2026-03-04 15:56:58 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace MintyPHP\Service\Access;
|
|
|
|
|
|
|
|
|
|
final class UiCapabilityMap
|
|
|
|
|
{
|
|
|
|
|
/**
|
feat: extend module platform with UI slots, runtime components, CLI tooling and {{userId}} search support
Completes the generic module platform that enables modules to contribute
UI elements, runtime JS components, and search resources without any
core hardcoding.
New generic UI slot types:
- topbar.right_item: module-contributed topbar buttons
- layout.body_end_template: module-contributed dialog/overlay templates
- layout.head_style: module-contributed global CSS
- runtime.component: declarative JS component registration with phase ordering
New infrastructure:
- ModuleAutoloader: PSR-4 autoloading for module-local PHP classes
- ModuleRuntimePageBuilder: symlinks module pages into runtime directory
- ModuleRuntimeAssetPublisher: publishes module CSS/JS to web/modules/
- ModulePermissionSynchronizer: syncs module permissions to DB
- CLI scripts: module-runtime-sync, module-build, module-migrate,
module-permissions-sync, module-assets-sync
- {{userId}} placeholder in SearchDataService for user-scoped search queries
- Component runtime with phased initialization (early/default/late)
- AppContainer.protectExistingBindings() to prevent module→core overwrites
- Architecture tests: ModuleStructureContractTest, CoreTemplateIsolationTest,
FrontendComponentRuntimeContractTest, AppContainerIsolationContractTest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:19:56 +01:00
|
|
|
* Core layout capabilities — admin panel visibility checks.
|
|
|
|
|
*
|
2026-03-19 08:26:45 +01:00
|
|
|
* Module abilities are collected from UI slot 'permission' fields and
|
|
|
|
|
* merged dynamically in UiAccessService::layoutCapabilities().
|
feat: extend module platform with UI slots, runtime components, CLI tooling and {{userId}} search support
Completes the generic module platform that enables modules to contribute
UI elements, runtime JS components, and search resources without any
core hardcoding.
New generic UI slot types:
- topbar.right_item: module-contributed topbar buttons
- layout.body_end_template: module-contributed dialog/overlay templates
- layout.head_style: module-contributed global CSS
- runtime.component: declarative JS component registration with phase ordering
New infrastructure:
- ModuleAutoloader: PSR-4 autoloading for module-local PHP classes
- ModuleRuntimePageBuilder: symlinks module pages into runtime directory
- ModuleRuntimeAssetPublisher: publishes module CSS/JS to web/modules/
- ModulePermissionSynchronizer: syncs module permissions to DB
- CLI scripts: module-runtime-sync, module-build, module-migrate,
module-permissions-sync, module-assets-sync
- {{userId}} placeholder in SearchDataService for user-scoped search queries
- Component runtime with phased initialization (early/default/late)
- AppContainer.protectExistingBindings() to prevent module→core overwrites
- Architecture tests: ModuleStructureContractTest, CoreTemplateIsolationTest,
FrontendComponentRuntimeContractTest, AppContainerIsolationContractTest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:19:56 +01:00
|
|
|
*
|
2026-03-04 15:56:58 +01:00
|
|
|
* @var array<string, string>
|
|
|
|
|
*/
|
|
|
|
|
public const LAYOUT = [
|
|
|
|
|
'can_view_tenants' => TenantAuthorizationPolicy::ABILITY_ADMIN_TENANTS_VIEW,
|
|
|
|
|
'can_view_departments' => DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW,
|
|
|
|
|
'can_view_users' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_VIEW,
|
|
|
|
|
'can_view_roles' => RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW,
|
|
|
|
|
'can_view_permissions' => PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW,
|
|
|
|
|
'can_view_settings' => SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW,
|
|
|
|
|
'can_view_imports' => OperationsAuthorizationPolicy::ABILITY_ADMIN_IMPORTS_VIEW,
|
|
|
|
|
'can_view_jobs' => OperationsAuthorizationPolicy::ABILITY_ADMIN_JOBS_VIEW,
|
|
|
|
|
'can_view_docs' => OperationsAuthorizationPolicy::ABILITY_ADMIN_DOCS_VIEW,
|
|
|
|
|
'can_view_mail_log' => OperationsAuthorizationPolicy::ABILITY_ADMIN_MAIL_LOG_VIEW,
|
|
|
|
|
'can_view_stats' => OperationsAuthorizationPolicy::ABILITY_ADMIN_STATS_VIEW,
|
feat: add read-only System Info admin page with health checks and module inventory
New page at /admin/system-info with three tabs:
- Overview: PHP version, SAPI, environment, 6 health checks (DB, schema,
storage, RBAC baseline, admin role, scheduler heartbeat)
- Modules: table of active modules with version, dependencies, permission count
- Permissions: active/inactive counts and per-source breakdown
Gated behind new system_info.view permission assigned to Admin role.
No mutations — purely diagnostic/observability.
Includes SystemHealthService, SystemInfoService, SystemHealthRepository
with interface, DI registration, i18n keys (de+en), idempotent DB update
script, and 17 new PHPUnit tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 15:08:02 +01:00
|
|
|
'can_view_system_info' => OperationsAuthorizationPolicy::ABILITY_ADMIN_SYSTEM_INFO_VIEW,
|
2026-03-04 15:56:58 +01:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var array<string, string>
|
|
|
|
|
*/
|
|
|
|
|
public const PAGE_USERS_INDEX = [
|
|
|
|
|
'can_create_user' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_CREATE,
|
|
|
|
|
'can_update_users' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_ACTIVATE,
|
|
|
|
|
'can_delete_users' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_DELETE,
|
|
|
|
|
'can_access_pdf' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_ACCESS_PDF,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var array<string, string>
|
|
|
|
|
*/
|
|
|
|
|
public const PAGE_USERS_CREATE = [
|
|
|
|
|
'can_manage_assignments' => OperationsAuthorizationPolicy::ABILITY_ADMIN_USERS_ASSIGNMENTS_MANAGE,
|
|
|
|
|
'can_edit_custom_field_values' => OperationsAuthorizationPolicy::ABILITY_ADMIN_USERS_CREATE_EDIT_CUSTOM_FIELDS,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var array<string, string>
|
|
|
|
|
*/
|
|
|
|
|
public const PAGE_STATS_INDEX = [
|
|
|
|
|
'can_view_mail_log' => OperationsAuthorizationPolicy::ABILITY_ADMIN_MAIL_LOG_VIEW,
|
|
|
|
|
'can_view_users' => UserAuthorizationPolicy::ABILITY_ADMIN_USERS_VIEW,
|
|
|
|
|
'can_view_tenants' => TenantAuthorizationPolicy::ABILITY_ADMIN_TENANTS_VIEW,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var array<string, string>
|
|
|
|
|
*/
|
refactor(audit): extract audit domain into self-contained module
Move the entire audit subsystem (system audit, API audit, import audit,
user lifecycle audit, frontend telemetry) from core into modules/audit/.
Core decoupling via interface-based injection:
- AuditRecorderInterface replaces SystemAuditService in 10+ core services
- UserLifecycleAuditInterface / ImportAuditInterface for specialized flows
- NullAuditRecorder fallback when audit module is disabled
- ApiBootstrap/ApiResponse use null-safe callable resolvers
Module structure (modules/audit/):
- Manifest with routes, permissions, scheduler jobs, authorization policy
- 9 services, 8 repositories, 6 domain enums, 4 job handlers
- 33 page files, 4 JS files, 8 test files, migration scripts, i18n
Core cleanup:
- OperationsAuthorizationPolicy, UiCapabilityMap, PermissionService
surgically cleaned of audit-specific constants
- Sidebar template cleared of hardcoded audit navigation
- AuditModuleIsolationContractTest ensures no future core→module coupling
All quality gates pass: 1346 tests (19,276 assertions), PHPStan level 5
clean, architecture contracts verified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 21:12:49 +01:00
|
|
|
public const PAGE_JOBS_PURGE = [
|
2026-03-04 15:56:58 +01:00
|
|
|
'can_purge' => SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
}
|