1
0

refactor(settings): split security into 4 focused tiles

Extracts user-lifecycle, audit and telemetry from the security subpage
into their own tiles, and renames the slimmed-down security subpage to
account-access for a clearer scope. Each subpage now has at most three
detail cards instead of the eight previously crowded into security.

Hub gains four tiles, sub-action redirects (expire-remember-tokens,
run-user-lifecycle) move to their new sections, architecture tests track
the new section list and i18n adds the new labels in de + en.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-25 08:50:05 +02:00
parent dd5c305f7e
commit c14d42f198
18 changed files with 846 additions and 376 deletions

View File

@@ -33,6 +33,8 @@
"Access emails sent to %d users, %f failed": "Zugangsdaten an %d Benutzer gesendet, %f fehlgeschlagen",
"Access PDF": "Zugangs-PDF",
"Account": "Konto",
"Account access": "Kontozugang",
"Account access settings": "Kontozugang-Einstellungen",
"Account is inactive": "Konto ist deaktiviert",
"Action": "Aktion",
"Actions": "Aktionen",
@@ -133,6 +135,8 @@
"Attempts": "Versuche",
"Attribute mapping and sync": "Attributzuordnung und Synchronisierung",
"Audit": "Audit",
"Audit log": "Audit-Log",
"Audit log settings": "Audit-Log-Einstellungen",
"Authority endpoint": "Authority-Endpunkt",
"Authority URL": "Authority-URL",
"Auto-delete is ignored while auto-deactivate is disabled": "Auto-Löschung wird ignoriert, solange Auto-Deaktivierung deaktiviert ist",
@@ -450,6 +454,7 @@
"Fri": "Fr",
"Frontend": "Frontend",
"Frontend telemetry": "Frontend-Telemetrie",
"Frontend telemetry collection and event allowlist": "Frontend-Telemetrie-Erfassung und Event-Allowlist",
"General": "Allgemein",
"General settings": "Allgemeine Einstellungen",
"Generate access PDFs for selected users?": "Zugangs-PDFs für ausgewählte Benutzer erstellen?",
@@ -502,6 +507,7 @@
"Inactive tenants": "Inaktive Mandanten",
"Inactive tenants are excluded from user access and tenant-scoped data.": "Inaktive Mandanten werden vom Benutzerzugriff und mandantenspezifischen Daten ausgeschlossen.",
"Inactive users": "Inaktive Benutzer",
"Inactivity deactivation and deletion policy": "Richtlinie für Inaktivitäts-Deaktivierung und Löschung",
"Incomplete": "Unvollständig",
"Inherit global default": "Globalen Standard verwenden",
"Internal Server Error": "Interner Serverfehler",
@@ -865,6 +871,7 @@
"Registration controls whether new users can create an account.": "Hier wird gesteuert, ob neue Benutzer ein Konto erstellen dürfen.",
"Registration is currently disabled": "Registrierung ist derzeit deaktiviert.",
"Registration successful! Please check your email for the verification code.": "Registrierung erfolgreich! Bitte prüfe deine E-Mails für den Bestätigungscode.",
"Registration, sessions, login persistence": "Registrierung, Sitzungen, Login-Persistenz",
"Remember login after Microsoft sign-in": "Angemeldet bleiben nach Microsoft-Login",
"Remember me": "Angemeldet bleiben",
"Remember token lifetime (days)": "Token-Lebensdauer Angemeldet-bleiben (Tage)",
@@ -934,6 +941,7 @@
"Rows total": "Zeilen gesamt",
"Rules": "Regeln",
"Run history": "Laufhistorie",
"Run lifecycle now": "Lebenszyklus jetzt ausführen",
"Run now": "Jetzt ausführen",
"Run preview": "Vorschau ausführen",
"Run user lifecycle now": "Benutzer-Lifecycle jetzt ausführen",
@@ -1138,6 +1146,7 @@
"System audit controls whether security events are logged and how long they are kept.": "Hier wird gesteuert, ob Sicherheitsereignisse protokolliert werden und wie lange sie aufbewahrt werden.",
"System audit entry not found": "System-Protokoll-Eintrag nicht gefunden",
"System audit events (24h)": "System-Protokoll-Ereignisse (24h)",
"System audit log enable and retention": "System-Audit-Log aktivieren und Aufbewahrung",
"System audit logs": "System-Protokolle",
"System audit risks (24h)": "System-Protokoll-Risiken (24h)",
"System Info": "Systeminfo",
@@ -1153,7 +1162,9 @@
"Target type": "Zieltyp",
"Target UUID": "Ziel-UUID",
"Tax number": "Steuernummer",
"Telemetry": "Telemetrie",
"Telemetry helps detect recurring UI issues and failed requests in production.": "Telemetry hilft, wiederkehrende UI-Probleme und fehlgeschlagene Requests in Produktion zu erkennen.",
"Telemetry settings": "Telemetrie-Einstellungen",
"Template": "Vorlage",
"Tenant": "Mandant",
"Tenant #%d": "Mandant #%d",
@@ -1196,6 +1207,7 @@
"These limits define default and maximum lifetimes for newly issued API tokens.": "Diese Grenzwerte definieren Standard- und Maximallaufzeit für neu ausgestellte API-Tokens.",
"This action cannot be undone.": "Diese Aktion kann nicht rückgängig gemacht werden.",
"This action revokes all active API tokens immediately across all users.": "Diese Aktion widerruft sofort alle aktiven API-Tokens über alle Benutzer hinweg.",
"This runs the lifecycle policy immediately and may deactivate or delete users.": "Dies führt die Lebenszyklus-Richtlinie sofort aus und kann Benutzer deaktivieren oder löschen.",
"This scheduled job is no longer registered and cannot be edited. It has been superseded by a newer version.": "Diese geplante Aufgabe ist nicht mehr registriert und kann nicht bearbeitet werden. Sie wurde durch eine neuere Version ersetzt.",
"This setting controls the application name shown across the UI.": "Diese Einstellung steuert den in der gesamten UI angezeigten Anwendungsnamen.",
"This setting controls the default language for users without a personal preference.": "Diese Einstellung steuert die Standardsprache für Benutzer ohne persönliche Präferenz.",
@@ -1277,12 +1289,14 @@
"User ID": "Benutzer-ID",
"User inactivity deactivation period is invalid": "Zeitraum für automatische Deaktivierung ist ungültig",
"User inactivity deletion period is invalid": "Zeitraum für automatische Löschung ist ungültig",
"User lifecycle": "Benutzer-Lebenszyklus",
"User lifecycle already running": "Benutzer-Lifecycle läuft bereits",
"User lifecycle completed: %d deactivated, %d deleted": "Benutzer-Lifecycle abgeschlossen: %d deaktiviert, %d gelöscht",
"User lifecycle defines when inactive users are deactivated or deleted.": "Hier wird festgelegt, wann inaktive Benutzer deaktiviert oder gelöscht werden.",
"User lifecycle failed": "Benutzer-Lifecycle fehlgeschlagen",
"User lifecycle logs": "Benutzer-Lifecycle-Protokolle",
"User lifecycle policy": "Benutzer-Lifecycle-Regel",
"User lifecycle settings": "Benutzer-Lebenszyklus-Einstellungen",
"User not found": "Benutzer nicht gefunden",
"User override disabled": "Benutzer-Override deaktiviert",
"User override enabled": "Benutzer-Override aktiviert",

View File

@@ -33,6 +33,8 @@
"Access emails sent to %d users, %f failed": "Access emails sent to %d users, %f failed",
"Access PDF": "Access PDF",
"Account": "Account",
"Account access": "Account access",
"Account access settings": "Account access settings",
"Account is inactive": "Account is inactive",
"Action": "Action",
"Actions": "Actions",
@@ -133,6 +135,8 @@
"Attempts": "Attempts",
"Attribute mapping and sync": "Attribute mapping and sync",
"Audit": "Audit",
"Audit log": "Audit log",
"Audit log settings": "Audit log settings",
"Authority endpoint": "Authority endpoint",
"Authority URL": "Authority URL",
"Auto-delete is ignored while auto-deactivate is disabled": "Auto-delete is ignored while auto-deactivate is disabled",
@@ -450,6 +454,7 @@
"Fri": "Fri",
"Frontend": "Frontend",
"Frontend telemetry": "Frontend telemetry",
"Frontend telemetry collection and event allowlist": "Frontend telemetry collection and event allowlist",
"General": "General",
"General settings": "General settings",
"Generate access PDFs for selected users?": "Generate access PDFs for selected users?",
@@ -502,6 +507,7 @@
"Inactive tenants": "Inactive tenants",
"Inactive tenants are excluded from user access and tenant-scoped data.": "Inactive tenants are excluded from user access and tenant-scoped data.",
"Inactive users": "Inactive users",
"Inactivity deactivation and deletion policy": "Inactivity deactivation and deletion policy",
"Incomplete": "Incomplete",
"Inherit global default": "Inherit global default",
"Internal Server Error": "Internal Server Error",
@@ -865,6 +871,7 @@
"Registration controls whether new users can create an account.": "Registration controls whether new users can create an account.",
"Registration is currently disabled": "Registration is currently disabled.",
"Registration successful! Please check your email for the verification code.": "Registration successful! Please check your email for the verification code.",
"Registration, sessions, login persistence": "Registration, sessions, login persistence",
"Remember login after Microsoft sign-in": "Remember login after Microsoft sign-in",
"Remember me": "Remember me",
"Remember token lifetime (days)": "Remember token lifetime (days)",
@@ -934,6 +941,7 @@
"Rows total": "Rows total",
"Rules": "Rules",
"Run history": "Run history",
"Run lifecycle now": "Run lifecycle now",
"Run now": "Run now",
"Run preview": "Run preview",
"Run user lifecycle now": "Run user lifecycle now",
@@ -1138,6 +1146,7 @@
"System audit controls whether security events are logged and how long they are kept.": "System audit controls whether security events are logged and how long they are kept.",
"System audit entry not found": "System audit entry not found",
"System audit events (24h)": "System audit events (24h)",
"System audit log enable and retention": "System audit log enable and retention",
"System audit logs": "System audit logs",
"System audit risks (24h)": "System audit risks (24h)",
"System Info": "System Info",
@@ -1153,7 +1162,9 @@
"Target type": "Target type",
"Target UUID": "Target UUID",
"Tax number": "Tax number",
"Telemetry": "Telemetry",
"Telemetry helps detect recurring UI issues and failed requests in production.": "Telemetry helps detect recurring UI issues and failed requests in production.",
"Telemetry settings": "Telemetry settings",
"Template": "Template",
"Tenant": "Tenant",
"Tenant #%d": "Tenant #%d",
@@ -1196,6 +1207,7 @@
"These limits define default and maximum lifetimes for newly issued API tokens.": "These limits define default and maximum lifetimes for newly issued API tokens.",
"This action cannot be undone.": "This action cannot be undone.",
"This action revokes all active API tokens immediately across all users.": "This action revokes all active API tokens immediately across all users.",
"This runs the lifecycle policy immediately and may deactivate or delete users.": "This runs the lifecycle policy immediately and may deactivate or delete users.",
"This scheduled job is no longer registered and cannot be edited. It has been superseded by a newer version.": "This scheduled job is no longer registered and cannot be edited. It has been superseded by a newer version.",
"This setting controls the application name shown across the UI.": "This setting controls the application name shown across the UI.",
"This setting controls the default language for users without a personal preference.": "This setting controls the default language for users without a personal preference.",
@@ -1277,12 +1289,14 @@
"User ID": "User ID",
"User inactivity deactivation period is invalid": "User inactivity deactivation period is invalid",
"User inactivity deletion period is invalid": "User inactivity deletion period is invalid",
"User lifecycle": "User lifecycle",
"User lifecycle already running": "User lifecycle already running",
"User lifecycle completed: %d deactivated, %d deleted": "User lifecycle completed: %d deactivated, %d deleted",
"User lifecycle defines when inactive users are deactivated or deleted.": "User lifecycle defines when inactive users are deactivated or deleted.",
"User lifecycle failed": "User lifecycle failed",
"User lifecycle logs": "User lifecycle logs",
"User lifecycle policy": "User lifecycle policy",
"User lifecycle settings": "User lifecycle settings",
"User not found": "User not found",
"User override disabled": "User override disabled",
"User override enabled": "User override enabled",

View File

@@ -29,7 +29,7 @@ $values = is_array($pageData['values'] ?? null) ? $pageData['values'] : [];
$settings = is_array($pageData['settings'] ?? null) ? $pageData['settings'] : [];
$activeLoginTokens = (int) ($pageData['active_login_tokens'] ?? 0);
if ($request->isMethod('POST') && !actionRequireCsrf('admin/settings/security', 'admin/settings/security', 'csrf_expired')) {
if ($request->isMethod('POST') && !actionRequireCsrf('admin/settings/account-access', 'admin/settings/account-access', 'csrf_expired')) {
return;
}
@@ -47,13 +47,6 @@ if ($request->isMethod('POST')) {
'session_absolute_timeout_hours',
'remember_token_lifetime_days',
'microsoft_auto_remember_default',
'user_inactivity_deactivate_days',
'user_inactivity_delete_days',
'system_audit_enabled',
'system_audit_retention_days',
'frontend_telemetry_enabled',
'frontend_telemetry_sample_rate',
'frontend_telemetry_allowed_events',
];
$mergedPost = settingsSectionMergePost($values, $request->bodyAll(), $sectionKeys);
@@ -75,21 +68,21 @@ if ($request->isMethod('POST')) {
}
if ($errorBag->hasAny()) {
flashFormErrors($errorBag, 'admin/settings/security', 'settings_update_error');
Router::redirect('admin/settings/security');
flashFormErrors($errorBag, 'admin/settings/account-access', 'settings_update_error');
Router::redirect('admin/settings/account-access');
}
$redirectTarget = ((string) $request->body('action', 'save') === 'save_close')
? 'admin/settings'
: 'admin/settings/security';
: 'admin/settings/account-access';
Flash::success('Settings updated', $redirectTarget, 'settings_updated');
Router::redirect($redirectTarget);
}
Buffer::set('title', t('Security settings'));
Buffer::set('title', t('Account access settings'));
$breadcrumbs = [
['label' => t('Home'), 'path' => 'admin'],
['label' => t('Settings'), 'path' => 'admin/settings'],
['label' => t('Security')],
['label' => t('Account access')],
];

View File

@@ -0,0 +1,181 @@
<?php
/**
* @var array $values
* @var array $settings
* @var int $activeLoginTokens
* @var bool $canUpdateSettings
*/
use MintyPHP\Session;
$values = $values ?? [];
$settings = $settings ?? [];
$appRegistration = !empty($values['app_registration']);
$sessionIdleTimeoutMinutes = (int) ($values['session_idle_timeout_minutes'] ?? 30);
$sessionAbsoluteTimeoutHours = (int) ($values['session_absolute_timeout_hours'] ?? 8);
$rememberTokenLifetimeDays = (int) ($values['remember_token_lifetime_days'] ?? 30);
$microsoftAutoRememberDefault = !empty($values['microsoft_auto_remember_default']);
$appRegistrationDesc = $settings['app_registration']['description'] ?? 'setting.app_registration';
$sessionIdleTimeoutMinutesDesc = $settings['session_idle_timeout_minutes']['description'] ?? 'setting.session_idle_timeout_minutes';
$sessionAbsoluteTimeoutHoursDesc = $settings['session_absolute_timeout_hours']['description'] ?? 'setting.session_absolute_timeout_hours';
$rememberTokenLifetimeDaysDesc = $settings['remember_token_lifetime_days']['description'] ?? 'setting.remember_token_lifetime_days';
$microsoftAutoRememberDefaultDesc = $settings['microsoft_auto_remember_default']['description'] ?? 'setting.microsoft_auto_remember_default';
$activeLoginTokens = (int) ($activeLoginTokens ?? 0);
$canUpdateSettings = (bool) ($canUpdateSettings ?? false);
$isReadOnly = !$canUpdateSettings;
$readonlyAttr = $isReadOnly ? 'readonly' : '';
$disabledAttr = $isReadOnly ? 'disabled' : '';
?>
<div class="app-details-container">
<section>
<?php
$titlebar = [
'title' => t('Account access settings'),
'backHref' => 'admin/settings',
'backTitle' => t('Cancel'),
'actions' => $canUpdateSettings ? [
[
'form' => 'settings-account-access-form',
'name' => 'action',
'value' => 'save',
'class' => 'secondary outline',
'label' => t('Save'),
],
[
'form' => 'settings-account-access-form',
'name' => 'action',
'value' => 'save_close',
'class' => 'primary',
'label' => t('Save & close'),
],
] : [],
];
require templatePath('partials/app-details-titlebar.phtml');
?>
<form id="settings-account-access-form" method="post" data-details-storage="settings-account-access-details-v1" data-standard-detail-form="1">
<details class="app-details-card" name="settings-account-access-registration" data-details-key="settings-account-access-registration">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Allow registration')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($appRegistration ? t('Enabled') : t('Disabled')); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Registration controls whether new users can create an account.')); ?></small>
</blockquote>
<fieldset>
<legend>
<small><?php e(t($appRegistrationDesc)); ?></small>
</legend>
<label class="app-field">
<input type="checkbox" name="app_registration" value="1" <?php e($appRegistration ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Allow registration')); ?> <span class="badge" data-variant="info"><?php e(t('Cached')); ?></span></span>
</label>
</fieldset>
</div>
</details>
<details class="app-details-card" name="settings-account-access-session" data-details-key="settings-account-access-session" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('Session policy')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $sessionIdleTimeoutMinutes); ?></span>
<span class="badge" data-variant="neutral"><?php e((string) $sessionAbsoluteTimeoutHours); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Session limits define how long logged-in users stay signed in.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Session idle timeout (minutes)')); ?></span>
<input type="number" name="session_idle_timeout_minutes"
value="<?php e((string) $sessionIdleTimeoutMinutes); ?>" min="5" max="1440" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($sessionIdleTimeoutMinutesDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 5-1440 minutes (default: 30)')); ?></small>
</label>
<label class="app-field">
<span><?php e(t('Session absolute timeout (hours)')); ?></span>
<input type="number" name="session_absolute_timeout_hours"
value="<?php e((string) $sessionAbsoluteTimeoutHours); ?>" min="1" max="72" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($sessionAbsoluteTimeoutHoursDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 1-72 hours (default: 8)')); ?></small>
</label>
</div>
</div>
</details>
<details class="app-details-card" name="settings-account-access-login-persistence" data-details-key="settings-account-access-login-persistence">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Login persistence')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $rememberTokenLifetimeDays); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Controls remember-me token lifetime and Microsoft auto-remember behavior.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Remember token lifetime (days)')); ?></span>
<input type="number" name="remember_token_lifetime_days"
value="<?php e((string) $rememberTokenLifetimeDays); ?>" min="1" max="365" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($rememberTokenLifetimeDaysDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 1-365 days (default: 30)')); ?></small>
</label>
<fieldset>
<legend>
<small><?php e(t($microsoftAutoRememberDefaultDesc)); ?></small>
</legend>
<label class="app-field">
<input type="checkbox" name="microsoft_auto_remember_default" value="1"
<?php e($microsoftAutoRememberDefault ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Microsoft Auto-Remember default')); ?></span>
</label>
<small class="muted"><?php e(t('When enabled, successful Microsoft logins automatically persist a remember-me token (unless overridden per tenant).')); ?></small>
</fieldset>
</div>
</div>
</details>
<?php if ($canUpdateSettings): ?>
<details class="app-details-card" name="settings-account-access-login-tokens" data-details-key="settings-account-access-login-tokens">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Login tokens')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e(sprintf(t('%d active login tokens'), $activeLoginTokens)); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="warning">
<small><?php e(t('This will expire all remember-me tokens immediately and force users to sign in again.')); ?></small>
</blockquote>
<button type="submit" class="danger" formnovalidate
formaction="admin/settings/expire-remember-tokens"
formmethod="post"
data-detail-confirm-message="<?php e(t('Expire all login tokens?')); ?>"
data-detail-action-kind="danger">
<?php e(t('Expire all login tokens')); ?>
</button>
</div>
</details>
<?php endif; ?>
<?php Session::getCsrfInput(); ?>
</form>
</section>
<aside id="app-details-aside-section">
<div class="app-details-aside-section"></div>
</aside>
</div>

View File

@@ -0,0 +1,84 @@
<?php
use MintyPHP\Buffer;
use MintyPHP\Http\SessionStoreInterface;
use MintyPHP\Router;
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
use MintyPHP\Service\Settings\AdminSettingsService;
use MintyPHP\Support\Flash;
use MintyPHP\Support\Guard;
$session = app(SessionStoreInterface::class)->all();
Guard::requireLogin();
$request = requestInput();
$currentUserId = (int) ($session['user']['id'] ?? 0);
$authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class);
$viewDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW, [
'actor_user_id' => $currentUserId,
]);
if (!$viewDecision->isAllowed()) {
Guard::deny();
}
$viewCapabilities = $viewDecision->attribute('capabilities', []);
$canUpdateSettings = is_array($viewCapabilities) ? (bool) ($viewCapabilities['can_update_settings'] ?? false) : false;
$adminSettingsService = app(AdminSettingsService::class);
$pageData = $adminSettingsService->buildPageData();
$values = is_array($pageData['values'] ?? null) ? $pageData['values'] : [];
$settings = is_array($pageData['settings'] ?? null) ? $pageData['settings'] : [];
if ($request->isMethod('POST') && !actionRequireCsrf('admin/settings/audit', 'admin/settings/audit', 'csrf_expired')) {
return;
}
if ($request->isMethod('POST')) {
$updateDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE, [
'actor_user_id' => $currentUserId,
]);
if (!$updateDecision->isAllowed()) {
Guard::deny();
}
$sectionKeys = [
'system_audit_enabled',
'system_audit_retention_days',
];
$mergedPost = settingsSectionMergePost($values, $request->bodyAll(), $sectionKeys);
$updateResult = $adminSettingsService->updateFromAdmin($mergedPost);
$errorBag = formErrors();
foreach ((array) ($updateResult['errors'] ?? []) as $error) {
if (is_array($error)) {
$message = trim((string) ($error['message'] ?? ''));
$field = trim((string) ($error['field'] ?? 'input'));
if ($message !== '') {
$errorBag->add($field !== '' ? $field : 'input', $message);
}
continue;
}
$message = trim((string) $error);
if ($message !== '') {
$errorBag->addGlobal($message);
}
}
if ($errorBag->hasAny()) {
flashFormErrors($errorBag, 'admin/settings/audit', 'settings_update_error');
Router::redirect('admin/settings/audit');
}
$redirectTarget = ((string) $request->body('action', 'save') === 'save_close')
? 'admin/settings'
: 'admin/settings/audit';
Flash::success('Settings updated', $redirectTarget, 'settings_updated');
Router::redirect($redirectTarget);
}
Buffer::set('title', t('Audit log settings'));
$breadcrumbs = [
['label' => t('Home'), 'path' => 'admin'],
['label' => t('Settings'), 'path' => 'admin/settings'],
['label' => t('Audit log')],
];

View File

@@ -0,0 +1,87 @@
<?php
/**
* @var array $values
* @var array $settings
* @var bool $canUpdateSettings
*/
use MintyPHP\Session;
$values = $values ?? [];
$settings = $settings ?? [];
$systemAuditEnabled = !empty($values['system_audit_enabled']);
$systemAuditRetentionDays = (int) ($values['system_audit_retention_days'] ?? 365);
$systemAuditRetentionDaysDesc = $settings['system_audit_retention_days']['description'] ?? 'setting.system_audit_retention_days';
$canUpdateSettings = (bool) ($canUpdateSettings ?? false);
$isReadOnly = !$canUpdateSettings;
$readonlyAttr = $isReadOnly ? 'readonly' : '';
$disabledAttr = $isReadOnly ? 'disabled' : '';
?>
<div class="app-details-container">
<section>
<?php
$titlebar = [
'title' => t('Audit log settings'),
'backHref' => 'admin/settings',
'backTitle' => t('Cancel'),
'actions' => $canUpdateSettings ? [
[
'form' => 'settings-audit-form',
'name' => 'action',
'value' => 'save',
'class' => 'secondary outline',
'label' => t('Save'),
],
[
'form' => 'settings-audit-form',
'name' => 'action',
'value' => 'save_close',
'class' => 'primary',
'label' => t('Save & close'),
],
] : [],
];
require templatePath('partials/app-details-titlebar.phtml');
?>
<form id="settings-audit-form" method="post" data-details-storage="settings-audit-details-v1" data-standard-detail-form="1">
<details class="app-details-card" name="settings-audit-system" data-details-key="settings-audit-system" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('System audit')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($systemAuditEnabled ? t('Enabled') : t('Disabled')); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('System audit controls whether security events are logged and how long they are kept.')); ?></small>
</blockquote>
<label class="app-field">
<input type="checkbox" name="system_audit_enabled" value="1" <?php e($systemAuditEnabled ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('Enable system audit log')); ?></span>
</label>
<hr>
<label class="app-field">
<span><?php e(t('Retention (days)')); ?></span>
<input
type="number"
name="system_audit_retention_days"
value="<?php e((string) $systemAuditRetentionDays); ?>"
min="30"
max="1095"
step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($systemAuditRetentionDaysDesc)); ?></small>
</label>
</div>
</details>
<?php Session::getCsrfInput(); ?>
</form>
</section>
<aside id="app-details-aside-section">
<div class="app-details-aside-section"></div>
</aside>
</div>

View File

@@ -18,15 +18,15 @@ if (!$decision->isAllowed()) {
Guard::deny();
}
if (!actionRequirePost('admin/settings/security')) {
if (!actionRequirePost('admin/settings/account-access')) {
return;
}
if (!actionRequireCsrf('admin/settings/security', 'admin/settings/security', 'settings_tokens_expire')) {
if (!actionRequireCsrf('admin/settings/account-access', 'admin/settings/account-access', 'settings_tokens_expire')) {
return;
}
$rememberMeService = app(\MintyPHP\Service\Auth\RememberMeService::class);
$count = $rememberMeService->expireAllTokensByAdmin();
Flash::success(sprintf(t('%d login tokens expired'), $count), 'admin/settings/security', 'login_tokens_expired');
Router::redirect('admin/settings/security');
Flash::success(sprintf(t('%d login tokens expired'), $count), 'admin/settings/account-access', 'login_tokens_expired');
Router::redirect('admin/settings/account-access');

View File

@@ -24,12 +24,36 @@
'tooltip' => t('App title, language, user creation defaults'),
]);
appTile([
'href' => 'admin/settings/security',
'label' => t('Security'),
'href' => 'admin/settings/account-access',
'label' => t('Account access'),
'icon' => 'bi bi-shield-lock',
'iconBg' => '#ede9fe',
'iconColor' => '#7c3aed',
'tooltip' => t('Sessions, registration, lifecycle, audit, telemetry'),
'tooltip' => t('Registration, sessions, login persistence'),
]);
appTile([
'href' => 'admin/settings/user-lifecycle',
'label' => t('User lifecycle'),
'icon' => 'bi bi-arrow-repeat',
'iconBg' => '#fee2e2',
'iconColor' => '#b91c1c',
'tooltip' => t('Inactivity deactivation and deletion policy'),
]);
appTile([
'href' => 'admin/settings/audit',
'label' => t('Audit log'),
'icon' => 'bi bi-journal-text',
'iconBg' => '#fff7ed',
'iconColor' => '#c2410c',
'tooltip' => t('System audit log enable and retention'),
]);
appTile([
'href' => 'admin/settings/telemetry',
'label' => t('Telemetry'),
'icon' => 'bi bi-graph-up',
'iconBg' => '#ecfdf5',
'iconColor' => '#047857',
'tooltip' => t('Frontend telemetry collection and event allowlist'),
]);
appTile([
'href' => 'admin/settings/email',

View File

@@ -18,11 +18,11 @@ if (!$decision->isAllowed()) {
Guard::deny();
}
if (!actionRequirePost('admin/settings/security')) {
if (!actionRequirePost('admin/settings/user-lifecycle')) {
return;
}
if (!actionRequireCsrf('admin/settings/security', 'admin/settings/security', 'user_lifecycle_run')) {
if (!actionRequireCsrf('admin/settings/user-lifecycle', 'admin/settings/user-lifecycle', 'user_lifecycle_run')) {
return;
}
@@ -35,8 +35,8 @@ if (!($result['ok'] ?? false)) {
} else {
$errorBag->addGlobal('User lifecycle failed');
}
flashFormErrors($errorBag, 'admin/settings/security', 'user_lifecycle_run');
Router::redirect('admin/settings/security');
flashFormErrors($errorBag, 'admin/settings/user-lifecycle', 'user_lifecycle_run');
Router::redirect('admin/settings/user-lifecycle');
}
Flash::success(
@@ -45,7 +45,7 @@ Flash::success(
(int) ($result['deactivated_count'] ?? 0),
(int) ($result['deleted_count'] ?? 0)
),
'admin/settings/security',
'admin/settings/user-lifecycle',
'user_lifecycle_completed'
);
Router::redirect('admin/settings/security');
Router::redirect('admin/settings/user-lifecycle');

View File

@@ -1,344 +0,0 @@
<?php
/**
* @var array $values
* @var array $settings
* @var int $activeLoginTokens
* @var bool $canUpdateSettings
*/
use MintyPHP\Session;
$values = $values ?? [];
$settings = $settings ?? [];
$appRegistration = !empty($values['app_registration']);
$sessionIdleTimeoutMinutes = (int) ($values['session_idle_timeout_minutes'] ?? 30);
$sessionAbsoluteTimeoutHours = (int) ($values['session_absolute_timeout_hours'] ?? 8);
$rememberTokenLifetimeDays = (int) ($values['remember_token_lifetime_days'] ?? 30);
$microsoftAutoRememberDefault = !empty($values['microsoft_auto_remember_default']);
$userInactivityDeactivateDays = (int) ($values['user_inactivity_deactivate_days'] ?? 180);
$userInactivityDeleteDays = (int) ($values['user_inactivity_delete_days'] ?? 365);
$systemAuditEnabled = !empty($values['system_audit_enabled']);
$systemAuditRetentionDays = (int) ($values['system_audit_retention_days'] ?? 365);
$frontendTelemetryEnabled = !empty($values['frontend_telemetry_enabled']);
$frontendTelemetrySampleRate = (string) ($values['frontend_telemetry_sample_rate'] ?? '0.2');
$frontendTelemetrySampleRateOptions = ['0.1', '0.2', '0.5', '1'];
if (!in_array($frontendTelemetrySampleRate, $frontendTelemetrySampleRateOptions, true)) {
$frontendTelemetrySampleRate = '0.2';
}
$frontendTelemetryAllowedEvents = $values['frontend_telemetry_allowed_events'] ?? ['warn_once', 'ajax_error'];
if (!is_array($frontendTelemetryAllowedEvents)) {
$frontendTelemetryAllowedEvents = preg_split('/[\s,]+/', (string) $frontendTelemetryAllowedEvents) ?: [];
}
$frontendTelemetryAllowedEvents = array_values(array_unique(array_filter(array_map(
static fn($entry): string => strtolower(trim((string) $entry)),
$frontendTelemetryAllowedEvents
))));
if ($frontendTelemetryAllowedEvents === []) {
$frontendTelemetryAllowedEvents = ['warn_once', 'ajax_error'];
}
$appRegistrationDesc = $settings['app_registration']['description'] ?? 'setting.app_registration';
$sessionIdleTimeoutMinutesDesc = $settings['session_idle_timeout_minutes']['description'] ?? 'setting.session_idle_timeout_minutes';
$sessionAbsoluteTimeoutHoursDesc = $settings['session_absolute_timeout_hours']['description'] ?? 'setting.session_absolute_timeout_hours';
$rememberTokenLifetimeDaysDesc = $settings['remember_token_lifetime_days']['description'] ?? 'setting.remember_token_lifetime_days';
$microsoftAutoRememberDefaultDesc = $settings['microsoft_auto_remember_default']['description'] ?? 'setting.microsoft_auto_remember_default';
$userInactivityDeactivateDaysDesc = $settings['user_inactivity_deactivate_days']['description'] ?? 'setting.user_inactivity_deactivate_days';
$userInactivityDeleteDaysDesc = $settings['user_inactivity_delete_days']['description'] ?? 'setting.user_inactivity_delete_days';
$systemAuditRetentionDaysDesc = $settings['system_audit_retention_days']['description'] ?? 'setting.system_audit_retention_days';
$activeLoginTokens = (int) ($activeLoginTokens ?? 0);
$canUpdateSettings = (bool) ($canUpdateSettings ?? false);
$isReadOnly = !$canUpdateSettings;
$readonlyAttr = $isReadOnly ? 'readonly' : '';
$disabledAttr = $isReadOnly ? 'disabled' : '';
?>
<div class="app-details-container">
<section>
<?php
$titlebar = [
'title' => t('Security settings'),
'backHref' => 'admin/settings',
'backTitle' => t('Cancel'),
'actions' => $canUpdateSettings ? [
[
'form' => 'settings-security-form',
'name' => 'action',
'value' => 'save',
'class' => 'secondary outline',
'label' => t('Save'),
],
[
'form' => 'settings-security-form',
'name' => 'action',
'value' => 'save_close',
'class' => 'primary',
'label' => t('Save & close'),
],
] : [],
];
require templatePath('partials/app-details-titlebar.phtml');
?>
<form id="settings-security-form" method="post" data-details-storage="settings-security-details-v1" data-standard-detail-form="1">
<details class="app-details-card" name="settings-security-registration" data-details-key="settings-security-registration">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Allow registration')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($appRegistration ? t('Enabled') : t('Disabled')); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Registration controls whether new users can create an account.')); ?></small>
</blockquote>
<fieldset>
<legend>
<small><?php e(t($appRegistrationDesc)); ?></small>
</legend>
<label class="app-field">
<input type="checkbox" name="app_registration" value="1" <?php e($appRegistration ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Allow registration')); ?> <span class="badge" data-variant="info"><?php e(t('Cached')); ?></span></span>
</label>
</fieldset>
</div>
</details>
<details class="app-details-card" name="settings-security-session" data-details-key="settings-security-session" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('Session policy')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $sessionIdleTimeoutMinutes); ?></span>
<span class="badge" data-variant="neutral"><?php e((string) $sessionAbsoluteTimeoutHours); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Session limits define how long logged-in users stay signed in.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Session idle timeout (minutes)')); ?></span>
<input type="number" name="session_idle_timeout_minutes"
value="<?php e((string) $sessionIdleTimeoutMinutes); ?>" min="5" max="1440" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($sessionIdleTimeoutMinutesDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 5-1440 minutes (default: 30)')); ?></small>
</label>
<label class="app-field">
<span><?php e(t('Session absolute timeout (hours)')); ?></span>
<input type="number" name="session_absolute_timeout_hours"
value="<?php e((string) $sessionAbsoluteTimeoutHours); ?>" min="1" max="72" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($sessionAbsoluteTimeoutHoursDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 1-72 hours (default: 8)')); ?></small>
</label>
</div>
</div>
</details>
<details class="app-details-card" name="settings-security-login-persistence" data-details-key="settings-security-login-persistence">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Login persistence')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $rememberTokenLifetimeDays); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Controls remember-me token lifetime and Microsoft auto-remember behavior.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Remember token lifetime (days)')); ?></span>
<input type="number" name="remember_token_lifetime_days"
value="<?php e((string) $rememberTokenLifetimeDays); ?>" min="1" max="365" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($rememberTokenLifetimeDaysDesc)); ?></small>
<small class="muted"><?php e(t('Allowed range: 1-365 days (default: 30)')); ?></small>
</label>
<fieldset>
<legend>
<small><?php e(t($microsoftAutoRememberDefaultDesc)); ?></small>
</legend>
<label class="app-field">
<input type="checkbox" name="microsoft_auto_remember_default" value="1"
<?php e($microsoftAutoRememberDefault ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Microsoft Auto-Remember default')); ?></span>
</label>
<small class="muted"><?php e(t('When enabled, successful Microsoft logins automatically persist a remember-me token (unless overridden per tenant).')); ?></small>
</fieldset>
</div>
</div>
</details>
<details class="app-details-card" name="settings-security-user-lifecycle" data-details-key="settings-security-user-lifecycle">
<summary>
<span class="app-details-card-summary-title"><?php e(t('User lifecycle policy')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $userInactivityDeactivateDays); ?></span>
<span class="badge" data-variant="neutral"><?php e((string) $userInactivityDeleteDays); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('User lifecycle defines when inactive users are deactivated or deleted.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Deactivate users after inactivity (days)')); ?></span>
<input type="number" name="user_inactivity_deactivate_days"
value="<?php e((string) $userInactivityDeactivateDays); ?>" min="0" max="3650" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($userInactivityDeactivateDaysDesc)); ?> - <?php e(t('0 disables this rule')); ?></small>
</label>
<label class="app-field">
<span><?php e(t('Delete inactive users after (days)')); ?></span>
<input type="number" name="user_inactivity_delete_days"
value="<?php e((string) $userInactivityDeleteDays); ?>" min="0" max="3650" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($userInactivityDeleteDaysDesc)); ?> - <?php e(t('0 disables this rule')); ?></small>
</label>
</div>
<?php if ($canUpdateSettings): ?>
<button type="submit" class="danger" formnovalidate
formaction="admin/settings/run-user-lifecycle"
formmethod="post"
data-detail-confirm-message="<?php e(t('Run user lifecycle now?')); ?>"
data-detail-action-kind="danger">
<?php e(t('Run user lifecycle now')); ?>
</button>
<?php endif; ?>
</div>
</details>
<details class="app-details-card" name="settings-security-system-audit" data-details-key="settings-security-system-audit">
<summary>
<span class="app-details-card-summary-title"><?php e(t('System audit')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($systemAuditEnabled ? t('Enabled') : t('Disabled')); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('System audit controls whether security events are logged and how long they are kept.')); ?></small>
</blockquote>
<label class="app-field">
<input type="checkbox" name="system_audit_enabled" value="1" <?php e($systemAuditEnabled ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('Enable system audit log')); ?></span>
</label>
<hr>
<label class="app-field">
<span><?php e(t('Retention (days)')); ?></span>
<input
type="number"
name="system_audit_retention_days"
value="<?php e((string) $systemAuditRetentionDays); ?>"
min="30"
max="1095"
step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($systemAuditRetentionDaysDesc)); ?></small>
</label>
</div>
</details>
<details class="app-details-card" name="settings-telemetry-core" data-details-key="settings-telemetry-core" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('Frontend telemetry')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($frontendTelemetryEnabled ? t('Enabled') : t('Disabled')); ?></span>
<span class="badge" data-variant="neutral"><?php e($frontendTelemetrySampleRate); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Telemetry helps detect recurring UI issues and failed requests in production.')); ?></small>
</blockquote>
<fieldset>
<legend><small><?php e(t('Frontend telemetry')); ?></small></legend>
<label class="app-field">
<input
type="checkbox"
role="switch"
name="frontend_telemetry_enabled"
value="1"
data-telemetry-enabled-toggle
<?php e($frontendTelemetryEnabled ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Enable frontend telemetry')); ?></span>
</label>
</fieldset>
<fieldset data-telemetry-sampling-fieldset <?php e($frontendTelemetryEnabled ? '' : 'hidden'); ?>>
<legend><small><?php e(t('Sampling rate')); ?></small></legend>
<label class="app-field" data-telemetry-sampling-row>
<span><?php e(t('Sampling rate')); ?></span>
<select name="frontend_telemetry_sample_rate" data-telemetry-sampling-select <?php e($disabledAttr); ?>>
<option value="0.1" <?php e($frontendTelemetrySampleRate === '0.1' ? 'selected' : ''); ?>>10%</option>
<option value="0.2" <?php e($frontendTelemetrySampleRate === '0.2' ? 'selected' : ''); ?>>20%</option>
<option value="0.5" <?php e($frontendTelemetrySampleRate === '0.5' ? 'selected' : ''); ?>>50%</option>
<option value="1" <?php e($frontendTelemetrySampleRate === '1' ? 'selected' : ''); ?>>100%</option>
</select>
<small><?php e(t('The percentage of users who will have telemetry enabled.')); ?></small>
</label>
</fieldset>
</div>
</details>
<details class="app-details-card" name="telemetry-advanced" data-details-key="telemetry-advanced">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Advanced telemetry options')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e(sprintf(t('%d events enabled'), count($frontendTelemetryAllowedEvents))); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Limit which event types are collected to match your privacy and operations requirements.')); ?></small>
</blockquote>
<fieldset>
<legend><small><?php e(t('Allowed telemetry events')); ?></small></legend>
<label class="app-field">
<input type="checkbox" name="frontend_telemetry_allowed_events[]" value="warn_once" <?php e(in_array('warn_once', $frontendTelemetryAllowedEvents, true) ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('warnOnce warnings')); ?></span>
</label>
<label class="app-field">
<input type="checkbox" name="frontend_telemetry_allowed_events[]" value="ajax_error" <?php e(in_array('ajax_error', $frontendTelemetryAllowedEvents, true) ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('AJAX errors')); ?></span>
</label>
</fieldset>
</div>
</details>
<?php if ($canUpdateSettings): ?>
<details class="app-details-card" name="settings-security-login-tokens" data-details-key="settings-security-login-tokens">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Login tokens')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e(sprintf(t('%d active login tokens'), $activeLoginTokens)); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="warning">
<small><?php e(t('This will expire all remember-me tokens immediately and force users to sign in again.')); ?></small>
</blockquote>
<button type="submit" class="danger" formnovalidate
formaction="admin/settings/expire-remember-tokens"
formmethod="post"
data-detail-confirm-message="<?php e(t('Expire all login tokens?')); ?>"
data-detail-action-kind="danger">
<?php e(t('Expire all login tokens')); ?>
</button>
</div>
</details>
<?php endif; ?>
<?php Session::getCsrfInput(); ?>
</form>
</section>
<aside id="app-details-aside-section">
<div class="app-details-aside-section"></div>
</aside>
</div>

View File

@@ -0,0 +1,85 @@
<?php
use MintyPHP\Buffer;
use MintyPHP\Http\SessionStoreInterface;
use MintyPHP\Router;
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
use MintyPHP\Service\Settings\AdminSettingsService;
use MintyPHP\Support\Flash;
use MintyPHP\Support\Guard;
$session = app(SessionStoreInterface::class)->all();
Guard::requireLogin();
$request = requestInput();
$currentUserId = (int) ($session['user']['id'] ?? 0);
$authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class);
$viewDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW, [
'actor_user_id' => $currentUserId,
]);
if (!$viewDecision->isAllowed()) {
Guard::deny();
}
$viewCapabilities = $viewDecision->attribute('capabilities', []);
$canUpdateSettings = is_array($viewCapabilities) ? (bool) ($viewCapabilities['can_update_settings'] ?? false) : false;
$adminSettingsService = app(AdminSettingsService::class);
$pageData = $adminSettingsService->buildPageData();
$values = is_array($pageData['values'] ?? null) ? $pageData['values'] : [];
$settings = is_array($pageData['settings'] ?? null) ? $pageData['settings'] : [];
if ($request->isMethod('POST') && !actionRequireCsrf('admin/settings/telemetry', 'admin/settings/telemetry', 'csrf_expired')) {
return;
}
if ($request->isMethod('POST')) {
$updateDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE, [
'actor_user_id' => $currentUserId,
]);
if (!$updateDecision->isAllowed()) {
Guard::deny();
}
$sectionKeys = [
'frontend_telemetry_enabled',
'frontend_telemetry_sample_rate',
'frontend_telemetry_allowed_events',
];
$mergedPost = settingsSectionMergePost($values, $request->bodyAll(), $sectionKeys);
$updateResult = $adminSettingsService->updateFromAdmin($mergedPost);
$errorBag = formErrors();
foreach ((array) ($updateResult['errors'] ?? []) as $error) {
if (is_array($error)) {
$message = trim((string) ($error['message'] ?? ''));
$field = trim((string) ($error['field'] ?? 'input'));
if ($message !== '') {
$errorBag->add($field !== '' ? $field : 'input', $message);
}
continue;
}
$message = trim((string) $error);
if ($message !== '') {
$errorBag->addGlobal($message);
}
}
if ($errorBag->hasAny()) {
flashFormErrors($errorBag, 'admin/settings/telemetry', 'settings_update_error');
Router::redirect('admin/settings/telemetry');
}
$redirectTarget = ((string) $request->body('action', 'save') === 'save_close')
? 'admin/settings'
: 'admin/settings/telemetry';
Flash::success('Settings updated', $redirectTarget, 'settings_updated');
Router::redirect($redirectTarget);
}
Buffer::set('title', t('Telemetry settings'));
$breadcrumbs = [
['label' => t('Home'), 'path' => 'admin'],
['label' => t('Settings'), 'path' => 'admin/settings'],
['label' => t('Telemetry')],
];

View File

@@ -0,0 +1,136 @@
<?php
/**
* @var array $values
* @var array $settings
* @var bool $canUpdateSettings
*/
use MintyPHP\Session;
$values = $values ?? [];
$settings = $settings ?? [];
$frontendTelemetryEnabled = !empty($values['frontend_telemetry_enabled']);
$frontendTelemetrySampleRate = (string) ($values['frontend_telemetry_sample_rate'] ?? '0.2');
$frontendTelemetrySampleRateOptions = ['0.1', '0.2', '0.5', '1'];
if (!in_array($frontendTelemetrySampleRate, $frontendTelemetrySampleRateOptions, true)) {
$frontendTelemetrySampleRate = '0.2';
}
$frontendTelemetryAllowedEvents = $values['frontend_telemetry_allowed_events'] ?? ['warn_once', 'ajax_error'];
if (!is_array($frontendTelemetryAllowedEvents)) {
$frontendTelemetryAllowedEvents = preg_split('/[\s,]+/', (string) $frontendTelemetryAllowedEvents) ?: [];
}
$frontendTelemetryAllowedEvents = array_values(array_unique(array_filter(array_map(
static fn($entry): string => strtolower(trim((string) $entry)),
$frontendTelemetryAllowedEvents
))));
if ($frontendTelemetryAllowedEvents === []) {
$frontendTelemetryAllowedEvents = ['warn_once', 'ajax_error'];
}
$canUpdateSettings = (bool) ($canUpdateSettings ?? false);
$isReadOnly = !$canUpdateSettings;
$disabledAttr = $isReadOnly ? 'disabled' : '';
?>
<div class="app-details-container">
<section>
<?php
$titlebar = [
'title' => t('Telemetry settings'),
'backHref' => 'admin/settings',
'backTitle' => t('Cancel'),
'actions' => $canUpdateSettings ? [
[
'form' => 'settings-telemetry-form',
'name' => 'action',
'value' => 'save',
'class' => 'secondary outline',
'label' => t('Save'),
],
[
'form' => 'settings-telemetry-form',
'name' => 'action',
'value' => 'save_close',
'class' => 'primary',
'label' => t('Save & close'),
],
] : [],
];
require templatePath('partials/app-details-titlebar.phtml');
?>
<form id="settings-telemetry-form" method="post" data-details-storage="settings-telemetry-details-v1" data-standard-detail-form="1">
<details class="app-details-card" name="settings-telemetry-core" data-details-key="settings-telemetry-core" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('Frontend telemetry')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e($frontendTelemetryEnabled ? t('Enabled') : t('Disabled')); ?></span>
<span class="badge" data-variant="neutral"><?php e($frontendTelemetrySampleRate); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Telemetry helps detect recurring UI issues and failed requests in production.')); ?></small>
</blockquote>
<fieldset>
<legend><small><?php e(t('Frontend telemetry')); ?></small></legend>
<label class="app-field">
<input
type="checkbox"
role="switch"
name="frontend_telemetry_enabled"
value="1"
data-telemetry-enabled-toggle
<?php e($frontendTelemetryEnabled ? 'checked' : ''); ?>
<?php e($disabledAttr); ?>>
<span><?php e(t('Enable frontend telemetry')); ?></span>
</label>
</fieldset>
<fieldset data-telemetry-sampling-fieldset <?php e($frontendTelemetryEnabled ? '' : 'hidden'); ?>>
<legend><small><?php e(t('Sampling rate')); ?></small></legend>
<label class="app-field" data-telemetry-sampling-row>
<span><?php e(t('Sampling rate')); ?></span>
<select name="frontend_telemetry_sample_rate" data-telemetry-sampling-select <?php e($disabledAttr); ?>>
<option value="0.1" <?php e($frontendTelemetrySampleRate === '0.1' ? 'selected' : ''); ?>>10%</option>
<option value="0.2" <?php e($frontendTelemetrySampleRate === '0.2' ? 'selected' : ''); ?>>20%</option>
<option value="0.5" <?php e($frontendTelemetrySampleRate === '0.5' ? 'selected' : ''); ?>>50%</option>
<option value="1" <?php e($frontendTelemetrySampleRate === '1' ? 'selected' : ''); ?>>100%</option>
</select>
<small><?php e(t('The percentage of users who will have telemetry enabled.')); ?></small>
</label>
</fieldset>
</div>
</details>
<details class="app-details-card" name="settings-telemetry-advanced" data-details-key="settings-telemetry-advanced">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Advanced telemetry options')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e(sprintf(t('%d events enabled'), count($frontendTelemetryAllowedEvents))); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('Limit which event types are collected to match your privacy and operations requirements.')); ?></small>
</blockquote>
<fieldset>
<legend><small><?php e(t('Allowed telemetry events')); ?></small></legend>
<label class="app-field">
<input type="checkbox" name="frontend_telemetry_allowed_events[]" value="warn_once" <?php e(in_array('warn_once', $frontendTelemetryAllowedEvents, true) ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('warnOnce warnings')); ?></span>
</label>
<label class="app-field">
<input type="checkbox" name="frontend_telemetry_allowed_events[]" value="ajax_error" <?php e(in_array('ajax_error', $frontendTelemetryAllowedEvents, true) ? 'checked' : ''); ?> <?php e($disabledAttr); ?>>
<span><?php e(t('AJAX errors')); ?></span>
</label>
</fieldset>
</div>
</details>
<?php Session::getCsrfInput(); ?>
</form>
</section>
<aside id="app-details-aside-section">
<div class="app-details-aside-section"></div>
</aside>
</div>

View File

@@ -0,0 +1,84 @@
<?php
use MintyPHP\Buffer;
use MintyPHP\Http\SessionStoreInterface;
use MintyPHP\Router;
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
use MintyPHP\Service\Settings\AdminSettingsService;
use MintyPHP\Support\Flash;
use MintyPHP\Support\Guard;
$session = app(SessionStoreInterface::class)->all();
Guard::requireLogin();
$request = requestInput();
$currentUserId = (int) ($session['user']['id'] ?? 0);
$authorizationService = app(\MintyPHP\Service\Access\AuthorizationService::class);
$viewDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW, [
'actor_user_id' => $currentUserId,
]);
if (!$viewDecision->isAllowed()) {
Guard::deny();
}
$viewCapabilities = $viewDecision->attribute('capabilities', []);
$canUpdateSettings = is_array($viewCapabilities) ? (bool) ($viewCapabilities['can_update_settings'] ?? false) : false;
$adminSettingsService = app(AdminSettingsService::class);
$pageData = $adminSettingsService->buildPageData();
$values = is_array($pageData['values'] ?? null) ? $pageData['values'] : [];
$settings = is_array($pageData['settings'] ?? null) ? $pageData['settings'] : [];
if ($request->isMethod('POST') && !actionRequireCsrf('admin/settings/user-lifecycle', 'admin/settings/user-lifecycle', 'csrf_expired')) {
return;
}
if ($request->isMethod('POST')) {
$updateDecision = $authorizationService->authorize(SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE, [
'actor_user_id' => $currentUserId,
]);
if (!$updateDecision->isAllowed()) {
Guard::deny();
}
$sectionKeys = [
'user_inactivity_deactivate_days',
'user_inactivity_delete_days',
];
$mergedPost = settingsSectionMergePost($values, $request->bodyAll(), $sectionKeys);
$updateResult = $adminSettingsService->updateFromAdmin($mergedPost);
$errorBag = formErrors();
foreach ((array) ($updateResult['errors'] ?? []) as $error) {
if (is_array($error)) {
$message = trim((string) ($error['message'] ?? ''));
$field = trim((string) ($error['field'] ?? 'input'));
if ($message !== '') {
$errorBag->add($field !== '' ? $field : 'input', $message);
}
continue;
}
$message = trim((string) $error);
if ($message !== '') {
$errorBag->addGlobal($message);
}
}
if ($errorBag->hasAny()) {
flashFormErrors($errorBag, 'admin/settings/user-lifecycle', 'settings_update_error');
Router::redirect('admin/settings/user-lifecycle');
}
$redirectTarget = ((string) $request->body('action', 'save') === 'save_close')
? 'admin/settings'
: 'admin/settings/user-lifecycle';
Flash::success('Settings updated', $redirectTarget, 'settings_updated');
Router::redirect($redirectTarget);
}
Buffer::set('title', t('User lifecycle settings'));
$breadcrumbs = [
['label' => t('Home'), 'path' => 'admin'],
['label' => t('Settings'), 'path' => 'admin/settings'],
['label' => t('User lifecycle')],
];

View File

@@ -0,0 +1,107 @@
<?php
/**
* @var array $values
* @var array $settings
* @var bool $canUpdateSettings
*/
use MintyPHP\Session;
$values = $values ?? [];
$settings = $settings ?? [];
$userInactivityDeactivateDays = (int) ($values['user_inactivity_deactivate_days'] ?? 180);
$userInactivityDeleteDays = (int) ($values['user_inactivity_delete_days'] ?? 365);
$userInactivityDeactivateDaysDesc = $settings['user_inactivity_deactivate_days']['description'] ?? 'setting.user_inactivity_deactivate_days';
$userInactivityDeleteDaysDesc = $settings['user_inactivity_delete_days']['description'] ?? 'setting.user_inactivity_delete_days';
$canUpdateSettings = (bool) ($canUpdateSettings ?? false);
$isReadOnly = !$canUpdateSettings;
$readonlyAttr = $isReadOnly ? 'readonly' : '';
?>
<div class="app-details-container">
<section>
<?php
$titlebar = [
'title' => t('User lifecycle settings'),
'backHref' => 'admin/settings',
'backTitle' => t('Cancel'),
'actions' => $canUpdateSettings ? [
[
'form' => 'settings-user-lifecycle-form',
'name' => 'action',
'value' => 'save',
'class' => 'secondary outline',
'label' => t('Save'),
],
[
'form' => 'settings-user-lifecycle-form',
'name' => 'action',
'value' => 'save_close',
'class' => 'primary',
'label' => t('Save & close'),
],
] : [],
];
require templatePath('partials/app-details-titlebar.phtml');
?>
<form id="settings-user-lifecycle-form" method="post" data-details-storage="settings-user-lifecycle-details-v1" data-standard-detail-form="1">
<details class="app-details-card" name="settings-user-lifecycle-policy" data-details-key="settings-user-lifecycle-policy" open>
<summary>
<span class="app-details-card-summary-title"><?php e(t('User lifecycle policy')); ?></span>
<span class="app-details-card-summary-meta">
<span class="badge" data-variant="neutral"><?php e((string) $userInactivityDeactivateDays); ?></span>
<span class="badge" data-variant="neutral"><?php e((string) $userInactivityDeleteDays); ?></span>
</span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="info">
<small><?php e(t('User lifecycle defines when inactive users are deactivated or deleted.')); ?></small>
</blockquote>
<div class="grid">
<label class="app-field">
<span><?php e(t('Deactivate users after inactivity (days)')); ?></span>
<input type="number" name="user_inactivity_deactivate_days"
value="<?php e((string) $userInactivityDeactivateDays); ?>" min="0" max="3650" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($userInactivityDeactivateDaysDesc)); ?> - <?php e(t('0 disables this rule')); ?></small>
</label>
<label class="app-field">
<span><?php e(t('Delete inactive users after (days)')); ?></span>
<input type="number" name="user_inactivity_delete_days"
value="<?php e((string) $userInactivityDeleteDays); ?>" min="0" max="3650" step="1"
<?php e($readonlyAttr); ?>>
<small><?php e(t($userInactivityDeleteDaysDesc)); ?> - <?php e(t('0 disables this rule')); ?></small>
</label>
</div>
</div>
</details>
<?php if ($canUpdateSettings): ?>
<details class="app-details-card" name="settings-user-lifecycle-run-now" data-details-key="settings-user-lifecycle-run-now">
<summary>
<span class="app-details-card-summary-title"><?php e(t('Run lifecycle now')); ?></span>
</summary>
<div class="app-details-card-container">
<blockquote data-variant="warning">
<small><?php e(t('This runs the lifecycle policy immediately and may deactivate or delete users.')); ?></small>
</blockquote>
<button type="submit" class="danger" formnovalidate
formaction="admin/settings/run-user-lifecycle"
formmethod="post"
data-detail-confirm-message="<?php e(t('Run user lifecycle now?')); ?>"
data-detail-action-kind="danger">
<?php e(t('Run user lifecycle now')); ?>
</button>
</div>
</details>
<?php endif; ?>
<?php Session::getCsrfInput(); ?>
</form>
</section>
<aside id="app-details-aside-section">
<div class="app-details-aside-section"></div>
</aside>
</div>

View File

@@ -16,7 +16,7 @@ class AuthzAdminSettingsContractTest extends TestCase
$this->assertStringContainsString('SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW', $indexContent);
// Subpages that expose a settings form: VIEW + UPDATE.
foreach (['general', 'security', 'email', 'api', 'sso'] as $section) {
foreach (['general', 'account-access', 'user-lifecycle', 'audit', 'telemetry', 'email', 'api', 'sso'] as $section) {
$content = $this->readProjectFile("pages/admin/settings/{$section}().php");
$this->assertStringContainsString('AuthorizationService::class', $content, $section);
$this->assertStringContainsString('SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_VIEW', $content, $section);

View File

@@ -59,7 +59,7 @@ class AuthzUiTemplateContractTest extends TestCase
// Settings was split into a landing hub + per-section subpages.
// The form-carrying subpages must use the server-side $canUpdateSettings
// capability instead of the legacy can() helper.
foreach (['general', 'security', 'email', 'api', 'sso', 'branding'] as $section) {
foreach (['general', 'account-access', 'user-lifecycle', 'audit', 'telemetry', 'email', 'api', 'sso', 'branding'] as $section) {
$templateContent = $this->readProjectFile("pages/admin/settings/{$section}(default).phtml");
$this->assertStringNotContainsString("can('settings.update')", $templateContent, $section);
$this->assertStringContainsString('$canUpdateSettings', $templateContent, $section);

View File

@@ -18,9 +18,11 @@ final class DetailActionPolicyContractFiles
'pages/admin/roles/edit(default).phtml',
'pages/admin/permissions/edit(default).phtml',
// Settings subpages that carry danger actions (and therefore need
// the data-detail-confirm-message contract) — general/email/sso/branding
// have no destructive buttons and are deliberately excluded.
'pages/admin/settings/security(default).phtml',
// the data-detail-confirm-message contract). Subpages without
// destructive buttons (general/audit/telemetry/email/sso/branding)
// are deliberately excluded.
'pages/admin/settings/account-access(default).phtml',
'pages/admin/settings/user-lifecycle(default).phtml',
'pages/admin/settings/api(default).phtml',
'templates/partials/app-details-titlebar.phtml',
'templates/partials/app-details-aside-actions.phtml',

View File

@@ -17,7 +17,10 @@ final class DetailPageContractFiles
'pages/admin/permissions/_form.phtml',
'pages/admin/scheduled-jobs/edit(default).phtml',
'pages/admin/settings/general(default).phtml',
'pages/admin/settings/security(default).phtml',
'pages/admin/settings/account-access(default).phtml',
'pages/admin/settings/user-lifecycle(default).phtml',
'pages/admin/settings/audit(default).phtml',
'pages/admin/settings/telemetry(default).phtml',
'pages/admin/settings/email(default).phtml',
'pages/admin/settings/api(default).phtml',
'pages/admin/settings/sso(default).phtml',