allow only partial server editing for maintainers

Author: phit

README.md

@@ -3,8 +3,6 @@
 
 A Laravel 12 application for preparing and deploying Minecraft modpack releases by comparing a modpack against a remote server snapshot, applying override rules, and syncing changed files over SFTP. The app provides a simple Web UI for server admins.
 
-**This README is current as of the workspace snapshot.**
-
 ## Highlights
 - Compare a modpack (zip or extracted folder) with a server snapshot to detect added, removed, and modified files.
 - Apply override rules per-path using plain text replace, JSON merge, or YAML merge.
@@ -19,7 +17,7 @@ A Laravel 12 application for preparing and deploying Minecraft modpack releases
 
 ## Prerequisites
 - Composer 2
-- Node.js 18+ and npm/yarn
+- for dev only: (Node.js 18+ and npm/yarn)
 - SFTP-accessible remote server (password or key auth)
 
 ## Quick Setup (developer)
@@ -30,11 +28,7 @@ composer install
 cp .env.example .env
 php artisan key:generate
 
-# Configure your DB in .env (SQLite / MySQL / Postgres)
-# For quick SQLite development:
-# echo "DB_CONNECTION=sqlite" >> .env
-# touch database/database.sqlite
-
+# default env will use sqlite
 php artisan migrate --force
 npm install
 # For development with HMR

app/Filament/Resources/Servers/Schemas/ServerForm.php

@@ -4,15 +4,20 @@
 
 namespace App\Filament\Resources\Servers\Schemas;
 
+use App\Models\User;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TagsInput;
 use Filament\Forms\Components\TextInput;
 use Filament\Schemas\Schema;
+use Illuminate\Support\Facades\Auth;
 
 class ServerForm
 {
     public static function configure(Schema $schema): Schema
     {
+        /** @var User $user */
+        $user = Auth::user();
+
         return $schema
             ->components([
                 TextInput::make('name')
@@ -28,18 +33,21 @@ public static function configure(Schema $schema): Schema
                 TextInput::make('host')
                     ->label('Host')
                     ->required()
-                    ->default('5.9.78.56'),
+                    ->default('mc.stonebound.net')
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TextInput::make('port')
                     ->label('SSH port')
                     ->required()
                     ->numeric()
                     ->minValue(1)
                     ->maxValue(65535)
-                    ->default(3875),
+                    ->default(3875)
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TextInput::make('username')
                     ->label('SSH username')
                     ->required()
-                    ->placeholder('deployer'),
+                    ->placeholder('deployer')
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 Select::make('auth_type')
                     ->label('Authentication')
                     ->options([
@@ -49,23 +57,28 @@ public static function configure(Schema $schema): Schema
                     ->required()
                     ->default('password')
                     ->native(false)
-                    ->reactive(),
+                    ->reactive()
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TextInput::make('password')
                     ->label('Password')
                     ->password()
                     ->revealable()
-                    ->required(fn ($get) => $get('auth_type') === 'password')
+                    ->required(fn ($get, $operation) => $operation === 'create' && $get('auth_type') === 'password')
                     ->hidden(fn ($get) => $get('auth_type') !== 'password')
-                    ->dehydrated(fn ($get, $state) => $get('auth_type') === 'password' && filled($state)),
+                    ->dehydrated(fn ($get, $state) => $get('auth_type') === 'password' && filled($state))
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TextInput::make('private_key_path')
                     ->label('Private key path')
                     ->placeholder('/home/user/.ssh/id_rsa')
+                    ->required(fn ($get, $operation) => $operation === 'create' && $get('auth_type') === 'private_key')
                     ->hidden(fn ($get) => $get('auth_type') !== 'private_key')
-                    ->dehydrated(fn ($get) => $get('auth_type') === 'private_key'),
+                    ->dehydrated(fn ($get) => $get('auth_type') === 'private_key')
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TextInput::make('remote_root_path')
                     ->label('Remote root path')
                     ->required()
-                    ->default('/'),
+                    ->default('/')
+                    ->disabled(fn ($operation) => $operation === 'update' && ! $user->isAdmin()),
                 TagsInput::make('include_paths')
                     ->label('Include folders')
                     ->placeholder('Add folders to include')

app/Models/User.php

@@ -60,6 +60,11 @@ public function isMaintainer(): bool
         return in_array($this->role, [UserRole::Maintainer, UserRole::Admin], true);
     }
 
+    public function isAdmin(): bool
+    {
+        return $this->role === UserRole::Admin;
+    }
+
     public function canAccessPanel(Panel $panel): bool
     {
         return true;

app/Policies/ServerPolicy.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies;
+
+use App\Enums\UserRole;
+use App\Models\Server;
+use App\Models\User;
+
+class ServerPolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return in_array($user->role, [UserRole::Admin, UserRole::Maintainer], true);
+    }
+
+    public function view(User $user, Server $server): bool
+    {
+        return in_array($user->role, [UserRole::Admin, UserRole::Maintainer], true);
+    }
+
+    public function update(User $user, Server $server): bool
+    {
+        // Only Admins and Maintainers can update provider, game version, and title
+        return in_array($user->role, [UserRole::Admin, UserRole::Maintainer], true);
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->role === UserRole::Admin;
+    }
+
+    public function delete(User $user, Server $server): bool
+    {
+        return $user->role === UserRole::Admin;
+    }
+}

tests/Feature/ServersControllerTest.php

@@ -40,7 +40,7 @@ public function test_list_servers(): void
 
     public function test_create_server(): void
     {
-        $user = User::factory()->create(['role' => 'maintainer']);
+        $user = User::factory()->create(['role' => 'admin']);
         $this->actingAs($user);
 
         Livewire::test(\App\Filament\Resources\Servers\Pages\CreateServer::class)
@@ -56,4 +56,13 @@ public function test_create_server(): void
 
         $this->assertDatabaseHas('servers', ['name' => 'TestSrv', 'host' => 'host.local']);
     }
+
+    public function test_maintainer_cant_create_server(): void
+    {
+        $user = User::factory()->create(['role' => 'maintainer']);
+        $this->actingAs($user);
+
+        Livewire::test(\App\Filament\Resources\Servers\Pages\CreateServer::class)
+            ->assertForbidden();
+    }
 }