1
0

fix: permission sync was deactivating core permissions, not just module-owned ones

deactivateOrphaned() treated ALL is_system=1 permissions as module-owned.
Core seed permissions (users.view, tenants.view, etc.) are also is_system=1,
so they were incorrectly deactivated — breaking admin panel access.

Fix: scan all module manifests on disk (enabled or not) to build the set of
module-owned permission keys. Only deactivate permissions whose key appears
in that set. Core seed permissions are never touched.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-03-19 19:32:36 +01:00
parent e40cba23a1
commit 8cd21f3c8a
3 changed files with 151 additions and 66 deletions

View File

@@ -11,7 +11,8 @@ final class ModulePermissionSynchronizer
{
public function __construct(
private readonly ModuleRegistry $moduleRegistry,
private readonly PermissionRepositoryInterface $permissionRepository
private readonly PermissionRepositoryInterface $permissionRepository,
private readonly string $modulesDir = ''
) {
}
@@ -78,15 +79,23 @@ final class ModulePermissionSynchronizer
}
/**
* Deactivate system permissions that no active module claims.
* Deactivate module-owned permissions that no active module claims.
*
* Only touches is_system=1 rows (module-owned). Admin-created permissions
* (is_system=0) are never modified. Setting active=0 is reversible — if the
* module is re-enabled, the next sync will set active=1 again.
* Only touches permissions whose key is declared in at least one module
* manifest on disk (enabled or not). Core seed permissions are never touched.
* Setting active=0 is reversible — re-enabling the module and running sync
* restores active=1.
*/
private function deactivateOrphaned(): int
{
$activeKeys = $this->moduleRegistry->getPermissionKeys();
$allModuleKeys = $this->collectAllModulePermissionKeys();
// Nothing to deactivate if we can't determine module-owned keys
if ($allModuleKeys === []) {
return 0;
}
$systemPermissions = $this->permissionRepository->listSystem();
$deactivated = 0;
@@ -109,7 +118,12 @@ final class ModulePermissionSynchronizer
continue;
}
// Orphaned: system permission not claimed by any active module → deactivate
// Not a module-owned permission — never touch core seed permissions
if (!in_array($key, $allModuleKeys, true)) {
continue;
}
// Orphaned module permission: declared by a module on disk but not by any active module
$this->permissionRepository->update($id, [
'key' => $key,
'description' => (string) $permission['description'],
@@ -122,6 +136,62 @@ final class ModulePermissionSynchronizer
return $deactivated;
}
/**
* Scan all module manifests on disk (not just enabled) and collect their permission keys.
* This determines which permissions are module-owned vs core seed data.
*
* @return list<string>
*/
private function collectAllModulePermissionKeys(): array
{
if ($this->modulesDir === '' || !is_dir($this->modulesDir)) {
return [];
}
$keys = [];
$entries = scandir($this->modulesDir);
if ($entries === false) {
return [];
}
foreach ($entries as $entry) {
if ($entry === '.' || $entry === '..') {
continue;
}
$manifestFile = $this->modulesDir . '/' . $entry . '/module.php';
if (!is_file($manifestFile)) {
continue;
}
try {
$raw = require $manifestFile;
if (!is_array($raw)) {
continue;
}
$permissions = $raw['permissions'] ?? [];
if (!is_array($permissions)) {
continue;
}
foreach ($permissions as $permission) {
if (is_array($permission)) {
$key = trim((string) ($permission['key'] ?? ''));
if ($key !== '') {
$keys[] = $key;
}
}
}
} catch (\Throwable) {
// Skip broken manifests — don't break the sync
continue;
}
}
return array_values(array_unique($keys));
}
/**
* @param array<string, mixed> $existing
* @param array<string, mixed> $desired