

@kevalyq kevalyq commented Nov 11, 2025

🎯 Objective

Implement idempotent seeder for predefined roles and permissions (RBAC Phase 4).

📋 Changes

Seeder Implementation

  • ✅ Created RolesAndPermissionsSeeder.php with idempotent firstOrCreate() pattern
  • ✅ Added guard_name='sanctum' to all Permission and Role creation
  • ✅ Added missing permissions.assign_direct and permissions.revoke_direct
  • ✅ Registered seeder in DatabaseSeeder.php call chain

Predefined Roles (5)

  • Admin: Full system access (37 permissions)
  • Manager: Branch-scoped management (16 permissions)
  • Guard: Own data + shift assignments (5 permissions)
  • Client: Read-only location data (3 permissions)
  • Works Council: BR-specific permissions (8 permissions)

Permission Groups (37 total)

  • Employees (7): read, create, update, delete, read_salary, read_all_branches, export
  • Shifts (6): read, create, update, delete, publish, approve_as_br
  • Work Instructions (7): read, create, update, delete, publish, acknowledge, view_acknowledgments
  • Roles (6): read, create, update, delete, assign_temporary, extend_expiration
  • Permissions (6): read, create, update, delete, assign_direct, revoke_direct
  • Works Council (2): access_employee_files, approve_shift_plans
  • Reports (3): generate, view, export

Idempotency Testing

  • ✅ Seeder runs 3+ times without duplicates
  • ✅ Verified: Role::count() === 5
  • ✅ Verified: Permission::count() === 37
  • ✅ All roles use guard_name='sanctum'
  • ✅ All permissions use guard_name='sanctum'

🧪 Quality Gates

  • ✅ PHPStan Level Max: 0 errors
  • ✅ Laravel Pint: Clean (0 files changed)
  • ✅ REUSE 3.3: Compliant (164/164 files)
  • ✅ Domain Policy: Passed (secpal.app/dev only)
  • ✅ Markdownlint: 0 errors
  • ✅ Tests: 233 passed in 19.86s

✅ Acceptance Criteria

  • ✅ Seeder creates 5 predefined roles with correct permissions
  • ✅ Seeder is idempotent (can run multiple times safely)
  • ✅ Deleted predefined roles are recreated on next seeder run
  • ✅ All permissions use guard_name='sanctum'
  • ✅ All roles use guard_name='sanctum'
  • ✅ No errors when running seeder repeatedly
  • ✅ PHPStan + Pint clean

📊 Test Results

# Idempotency Test (3 runs)
ddev exec php artisan db:seed --class=RolesAndPermissionsSeeder  # ✓
ddev exec php artisan db:seed --class=RolesAndPermissionsSeeder  # ✓
ddev exec php artisan db:seed --class=RolesAndPermissionsSeeder  # ✓

# Verification
Role::count()       // 5
Permission::count() // 37

🔗 Related Issues

Fixes #139
Part of #108 - RBAC Phase 4

πŸ“ Review Checklist

  • ✅ Seeder uses firstOrCreate() everywhere
  • ✅ Guard name explicit (sanctum) for all permissions
  • ✅ Guard name explicit (sanctum) for all roles
  • ✅ Permission naming follows resource.action convention
  • ✅ All 5 predefined roles have correct permissions
  • ✅ Tested running seeder 3+ times (no duplicates)
  • ✅ PHPDoc explains idempotency

Type: Database / RBAC
Size: ~6 LOC changed
Risk: Low (data seeding, idempotent design)
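The idempotent pattern the description refers to, written out as an added illustration rather than the project's own RolesAndPermissionsSeeder.php. It assumes the spatie/laravel-permission Role and Permission models (the guard_name column points that way), resource slugs derived from the group names on the page (employees, shifts, work_instructions, roles, permissions, works_council, reports), and placeholder grant sets for the four non-Admin roles, since the PR states only their permission counts:

```php
<?php

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

/**
 * Illustrative idempotent RBAC seeder (example code, not the project's file).
 *
 * Lookups use `name` only; `guard_name` is passed as a creation attribute.
 * Re-running therefore finds existing rows instead of inserting more, and a
 * predefined role that was deleted is recreated on the next run.
 */
class RolesAndPermissionsSeeder extends Seeder
{
    private const GUARD = 'sanctum';

    /**
     * resource => actions: 37 permissions in 7 groups, taken from the PR description.
     * The resource slugs are assumed; the PR shows only the display names.
     */
    private const PERMISSIONS = [
        'employees'         => ['read', 'create', 'update', 'delete', 'read_salary', 'read_all_branches', 'export'],
        'shifts'            => ['read', 'create', 'update', 'delete', 'publish', 'approve_as_br'],
        'work_instructions' => ['read', 'create', 'update', 'delete', 'publish', 'acknowledge', 'view_acknowledgments'],
        'roles'             => ['read', 'create', 'update', 'delete', 'assign_temporary', 'extend_expiration'],
        'permissions'       => ['read', 'create', 'update', 'delete', 'assign_direct', 'revoke_direct'],
        'works_council'     => ['access_employee_files', 'approve_shift_plans'],
        'reports'           => ['generate', 'view', 'export'],
    ];

    /**
     * role => granted permissions. Admin holds all 37 as the PR states; the other
     * four sets are hypothetical placeholders (the PR gives only counts:
     * Manager 16, Guard 5, Client 3, Works Council 8).
     */
    private const ROLES = [
        'Admin'         => '*',
        'Manager'       => ['employees.read', 'employees.create', 'employees.update', 'shifts.read', 'shifts.publish'],
        'Guard'         => ['shifts.read'],
        'Client'        => ['reports.view'],
        'Works Council' => ['works_council.access_employee_files', 'works_council.approve_shift_plans', 'shifts.approve_as_br'],
    ];

    public function run(): void
    {
        // spatie caches the permission table; reset it so this run sees the real rows.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        $all = [];
        foreach (self::PERMISSIONS as $resource => $actions) {
            foreach ($actions as $action) {
                $name = "{$resource}.{$action}";
                // Search by name only; guard_name is applied only when the row is created.
                Permission::firstOrCreate(['name' => $name], ['guard_name' => self::GUARD]);
                $all[] = $name;
            }
        }

        foreach (self::ROLES as $roleName => $grants) {
            $role = Role::firstOrCreate(['name' => $roleName], ['guard_name' => self::GUARD]);
            // syncPermissions converges the grant set on every run: missing grants are
            // added and grants not in the list are removed, so manual drift is undone.
            $role->syncPermissions($grants === '*' ? $all : $grants);
        }

        app(PermissionRegistrar::class)->forgetCachedPermissions();
    }
}
```

Two design choices worth noting. syncPermissions() rather than givePermissionTo() makes the grant set itself idempotent, so a permission someone attached to a predefined role by hand is removed again on the next deploy. And because syncPermissions() resolves names within the role's own guard, a permission row that exists under a different guard surfaces as a PermissionDoesNotExist exception instead of a silently incomplete role.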

- Create 5 predefined roles: Admin, Manager, Guard, Client, Works Council
- Create 37 permissions across 7 resource groups
- Idempotent design using firstOrCreate()
- All roles/permissions use guard_name='sanctum'
- Add permissions.assign_direct + permissions.revoke_direct
- Tested: No duplicates after 3 runs

Fixes #139
@kevalyq kevalyq marked this pull request as ready for review November 11, 2025 20:04
Copilot AI review requested due to automatic review settings November 11, 2025 20:04
@github-actions

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

Copilot finished reviewing on behalf of kevalyq November 11, 2025 20:07

Copilot AI left a comment


Pull Request Overview

This PR implements an idempotent seeder for RBAC Phase 4, adding predefined roles and permissions with explicit Sanctum guard names. The key changes add guard_name='sanctum' to Role and Permission creation and introduce two new permission actions for direct permission management.

  • Adds explicit guard_name='sanctum' to all Permission and Role creation calls
  • Introduces permissions.assign_direct and permissions.revoke_direct actions
  • Ensures idempotent seeder operation using firstOrCreate() pattern

- Move guard_name to second parameter (values on create)
- First parameter now only searches by name (prevents duplicates)
- Fixes Copilot review comments on PR #150

Previously: firstOrCreate(['name' => ..., 'guard_name' => ...])
Would search for BOTH name AND guard_name, creating duplicates
if same name exists with different guard.

Now: firstOrCreate(['name' => ...], ['guard_name' => ...])
Searches only by name, sets guard_name only on creation.
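A feature test that pins down the behaviour this commit message describes, added here as an example and not part of the repository's test suite. It assumes Laravel's RefreshDatabase trait, the seeder class name given in the PR, and the spatie/laravel-permission models:

```php
<?php

namespace Tests\Feature;

use Database\Seeders\RolesAndPermissionsSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Tests\TestCase;

/** Illustrative regression test for the seeder (example code, not the project's). */
class RolesAndPermissionsSeederTest extends TestCase
{
    use RefreshDatabase;

    public function test_seeder_is_idempotent_and_uses_sanctum_guard(): void
    {
        // Three runs, mirroring the manual check in the PR: counts must not grow.
        foreach (range(1, 3) as $run) {
            $this->seed(RolesAndPermissionsSeeder::class);
            $this->assertSame(5, Role::count(), "role count drifted on run {$run}");
            $this->assertSame(37, Permission::count(), "permission count drifted on run {$run}");
        }

        // Every row must carry the sanctum guard. Because the seeder looks rows up by
        // name only, a pre-existing same-named row under another guard would be reused
        // rather than re-created; this assertion is what would catch that.
        $this->assertSame(0, Role::where('guard_name', '!=', 'sanctum')->count());
        $this->assertSame(0, Permission::where('guard_name', '!=', 'sanctum')->count());

        // A deleted predefined role must be recreated on the next run.
        Role::where('name', 'Guard')->delete();
        $this->assertSame(4, Role::count());
        $this->seed(RolesAndPermissionsSeeder::class);
        $this->assertSame(5, Role::count());
        $this->assertSame('sanctum', Role::findByName('Guard', 'sanctum')->guard_name);
    }
}
```

Running this in CI turns the "seeder runs 3+ times without duplicates" checklist item into an automated check, so a later edit that reintroduces guard_name into the lookup array, or drops it from the creation attributes, fails the build instead of being noticed in production.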
@kevalyq kevalyq merged commit ae77946 into main Nov 11, 2025
16 checks passed
@kevalyq kevalyq deleted the feat/issue-139-roles-permissions-seeder branch November 11, 2025 20:17

Development

Successfully merging this pull request may close these issues.

Predefined Roles & Permissions Seeder (Idempotent) - RBAC Phase 4

2 participants