feat: implement global permission checks for role management actions

Author: aspirantzhang

contexts/Authorization/Application/Coordinators/RoleCoordinator.php

@@ -9,11 +9,13 @@
 use Contexts\Authorization\Application\DTOs\Role\GetRoleListDTO;
 use Contexts\Authorization\Application\DTOs\Role\UpdateRoleDTO;
 use Contexts\Authorization\Domain\Factories\RoleFactory;
+use Contexts\Authorization\Domain\Policies\GlobalPermissionPolicy;
 use Contexts\Authorization\Domain\Repositories\RoleRepository;
 use Contexts\Authorization\Domain\Role\Models\Role;
 use Contexts\Authorization\Domain\Role\Models\RoleId;
 use Contexts\Authorization\Domain\Role\Models\RoleStatus;
 use Contexts\Shared\Application\BaseCoordinator;
+use Contexts\Shared\Policies\CompositePolicy;
 use Illuminate\Contracts\Pagination\LengthAwarePaginator;
 
 class RoleCoordinator extends BaseCoordinator
@@ -25,6 +27,10 @@ public function __construct(
 
     public function create(CreateRoleDTO $data): Role
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.create'),
+        ])->check();
+
         $role = $this->factory->create(
             RoleId::null(),
             $data->label,
@@ -36,16 +42,28 @@ public function create(CreateRoleDTO $data): Role
 
     public function getRole(int $id): Role
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.get'),
+        ])->check();
+
         return $this->repository->getById(RoleId::fromInt($id));
     }
 
     public function getRoleList(GetRoleListDTO $data): LengthAwarePaginator
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.list'),
+        ])->check();
+
         return $this->repository->paginate($data->currentPage, $data->perPage, $data->toCriteria(), $data->toSorting());
     }
 
     public function updateRole(int $id, UpdateRoleDTO $data): Role
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.udpate'),
+        ])->check();
+
         $role = $this->repository->getById(RoleId::fromInt($id));
         $role->modify(
             $data->label,
@@ -62,6 +80,10 @@ public function updateRole(int $id, UpdateRoleDTO $data): Role
 
     public function subspendRole(int $id)
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.suspend'),
+        ])->check();
+
         $role = $this->repository->getById(RoleId::fromInt($id));
         $role->subspend();
 
@@ -72,6 +94,10 @@ public function subspendRole(int $id)
 
     public function deleteRole(int $id)
     {
+        CompositePolicy::allOf([
+            new GlobalPermissionPolicy('role.delete'),
+        ])->check();
+
         $role = $this->repository->getById(RoleId::fromInt($id));
         $role->delete();
 

contexts/Authorization/Tests/Feature/RoleTest.php

@@ -1,11 +1,20 @@
 <?php
 
 declare(strict_types=1);
+use Contexts\Authorization\Domain\Policies\RolePolicy;
 use Contexts\Authorization\Domain\Role\Models\RoleStatus;
 use Contexts\Authorization\Infrastructure\Records\RoleRecord;
 
 beforeEach(function () {
-    $this->loginAsUser();
+    Config::set('policies.authorization', [
+        'context_default' => [
+            'handler' => RolePolicy::class,
+            'rules' => [
+                'roles' => ['admin'],
+            ],
+        ],
+    ]);
+    $this->loginAsAdmin();
 });
 
 it('can create active roles via api', function () {
@@ -59,12 +68,14 @@
 });
 
 it('can get a list of roles with sorting', function () {
+    $initialCount = RoleRecord::count();
+
     RoleRecord::factory(3)->create();
 
     $response = $this->get('roles?sorting=[{"id":"id","desc":false}]');
 
     $response->assertStatus(200);
-    $response->assertJsonCount(3, 'data');
+    $response->assertJsonCount(3 + $initialCount, 'data');
 
     $responseIds = collect($response->json('data'))->pluck('id')->all();
     $sortedIds = collect($responseIds)->sort()->values()->all();