sls/app/Models/User.php

106 lines
3.4 KiB
PHP

<?php
namespace App\Models;
// use Illuminate\Contracts\Auth\MustVerifyEmail;
use Database\Factories\UserFactory;
use Illuminate\Database\Eloquent\Attributes\Fillable;
use Illuminate\Database\Eloquent\Attributes\Hidden;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
#[Fillable(['name', 'email', 'password', 'role', 'microsoft_id', 'microsoft_token', 'microsoft_refresh_token', 'avatar', 'is_blocked'])]
#[Hidden(['password', 'remember_token'])]
class User extends Authenticatable
{
/** @use HasFactory<UserFactory> */
use HasFactory, Notifiable;
/**
* Check if user is an admin.
*/
public function isAdmin(): bool
{
return $this->role === 'admin';
}
/**
* Get the roles assigned to this user.
*/
public function roles()
{
return $this->belongsToMany(Role::class, 'role_user');
}
/**
* Get the app overrides (allow/deny) for this user.
*/
public function overrides()
{
return $this->hasMany(UserAppOverride::class);
}
/**
* Get the authorized apps for this user, computed from roles and overrides.
*/
public function authorizedApps()
{
if ($this->isAdmin()) {
return App::orderBy('name', 'asc')->get();
}
$roleIds = $this->roles()->pluck('roles.id')->toArray();
// Get apps associated with user's roles
$roleAppIds = \DB::table('app_role')
->whereIn('role_id', $roleIds)
->pluck('app_id')
->toArray();
// If no roles are assigned, user gets default access to Outlook email and Drive apps if registered
if (empty($roleIds)) {
$defaultAppIds = App::where(function ($query) {
$query->whereRaw('LOWER(name) LIKE ?', ['%outlook%'])
->orWhereRaw('LOWER(name) LIKE ?', ['%mail%'])
->orWhereRaw('LOWER(name) LIKE ?', ['%email%'])
->orWhereRaw('LOWER(name) LIKE ?', ['%drive%'])
->orWhereRaw('LOWER(name) LIKE ?', ['%onedrive%'])
->orWhereRaw('LOWER(tag) LIKE ?', ['%outlook%'])
->orWhereRaw('LOWER(tag) LIKE ?', ['%mail%'])
->orWhereRaw('LOWER(tag) LIKE ?', ['%email%'])
->orWhereRaw('LOWER(tag) LIKE ?', ['%drive%'])
->orWhereRaw('LOWER(tag) LIKE ?', ['%onedrive%']);
})->pluck('id')->toArray();
$roleAppIds = array_unique(array_merge($roleAppIds, $defaultAppIds));
}
// Get user overrides
$overrides = $this->overrides()->get();
$allowedAppIds = $overrides->where('type', 'allow')->pluck('app_id')->toArray();
$deniedAppIds = $overrides->where('type', 'deny')->pluck('app_id')->toArray();
// Compute final allowed app IDs: (Role Apps + Allowed Overrides) - Denied Overrides
$finalAppIds = array_diff(
array_unique(array_merge($roleAppIds, $allowedAppIds)),
$deniedAppIds
);
return App::whereIn('id', $finalAppIds)->orderBy('name', 'asc')->get();
}
/**
* Get the attributes that should be cast.
*
* @return array<string, string>
*/
protected function casts(): array
{
return [
'email_verified_at' => 'datetime',
'password' => 'hashed',
];
}
}