'guard_name' => 'api']);
        }

-        // user — read-only access
+        // user — read-only basic access
        $user = Role::firstOrCreate(['name' => 'user', 'guard_name' => 'web']);
-        $user->syncPermissions(['user.view']);
+        $user->syncPermissions([
+            'user.view',
+        ]);

-        // admin — full user & role management, no system settings
+        // admin — full operational, governance, and reporting access, no raw system configuration
        $admin = Role::firstOrCreate(['name' => 'admin', 'guard_name' => 'web']);
        $admin->syncPermissions([
            'user.view',
            'user.create',
            'user.edit',
            'user.delete',
+            'user.restore',
+            'user.export',
+            'user.import',
            'role.view',
+            'role.create',
+            'role.delete',
            'role.manage',
+            'notifications.view',
+            'notifications.send',
+            'activity-logs.view',
        ]);

-        // super-admin — everything (Gate::before bypasses checks anyway)
+        // super-admin — absolute root access
        $superAdmin = Role::firstOrCreate(['name' => 'super-admin', 'guard_name' => 'web']);
        $superAdmin->syncPermissions(Permission::where('guard_name', 'web')->get());
    }