BarangaySystem/docs/completed/chklist-20260403024500.md
2026-06-06 18:43:00 +08:00


# Checklist: POS Access Control & Login Hardening
## 1. **User Type Check & Parent Role Configuration**
- [x] **app/Http/Controllers/Helpers/Permissions/UserPermissions.php**: Ensure the `POS_TERMINAL` role has:
  - `ViewPosReports`
  - `ViewCustomers`
  - `ViewUserInfo` (for customer lookup)
  - `ManageUserInfo` (for customer lookup)
  - `ViewShipments` (optional: the user didn't specify it, but it is often needed)
- [x] **app/Http/Controllers/Helpers/Permissions/UserPermissions.php**: Verify that `STORE_MANAGER` is the only parent role for `POS_TERMINAL`.
- [x] **app/Http/Controllers/Helpers/Permissions/UserTypeService.php**: Ensure `STORE_MANAGER` (and above) can create `POS_TERMINAL` users.
## 2. **Store-Level Authorization Helper**
- [x] Create a helper to verify if a user is allowed to access a specific store's POS/Reports.
- [x] Implementation (checks are ordered from cheapest to most expensive, and unknown stores fail closed):
  ```php
  public static function isUserAllowedAccessToStore($user, $storeId): bool
  {
      // ULTIMATE accounts bypass store scoping entirely
      if ($user->acct_type === UserTypes::ULTIMATE) return true;

      // Unknown store: fail closed rather than granting access
      $store = Store::find($storeId);
      if (!$store) return false;

      // Check if the user owns or manages the store
      if ($user->id === $store->owner_id || $user->id === $store->manager_id) return true;

      // Check if the user's parent is the owner/manager (for POS_TERMINAL/RIDER)
      if ($user->parentuid === $store->owner_id || $user->parentuid === $store->manager_id) return true;

      // Check if the user is an ancestor of the owner/manager
      if (self::isAncestorOf($user, $store->owner) || self::isAncestorOf($user, $store->manager)) return true;

      return false;
  }
  ```
## 3. **Controller Hardening**
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `startSession` using `store_hash`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getSession` when looking up a store session.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getTodayStats`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getPosSessions`.
- [x] **app/Http/Controllers/Market/PosController.php**: Apply `isUserAllowedAccessToStore` in `getCustomers`.
## 4. **Testing & Validation**
- [x] Create **tests/Feature/PosAccessTest.php**:
  - Test `POS_TERMINAL` login.
  - Test access to an authorized store (success).
  - Test access to an unauthorized store (fail: 401/403).
  - Test access to manager-only pages (fail: 302).
- [x] Run the tests and ensure 100% success.
- [x] Perform a final sanity check on the UI (`PosMain.vue`) to ensure no broken links.
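The feature test described in section 4, written out as an added example (not the project's own `PosAccessTest.php`). It assumes `User` and `Store` factories, a `store_hash` column on `Store`, a `UserTypes` class in the namespace shown, a `/pos/session/start` route that calls `isUserAllowedAccessToStore` and aborts with 403, and a `/manager/dashboard` route guarded by a redirect; adjust those names to the project's actual routes and models.

```php
<?php

namespace Tests\Feature;

use App\Http\Controllers\Helpers\Permissions\UserTypes; // assumed namespace
use App\Models\Store;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PosAccessTest extends TestCase
{
    use RefreshDatabase;

    /** Builds a STORE_MANAGER with one store and a POS_TERMINAL user parented to that manager. */
    private function makeStoreWithTerminal(): array
    {
        $manager = User::factory()->create(['acct_type' => UserTypes::STORE_MANAGER]);
        $store = Store::factory()->create(['owner_id' => $manager->id, 'manager_id' => $manager->id]);
        $terminal = User::factory()->create([
            'acct_type' => UserTypes::POS_TERMINAL,
            'parentuid' => $manager->id, // parent link is what isUserAllowedAccessToStore relies on
        ]);
        return [$store, $terminal];
    }

    public function test_terminal_can_start_session_on_its_own_store(): void
    {
        [$store, $terminal] = $this->makeStoreWithTerminal();
        $this->actingAs($terminal)
            ->postJson('/pos/session/start', ['store_hash' => $store->store_hash]) // assumed route
            ->assertOk();
    }

    public function test_terminal_is_rejected_on_another_managers_store(): void
    {
        [, $terminal] = $this->makeStoreWithTerminal();
        [$otherStore] = $this->makeStoreWithTerminal(); // different manager, different store
        $this->actingAs($terminal)
            ->postJson('/pos/session/start', ['store_hash' => $otherStore->store_hash])
            ->assertForbidden(); // 403: the helper must not match owner, manager, parent or ancestor
    }

    public function test_terminal_is_redirected_from_manager_only_page(): void
    {
        [, $terminal] = $this->makeStoreWithTerminal();
        $this->actingAs($terminal)->get('/manager/dashboard')->assertRedirect(); // assumed route, expects 302
    }
}
```

The second test is the one that catches a regression in the store check: if any controller in section 3 drops the `isUserAllowedAccessToStore` call, a terminal can read another store's session by guessing or reusing its `store_hash`.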