Add roles for project members; Restrict access to sensitive project v…

…alues
solidtime-io · Sep 30, 2024 · a6e5d37 · a6e5d37
1 parent 32c7e55
commit a6e5d37
Show file tree

Hide file tree

Showing 13 changed files with 332 additions and 13 deletions.
diff --git a/app/Enums/ProjectMemberRole.php b/app/Enums/ProjectMemberRole.php
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Enums;
+
+enum ProjectMemberRole: string
+{
+    case Manager = 'manager';
+    case Normal = 'normal';
+}
diff --git a/app/Http/Controllers/Api/V1/ProjectController.php b/app/Http/Controllers/Api/V1/ProjectController.php
@@ -4,6 +4,7 @@
 
 namespace App\Http\Controllers\Api\V1;
 
+use App\Enums\ProjectMemberRole;
 use App\Exceptions\Api\EntityStillInUseApiException;
 use App\Http\Requests\V1\Project\ProjectIndexRequest;
 use App\Http\Requests\V1\Project\ProjectStoreRequest;
@@ -15,6 +16,8 @@
 use App\Models\ProjectMember;
 use App\Service\BillableRateService;
 use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Resources\Json\JsonResource;
 use Illuminate\Support\Carbon;
@@ -50,6 +53,12 @@ public function index(Organization $organization, ProjectIndexRequest $request):
 
         if (! $canViewAllProjects) {
             $projectsQuery->visibleByEmployee($user);
+            $projectsQuery->with([
+                'members' => function (HasMany $query): void {
+                    /** @var Builder<ProjectMember> $query */
+                    $query->whereBelongsTo($this->user(), 'user');
+                },
+            ]);
         }
         $filterArchived = $request->getFilterArchived();
         if ($filterArchived === 'true') {
@@ -60,6 +69,14 @@ public function index(Organization $organization, ProjectIndexRequest $request):
 
         $projects = $projectsQuery->paginate(config('app.pagination_per_page_default'));
 
+        foreach ($projects->items() as $project) {
+            if ($canViewAllProjects) {
+                $project->setAttribute('limited_visibility', false);
+            } else {
+                $project->setAttribute('limited_visibility', $project->members->firstWhere('user_id', $this->user()->id)?->role !== ProjectMemberRole::Manager);
+            }
+        }
+
         return new ProjectCollection($projects);
     }
 
@@ -73,6 +90,26 @@ public function index(Organization $organization, ProjectIndexRequest $request):
     public function show(Organization $organization, Project $project): JsonResource
     {
         $this->checkPermission($organization, 'projects:view', $project);
+        $canViewAllProjects = $this->hasPermission($organization, 'projects:view:all');
+
+        $project->load([
+            'members' => function (HasMany $query): void {
+                /** @var Builder<ProjectMember> $query */
+                $query->whereBelongsTo($this->user(), 'user');
+            },
+        ]);
+
+        if (! $canViewAllProjects) {
+            if (! $project->is_public && $project->members->firstWhere('user_id', '=', $this->user()->id) === null) {
+                throw new AuthorizationException('No access to project');
+            }
+        }
+
+        if ($canViewAllProjects) {
+            $project->setAttribute('limited_visibility', false);
+        } else {
+            $project->setAttribute('limited_visibility', $project->members->firstWhere('user_id', $this->user()->id)?->role !== ProjectMemberRole::Manager);
+        }
 
         $project->load('organization');
 
@@ -101,6 +138,8 @@ public function store(Organization $organization, ProjectStoreRequest $request):
         $project->organization()->associate($organization);
         $project->save();
 
+        $project->setAttribute('limited_visibility', false);
+
         return new ProjectResource($project);
     }
 
@@ -132,6 +171,8 @@ public function update(Organization $organization, Project $project, ProjectUpda
             $billableRateService->updateTimeEntriesBillableRateForProject($project);
         }
 
+        $project->setAttribute('limited_visibility', false);
+
         return new ProjectResource($project);
     }
 

diff --git a/app/Http/Controllers/Api/V1/ProjectMemberController.php b/app/Http/Controllers/Api/V1/ProjectMemberController.php
@@ -72,6 +72,7 @@ public function store(Organization $organization, Project $project, ProjectMembe
         }
 
         $projectMember = new ProjectMember;
+        $projectMember->role = $request->getRole();
         $projectMember->billable_rate = $request->getBillableRate();
         $projectMember->member()->associate($member);
         $projectMember->user()->associate($member->user);
@@ -95,11 +96,17 @@ public function store(Organization $organization, Project $project, ProjectMembe
     public function update(Organization $organization, ProjectMember $projectMember, ProjectMemberUpdateRequest $request, BillableRateService $billableRateService): JsonResource
     {
         $this->checkPermission($organization, 'project-members:update', projectMember: $projectMember);
-        $oldBillableRate = $projectMember->billable_rate;
-        $projectMember->billable_rate = $request->getBillableRate();
+        $hasBillableRate = $request->has('billable_rate');
+        if ($hasBillableRate) {
+            $oldBillableRate = $projectMember->billable_rate;
+            $projectMember->billable_rate = $request->getBillableRate();
+        }
+        if ($request->getRole() !== null) {
+            $projectMember->role = $request->getRole();
+        }
         $projectMember->save();
 
-        if ($oldBillableRate !== $request->getBillableRate()) {
+        if ($hasBillableRate && $oldBillableRate !== $request->getBillableRate()) {
             $billableRateService->updateTimeEntriesBillableRateForProjectMember($projectMember);
         }
 

diff --git a/app/Http/Requests/V1/ProjectMember/ProjectMemberStoreRequest.php b/app/Http/Requests/V1/ProjectMember/ProjectMemberStoreRequest.php
@@ -4,11 +4,13 @@
 
 namespace App\Http\Requests\V1\ProjectMember;
 
+use App\Enums\ProjectMemberRole;
 use App\Models\Member;
 use App\Models\Organization;
 use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 use Korridor\LaravelModelValidationRules\Rules\ExistsEloquent;
 
 /**
@@ -19,7 +21,7 @@ class ProjectMemberStoreRequest extends FormRequest
     /**
      * Get the validation rules that apply to the request.
      *
-     * @return array<string, array<string|ValidationRule>>
+     * @return array<string, array<string|ValidationRule|\Illuminate\Contracts\Validation\Rule>>
      */
     public function rules(): array
     {
@@ -37,6 +39,11 @@ public function rules(): array
                 'integer',
                 'min:0',
             ],
+            'role' => [
+                'required',
+                'string',
+                Rule::enum(ProjectMemberRole::class),
+            ],
         ];
     }
 
@@ -46,4 +53,9 @@ public function getBillableRate(): ?int
 
         return $input !== null && $input !== 0 ? (int) $this->input('billable_rate') : null;
     }
+
+    public function getRole(): ProjectMemberRole
+    {
+        return ProjectMemberRole::from($this->validated('role'));
+    }
 }
diff --git a/app/Http/Requests/V1/ProjectMember/ProjectMemberUpdateRequest.php b/app/Http/Requests/V1/ProjectMember/ProjectMemberUpdateRequest.php
@@ -4,9 +4,11 @@
 
 namespace App\Http\Requests\V1\ProjectMember;
 
+use App\Enums\ProjectMemberRole;
 use App\Models\Organization;
 use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 /**
  * @property Organization $organization Organization from model binding
@@ -16,7 +18,7 @@ class ProjectMemberUpdateRequest extends FormRequest
     /**
      * Get the validation rules that apply to the request.
      *
-     * @return array<string, array<string|ValidationRule>>
+     * @return array<string, array<string|ValidationRule|\Illuminate\Contracts\Validation\Rule>>
      */
     public function rules(): array
     {
@@ -26,13 +28,22 @@ public function rules(): array
                 'integer',
                 'min:0',
             ],
+            'role' => [
+                'string',
+                Rule::enum(ProjectMemberRole::class),
+            ],
         ];
     }
 
     public function getBillableRate(): ?int
     {
         $input = $this->input('billable_rate');
 
-        return $input !== null && $input !== 0 ? (int) $this->input('billable_rate') : null;
+        return $input !== null && ((int) $input) !== 0 ? (int) $this->validated('billable_rate') : null;
+    }
+
+    public function getRole(): ?ProjectMemberRole
+    {
+        return $this->has('role') ? ProjectMemberRole::from($this->validated('role')) : null;
     }
 }
diff --git a/app/Http/Resources/V1/Project/ProjectResource.php b/app/Http/Resources/V1/Project/ProjectResource.php
@@ -20,6 +20,8 @@ class ProjectResource extends BaseResource
      */
     public function toArray(Request $request): array
     {
+        $limitedVisibility = is_bool($this->resource->getAttributeValue('limited_visibility')) ? $this->resource->getAttributeValue('limited_visibility') : true;
+
         return [
             /** @var string $id ID of project */
             'id' => $this->resource->id,
@@ -32,13 +34,15 @@ public function toArray(Request $request): array
             /** @var bool $is_archived Whether the client is archived */
             'is_archived' => $this->resource->is_archived,
             /** @var int|null $billable_rate Billable rate in cents per hour */
-            'billable_rate' => $this->resource->billable_rate,
+            'billable_rate' => $limitedVisibility ? null : $this->resource->billable_rate,
             /** @var bool $is_billable Project time entries billable default */
             'is_billable' => $this->resource->is_billable,
             /** @var int|null $estimated_time Estimated time in seconds */
-            'estimated_time' => $this->resource->estimated_time,
+            'estimated_time' => $limitedVisibility ? null : $this->resource->estimated_time,
             /** @var int $spent_time Spent time on this project in seconds (sum of the duration of all associated time entries, excl. still running time entries) */
-            'spent_time' => $this->resource->spent_time,
+            'spent_time' => $limitedVisibility ? null : $this->resource->spent_time,
+            /** @var bool $limited_visibility */
+            'limited_visibility' => $limitedVisibility,
         ];
     }
 }
diff --git a/app/Models/ProjectMember.php b/app/Models/ProjectMember.php
@@ -4,6 +4,7 @@
 
 namespace App\Models;
 
+use App\Enums\ProjectMemberRole;
 use App\Models\Concerns\CustomAuditable;
 use App\Models\Concerns\HasUuids;
 use Database\Factories\ProjectMemberFactory;
@@ -22,6 +23,7 @@
  * @property string $user_id User ID (legacy)
  * @property Carbon|null $created_at
  * @property Carbon|null $updated_at
+ * @property ProjectMemberRole $role
  * @property-read Project $project
  * @property-read Member $member
  * @property-read User $user
@@ -45,6 +47,7 @@ class ProjectMember extends Model implements AuditableContract
      */
     protected $casts = [
         'billable_rate' => 'int',
+        'role' => ProjectMemberRole::class,
     ];
 
     /**

diff --git a/database/factories/ProjectMemberFactory.php b/database/factories/ProjectMemberFactory.php
@@ -4,6 +4,7 @@
 
 namespace Database\Factories;
 
+use App\Enums\ProjectMemberRole;
 use App\Models\Member;
 use App\Models\Project;
 use App\Models\ProjectMember;
@@ -24,12 +25,22 @@ public function definition(): array
     {
         return [
             'billable_rate' => $this->faker->numberBetween(10, 10000) * 100,
+            'role' => ProjectMemberRole::Normal,
             'project_id' => Project::factory(),
             'user_id' => User::factory(),
             'member_id' => Member::factory(),
         ];
     }
 
+    public function role(ProjectMemberRole $role): self
+    {
+        return $this->state(function (array $attributes) use ($role) {
+            return [
+                'role' => $role,
+            ];
+        });
+    }
+
     /**
      * @deprecated Use forMember instead
      */

diff --git a/database/migrations/2024_09_30_155934_add_role_to_project_members_table.php b/database/migrations/2024_09_30_155934_add_role_to_project_members_table.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('project_members', function (Blueprint $table): void {
+            $table->string('role')->default('normal');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('project_members', function (Blueprint $table): void {
+            $table->dropColumn('role');
+        });
+    }
+};