coolify/app/Livewire/Team/Index.php
Andras Bacsai fcc58ca08a fix(auth): enforce dashboard authorization and improve team deletion
Add authorization gates to Project and Server creation buttons in the dashboard to prevent non-admin users from accessing resource creation. Improve team deletion to clear cache before deletion and automatically switch to the user's next available team.

- Hide create buttons from non-admin users in dashboard
- Clear cache before team deletion to prevent stale session resolution
- Switch user session to next available team when current team is deleted
- Handle refreshSession when user has no remaining teams
- Add tests for dashboard authorization enforcement and team deletion flow
2026-02-25 14:47:35 +01:00

126 lines
3.5 KiB
PHP

<?php
namespace App\Livewire\Team;
use App\Models\Team;
use App\Models\TeamInvitation;
use App\Support\ValidationPatterns;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\DB;
use Livewire\Component;
class Index extends Component
{
use AuthorizesRequests;
public $invitations = [];
public Team $team;
// Explicit properties
public string $name;
public ?string $description = null;
protected function rules(): array
{
return [
'name' => ValidationPatterns::nameRules(),
'description' => ValidationPatterns::descriptionRules(),
];
}
protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
[
'name.required' => 'The Name field is required.',
]
);
}
protected $validationAttributes = [
'name' => 'name',
'description' => 'description',
];
/**
* Sync data between component properties and model
*
* @param bool $toModel If true, sync FROM properties TO model. If false, sync FROM model TO properties.
*/
private function syncData(bool $toModel = false): void
{
if ($toModel) {
// Sync TO model (before save)
$this->team->name = $this->name;
$this->team->description = $this->description;
} else {
// Sync FROM model (on load/refresh)
$this->name = $this->team->name;
$this->description = $this->team->description;
}
}
public function mount()
{
$this->team = currentTeam();
$this->syncData(false);
if (auth()->user()->isAdminFromSession()) {
$this->invitations = TeamInvitation::whereTeamId(currentTeam()->id)->get();
}
}
public function render()
{
return view('livewire.team.index');
}
public function submit()
{
$this->validate();
try {
$this->authorize('update', $this->team);
$this->syncData(true);
$this->team->save();
refreshSession();
$this->dispatch('success', 'Team updated.');
} catch (\Throwable $e) {
return handleError($e, $this);
}
}
public function delete()
{
try {
$currentTeam = currentTeam();
$this->authorize('delete', $currentTeam);
$currentTeam->members->each(function ($user) use ($currentTeam) {
if ($user->id === Auth::id()) {
return;
}
$user->teams()->detach($currentTeam);
$session = DB::table('sessions')->where('user_id', $user->id)->first();
if ($session) {
DB::table('sessions')->where('id', $session->id)->delete();
}
});
// Clear stale cache before deleting so refreshSession doesn't resolve the deleted team
Cache::forget('user:'.Auth::id().':team:'.$currentTeam->id);
$currentTeam->delete();
// Switch to the user's next available team
$newTeam = Auth::user()->teams()->first();
refreshSession($newTeam);
return redirect()->route('team.index');
} catch (\Throwable $e) {
return handleError($e, $this);
}
}
}