feat: admin panel module with tenant-aware infrastructure

app-modules/panel-admin/composer.json

@@ -0,0 +1,28 @@
+{
+    "name": "he4rt/panel-admin",
+    "description": "",
+    "type": "library",
+    "version": "1.0",
+    "license": "proprietary",
+    "require": {},
+    "autoload": {
+        "psr-4": {
+            "He4rt\\PanelAdmin\\": "src/",
+            "He4rt\\PanelAdmin\\Database\\Factories\\": "database/factories/",
+            "He4rt\\PanelAdmin\\Database\\Seeders\\": "database/seeders/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "He4rt\\PanelAdmin\\Tests\\": "tests/"
+        }
+    },
+    "minimum-stability": "stable",
+    "extra": {
+        "laravel": {
+            "providers": [
+                "He4rt\\PanelAdmin\\PanelAdminServiceProvider"
+            ]
+        }
+    }
+}

app-modules/panel-admin/config/panel-admin.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+return [
+    'modules' => [
+        // Modules whose Filament/Admin/ resources will be discovered
+        // Ex: 'identity', 'gamification', 'events'
+    ],
+
+    'tenant_scoped_models' => [
+        // Models that receive tenant global scope
+        // Ex: \He4rt\Identity\User\Models\User::class,
+    ],
+];

app-modules/panel-admin/phpstan.ignore.neon

@@ -0,0 +1,2 @@
+parameters:
+    ignoreErrors: []

app-modules/panel-admin/phpstan.neon

@@ -0,0 +1,6 @@
+includes:
+    - phpstan.ignore.neon
+
+parameters:
+    paths:
+        - src/

app-modules/panel-admin/src/Http/Middleware/ApplyTenantScopes.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace He4rt\PanelAdmin\Http\Middleware;
+
+use Closure;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class ApplyTenantScopes
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $tenant = Filament::getTenant();
+
+        if (!$tenant) {
+            return $next($request);
+        }
+
+        foreach (config('panel-admin.tenant_scoped_models', []) as $model) {
+            $model::addGlobalScope(
+                'tenant',
+                fn (Builder $query) => $query->whereBelongsTo($tenant),
+            );
+        }
+
+        return $next($request);
+    }
+}

app-modules/panel-admin/src/Pages/Dashboard.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace He4rt\PanelAdmin\Pages;
+
+use BackedEnum;
+use Filament\Pages\Dashboard as BaseDashboard;
+
+class Dashboard extends BaseDashboard
+{
+    protected static string|null|BackedEnum $navigationIcon = 'heroicon-o-home';
+
+    protected static ?string $title = 'Dashboard';
+}

app-modules/panel-admin/src/PanelAdminServiceProvider.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace He4rt\PanelAdmin;
+
+use Illuminate\Support\ServiceProvider;
+
+class PanelAdminServiceProvider extends ServiceProvider
+{
+    public function register(): void
+    {
+        $this->mergeConfigFrom(__DIR__.'/../config/panel-admin.php', 'panel-admin');
+    }
+
+    public function boot(): void
+    {
+        $this->loadViewsFrom(__DIR__.'/../resources/views', 'panel-admin');
+    }
+}

app-modules/panel-admin/tests/Feature/AdminPanelAccessTest.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+use Filament\Facades\Filament;
+use He4rt\Identity\Tenant\Models\Tenant;
+use He4rt\Identity\User\Models\User;
+
+test('unauthenticated user is redirected to login', function (): void {
+    $tenant = Tenant::factory()->create(['slug' => 'he4rt-dev']);
+
+    $this
+        ->get('/admin/'.$tenant->slug)
+        ->assertRedirect('/admin/login');
+});
+
+test('admin login page renders', function (): void {
+    $this
+        ->get('/admin/login')
+        ->assertOk();
+});
+
+test('authenticated admin can access admin panel', function (): void {
+    $tenant = Tenant::factory()->create(['slug' => 'he4rt-dev']);
+    $user = User::factory()->create(['username' => 'danielhe4rt']);
+
+    $tenant->members()->attach($user);
+
+    config(['he4rt.admins' => 'danielhe4rt']);
+
+    $this
+        ->actingAs($user)
+        ->get('/admin')
+        ->assertRedirect();
+});
+
+test('admin user can access panel via canAccessPanel', function (): void {
+    $user = User::factory()->create(['username' => 'danielhe4rt']);
+
+    config(['he4rt.admins' => 'danielhe4rt']);
+
+    $panel = Filament::getPanel('admin');
+
+    expect($user->canAccessPanel($panel))->toBeTrue();
+});
+
+test('non-admin user cannot access admin panel in production', function (): void {
+    $user = User::factory()->create(['username' => 'regular-user']);
+
+    config(['he4rt.admins' => 'danielhe4rt']);
+
+    app()->detectEnvironment(fn () => 'production');
+
+    $panel = Filament::getPanel('admin');
+
+    expect($user->canAccessPanel($panel))->toBeFalse();
+});

app-modules/panel-admin/tests/Feature/ApplyTenantScopesTest.php

@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+use Filament\Facades\Filament;
+use He4rt\Events\Models\EventModel;
+use He4rt\Identity\Tenant\Models\Tenant;
+use He4rt\Identity\User\Models\User;
+use He4rt\PanelAdmin\Http\Middleware\ApplyTenantScopes;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+
+test('applies global scope to configured models when tenant is set', function (): void {
+    $tenant = Tenant::factory()->create();
+
+    Filament::shouldReceive('getTenant')
+        ->andReturn($tenant);
+
+    config(['panel-admin.tenant_scoped_models' => [
+        EventModel::class,
+    ]]);
+
+    $middleware = new ApplyTenantScopes();
+
+    $middleware->handle(
+        Request::create('/admin'),
+        fn () => new Response(),
+    );
+
+    $query = EventModel::query()->toSql();
+
+    expect($query)->toContain('where');
+});
+
+test('skips scope application when no tenant is set', function (): void {
+    Filament::shouldReceive('getTenant')
+        ->andReturn(null);
+
+    config(['panel-admin.tenant_scoped_models' => [
+        User::class,
+    ]]);
+
+    $middleware = new ApplyTenantScopes();
+
+    $middleware->handle(
+        Request::create('/admin'),
+        fn () => new Response(),
+    );
+
+    $query = User::query()->toSql();
+
+    expect($query)->not->toContain('tenant_id');
+});
+
+test('handles empty tenant_scoped_models config', function (): void {
+    $tenant = Tenant::factory()->create();
+
+    Filament::shouldReceive('getTenant')
+        ->andReturn($tenant);
+
+    config(['panel-admin.tenant_scoped_models' => []]);
+
+    $middleware = new ApplyTenantScopes();
+
+    $response = $middleware->handle(
+        Request::create('/admin'),
+        fn () => new Response('ok'),
+    );
+
+    expect($response->getContent())->toBe('ok');
+});

app/Providers/Filament/AdminPanelProvider.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Providers\Filament;
+
+use App\Enums\FilamentPanel;
+use App\Filament\Pages\Login;
+use Filament\Http\Middleware\Authenticate;
+use Filament\Http\Middleware\AuthenticateSession;
+use Filament\Http\Middleware\DisableBladeIconComponents;
+use Filament\Http\Middleware\DispatchServingFilamentEvent;
+use Filament\Panel;
+use Filament\PanelProvider;
+use Filament\Support\Colors\Color;
+use He4rt\Identity\Tenant\Models\Tenant;
+use He4rt\PanelAdmin\Pages\Dashboard;
+use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
+use Illuminate\Cookie\Middleware\EncryptCookies;
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Routing\Middleware\SubstituteBindings;
+use Illuminate\Session\Middleware\StartSession;
+use Illuminate\View\Middleware\ShareErrorsFromSession;
+
+class AdminPanelProvider extends PanelProvider
+{
+    public function panel(Panel $panel): Panel
+    {
+        $panel
+            ->id('admin')
+            ->path('admin')
+            ->login(Login::class)
+            ->colors([
+                'primary' => Color::Purple,
+            ])
+            ->tenant(Tenant::class, slugAttribute: 'slug')
+            ->middleware([
+                EncryptCookies::class,
+                AddQueuedCookiesToResponse::class,
+                StartSession::class,
+                AuthenticateSession::class,
+                ShareErrorsFromSession::class,
+                VerifyCsrfToken::class,
+                SubstituteBindings::class,
+                DisableBladeIconComponents::class,
+                DispatchServingFilamentEvent::class,
+            ])
+            ->pages([
+                Dashboard::class,
+            ])
+            ->authMiddleware([
+                Authenticate::class,
+            ]);
+
+        foreach (config('panel-admin.modules', []) as $module) {
+            $panel->discoverResourcesForPanel($module, FilamentPanel::Admin);
+        }
+
+        return $panel;
+    }
+}

bootstrap/providers.php

@@ -4,12 +4,14 @@
 
 use App\Providers\AppServiceProvider;
 use App\Providers\EventServiceProvider;
+use App\Providers\Filament\AdminPanelProvider;
 use App\Providers\FilamentServiceProvider;
 use App\Providers\RouteServiceProvider;
 
 return [
     AppServiceProvider::class,
     EventServiceProvider::class,
     FilamentServiceProvider::class,
+    AdminPanelProvider::class,
     RouteServiceProvider::class,
 ];

composer.json

@@ -27,6 +27,7 @@
         "he4rt/integration-devto": ">=1",
         "he4rt/integration-discord": ">=1",
         "he4rt/integration-twitch": ">=1",
+        "he4rt/panel-admin": ">=1",
         "he4rt/portal": ">=1",
         "internachi/modular": "^3.0.2",
         "laracord/framework": "dev-next",