# Checklist: POS Access Control & Login Hardening

## 1. **User Type Check & Parent Role Configuration**

- [x] **app/Http/Controllers/Helpers/Permissions/UserPermissions.php**: Ensure the `POS_TERMINAL` role has:
  - `ViewPosReports`
  - `ViewCustomers`
  - `ViewUserInfo` (for customer lookup)
  - `ManageUserInfo` (for customer lookup)
  - `ViewShipments` (optional? The user didn't specify it, but it is often needed.)
- [x] **app/Http/Controllers/Helpers/Permissions/UserPermissions.php**: Verify that `STORE_MANAGER` is the only parent role for `POS_TERMINAL`.
- [x] **app/Http/Controllers/Helpers/Permissions/UserTypeService.php**: Ensure `STORE_MANAGER` (and above) can create `POS_TERMINAL` users.

## 2. **Store-Level Authorization Helper**

- [x] Create a helper to verify whether a user is allowed to access a specific store's POS/Reports.
- [x] Implementation:

```php
/**
 * Decide whether $user may use the POS / reports of the store identified by $storeId.
 * Callers must treat a false result as a hard deny (403), not as a UI hint.
 */
public static function isUserAllowedAccessToStore($user, $storeId): bool
{
    // Platform super-user: unrestricted
    if ($user->acct_type === UserTypes::ULTIMATE) return true;

    $store = Store::find($storeId);
    if (!$store) return false;

    // Check if user owns or manages the store
    if ($user->id === $store->owner_id || $user->id === $store->manager_id) return true;

    // Check if user's parent is the owner/manager (for POS_TERMINAL/RIDER)
    if ($user->parentuid === $store->owner_id || $user->parentuid === $store->manager_id) return true;

    // Check if user is an ancestor of the owner/manager
    if (self::isAncestorOf($user, $store->owner) || self::isAncestorOf($user, $store->manager)) return true;

    return false;
}
```

## 3. **Controller Hardening**

- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `startSession` using `store_hash`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getSession` when looking up a store session.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getTodayStats`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getPosSessions`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getCustomers`.

## 4. **Testing & Validation**

- [x] Create **tests/Feature/PosAccessTest.php**:
  - Test `POS_TERMINAL` login.
  - Test access to an authorized store (success).
  - Test access to an unauthorized store (fail, 401/403).
  - Test access to manager-only pages (fail, 302).
- [x] Run the tests and ensure 100% success.
- [x] Perform a final sanity check on the UI (`PosMain.vue`) to ensure there are no broken links.
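The following is an added example, not code from the project or this checklist, showing how items 3 and 4 fit together: the helper is applied in `startSession` (resolving the store from `store_hash`) and in `getSession` (gating on the store of the looked-up session, since the session id is user-supplied), and a feature test asserts that a `POS_TERMINAL` user gets 201/200 for its own store and 403 for another store's resources. The `StoreAccess` class name, the `PosSession` model, the `store_hash` column, the route paths, the model factories and the `UserTypes` namespace are assumptions for illustration; in the real code base the two classes live in the two files the checklist names.

```php
<?php
// Added example; assumed names are marked below.

namespace App\Http\Controllers\Market;

use App\Http\Controllers\Controller;
use App\Http\Controllers\Helpers\Permissions\StoreAccess; // assumed home of isUserAllowedAccessToStore()
use App\Models\PosSession;                                 // assumed model backing POS sessions
use App\Models\Store;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class PosController extends Controller
{
    // POST /pos/session/start  {store_hash}
    public function startSession(Request $request): JsonResponse
    {
        $data = $request->validate(['store_hash' => ['required', 'string']]);

        // Resolve the store from the opaque hash first, then authorise against its id:
        // an unknown hash is a 404, a known store the caller may not use is a 403.
        $store = Store::where('store_hash', $data['store_hash'])->firstOrFail();
        abort_unless(StoreAccess::isUserAllowedAccessToStore($request->user(), $store->id), 403);

        $session = PosSession::create([
            'store_id' => $store->id,
            'user_id'  => $request->user()->id,
        ]);

        return response()->json(['session_id' => $session->id], 201);
    }

    // GET /pos/session/{id}
    public function getSession(Request $request, int $id): JsonResponse
    {
        // Gate on the store the session belongs to, never on the caller's own store:
        // the id comes from the client and may point at another store's session.
        $session = PosSession::findOrFail($id);
        abort_unless(StoreAccess::isUserAllowedAccessToStore($request->user(), $session->store_id), 403);

        return response()->json($session);
    }
}

namespace Tests\Feature;

use App\Http\Controllers\Helpers\Permissions\UserTypes; // assumed namespace of the UserTypes constants
use App\Models\PosSession;
use App\Models\Store;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PosAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_pos_terminal_is_confined_to_its_own_store(): void
    {
        // Constructed fixtures: a manager, the store they manage, an unrelated store,
        // and a POS terminal whose parent is the manager.
        $manager  = User::factory()->create(['acct_type' => UserTypes::STORE_MANAGER]);
        $ownStore = Store::factory()->create(['manager_id' => $manager->id]);
        $other    = Store::factory()->create();
        $terminal = User::factory()->create([
            'acct_type' => UserTypes::POS_TERMINAL,
            'parentuid' => $manager->id,
        ]);

        // Own store: allowed
        $this->actingAs($terminal)
            ->postJson('/pos/session/start', ['store_hash' => $ownStore->store_hash])
            ->assertStatus(201);

        // Another store, reached via its hash: denied
        $this->actingAs($terminal)
            ->postJson('/pos/session/start', ['store_hash' => $other->store_hash])
            ->assertStatus(403);

        // Another store's existing session, reached via its id: denied
        $foreign = PosSession::create(['store_id' => $other->id, 'user_id' => $manager->id]);
        $this->actingAs($terminal)
            ->getJson("/pos/session/{$foreign->id}")
            ->assertStatus(403);
    }
}
```

The same `abort_unless(...)` line is what `getTodayStats`, `getPosSessions` and `getCustomers` need as their first statement after resolving the store; the test's third request is the one that catches a controller that checks only whether the caller has *a* store rather than *this* store.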