chore: upgrade to PHP 8.5 and Laravel 13#1488
Open
herpaderpaldent wants to merge 58 commits into
Open
Conversation
- Bump PHP ^8.1 → ^8.3, laravel/framework ^10 → ^11 - Bump seatplus/auth ^3 → ^4, seatplus/eveapi ^3.1 → ^4 - Replace tightenco/ziggy + spatie/laravel-permission with laravel/wayfinder ^0.1.16 - Bump inertiajs/inertia-laravel ^1.2 → ^2.0 - Add larastan/larastan, laravel/pint, pest-plugin-type-coverage to dev deps - Upgrade rector, testbench, pest to current major versions - phpunit.xml: switch DB from MySQL/MariaDB to PostgreSQL (5432, seatplus/secret) - CI: rewrite workflow — PHP 8.3, PostgreSQL 16 + Redis 7 services, actions/checkout@v4 - TestCase: add Model::shouldBeStrict(), add PermissionServiceProvider, fix provider order - Pest.php: remove PermissionRegistrar import and re-register call (no longer needed) - Code style: apply Pint formatting across test stubs and traits Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PR chain PRs 1-B through 1-E target intermediate branches, so removing the branch filter ensures CI runs on every PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PRs 1-B through 1-E target intermediate branches so pull_request will still fire on all of them from the workflow on those branches. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- phpunit.xml: keep DB_DATABASE=testbench, DB_USERNAME=default (matches original naming convention; local overrides are not committed) - CI workflow: update postgres service env to match testbench/default - composer.json: add config.audit.ignore for firebase/php-jwt advisories PKSA-y2cr-5h3j-g3ys and PKSA-2kqm-ps5x-s4f5, which are pulled in transitively via seatplus/esi-client ^3.0. Will be resolved properly when esi-client is upgraded (PR 1-G). Addresses review comment: #1471 (comment) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
esi-client has been upgraded to firebase/php-jwt ^6.0 in PR seatplus/esi-client#20. The security advisories PKSA-y2cr-5h3j-g3ys and PKSA-2kqm-ps5x-s4f5 are no longer relevant once that PR is merged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- redirectTo() must accept array to match parent class signature; wrap in collect() internally to retain Collection usage - Remove unused Collection import - CI: pg_isready needs -U default to match the POSTGRES_USER Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace all removed Role model methods (activateMember, removeMember, joinWaitlist, isModerator, acl_affiliations, acl_members, moderators) with the proper auth package service/action classes: - ManualRoleService::addMember/removeMember for manual membership - AutomaticRoleService::automaticallyAssignRoleTo for automatic sync - OnRequestRoleService::addCriteriaForRoleApplication/setModerator - OptInRoleService::addCriteriaForRole - ApplyAction/ApproveAction/OptOutAction/JoinAction/LeaveAction for HTTP actions - BaseRoleService::canModerate replaces Role::isModerator - role->affiliations() replaces role->acl_affiliations() - role->role_memberships() replaces role->members/acl_members/moderators - RoleType enum comparisons replace string comparisons - registerPermissions(Gate) fixes for spatie/permission v6.25+ Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Match the updated parent signature in seatplus/auth. The parent now uses Symfony\Component\HttpFoundation\Response as the return type to allow subclasses to return Inertia\Response (PHP return type covariance requirement). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add return types, parameter types, and property types throughout all source files in src/ — controllers, middleware, resources, actions, form requests, services, models, jobs, and helpers — without changing any logic. Brings type coverage from ~79% to 100%. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ation - Replace all uses of Seatplus\Auth\Http\Middleware\CheckPermissionOrCorporationRole (removed in auth 4.x) with Seatplus\Auth\Http\Middleware\CheckAuthorization - Replace CheckPermissionAndAffiliation middleware with CheckAuthorization - Add named login/logout routes using dedicated controllers - Fix __DIR__ concatenation style (pint formatting) - Fix ACL middleware to use 'acl-permission' without hardcoded permission name Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update all test imports to use short class names (pint formatting) - Replace assertUnauthorized() with assertForbidden() where auth 4.x returns 403 instead of 401 for authenticated users without permission - Fix WalletsTest: use substr($ref_type, 0, 5) instead of substr($ref_type, 0, -5) to avoid empty string when ref_type is <= 5 chars - Clean up debug dump() calls from RecruitmentLifeCycleTest - Update TestCase to flush cache and reset PermissionRegistrar before each test to prevent permission caching across test cases - Update Pest.php and stubs for Laravel 11 compatibility Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add phpstan.neon.dist with Larastan, level 4, migration paths, baseline - Add phpstan-baseline.neon capturing 188 pre-existing errors - Pin pestphp/pest-plugin-type-coverage to 3.5.1 (v3.6.1 has a bug with PHPStan) - Pin phpstan/phpstan to 1.12.24 for compatibility - Pin seatplus/auth to ^4.0.3 - Fix AssignSuperuser::handle(): separate alert() call from return to satisfy void return type - Fix Handler::render(): use mixed type for $request parameter (LSP compliance) - Fix Authenticate::redirectTo(): add explicit return null for JSON case Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add .phpunit.cache/ to .gitignore (was only .phpunit.result.cache) - Remove all 131 accidentally-tracked .phpunit.cache/ files from git - Extend laravel.yml CI workflow: - Add concurrency group to cancel in-progress runs on new push - Add composer cache step for faster installs - Replace xdebug coverage (unused) with coverage: none - Run full test suite: lint, static analysis, type coverage, unit tests - Use composer scripts (test:lint, test:types, test:type-coverage, test:unit) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pg_isready -U default tries to connect to a database named 'default' which does not exist. Specify -d testbench to match the created DB. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use POSTGRES_HOST_AUTH_METHOD=trust with user 'root' and db 'laravel' to match the credentials already defined in phpunit.xml. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
DB_DATABASE=testbench, DB_USERNAME=default, DB_PASSWORD=secret in both phpunit.xml and the workflow service definition. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
CharacterInfoFactory (eveapi) assigns random in-game roles via afterCreating, potentially including Director. CanUserService bypasses all permission checks for Director, making assertForbidden tests flaky in CI. Reset CharacterRole to empty arrays in TestCase::setUp() so every test starts from a clean state. Tests that need specific EVE roles set them explicitly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The old workflow used oskarstark/php-cs-fixer-ga with .php_cs.dist.php, conflicting with Pint (now the project formatter) and reverting its fixes on every push. Switch to running vendor/bin/pint instead. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace sprintf with string concatenation in all route middleware definitions (Character: Assets, Contact, Contract, CorporationHistory, Mails, Skills, Wallet; Corporation: Wallet) - Remove commented-out fragment in Corporation/MemberCompliance.php - Remove stale 'does not work' comment from corporation.balance route - Update README badges to reference current workflow (laravel.yml) and branch (5.x) - Fix AssignSuperuser: typed closures use User instead of mixed - Fix GetCharacterAssetLocationAction: replace mixed with proper types (Builder, Collection, Asset, Location) to satisfy PHPStan Note: batch_update routes keep 'permission:' Spatie middleware rather than CheckAuthorization — these routes operate on applicants from external corporations, so character-ID scoped auth is semantically incorrect here. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace all mixed parameter and return type annotations across 61 files in packages/web/src/ with specific concrete PHP types to achieve 100% type coverage required by Pest type-coverage enforcement. Key changes: - Middleware: return types narrowed to \Symfony\Component\HttpFoundation\Response - Resources: callback params typed to concrete Eloquent models - Controllers: Builder, Collection, and model-specific types throughout - Services: array, string, int and specific model/DTO types - Pipes: ControlGroupUpdateData return types; fix pipeline terminal callback to return ControlGroupUpdateData (was returning null) - UpdateWatchlistAction: use Collection::put() instead of mergeRecursive() to ensure groupBy empty groups are Collections not arrays - CreateDispatchTransferObject::getPermission(): fix ?array → string|null (config returns string permission names, not arrays) - HelperController::getResourceVariants(): widen to array|string|null since Http::get()->json() can return either PHPStan baseline: removed stale SyncRoleAffiliations entries, updated UpdateWatchlistAction match type from (int|string) to string. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…s, DI refactoring - Remove phpstan-baseline.neon and update phpstan.neon.dist - Fix all 184 PHPStan errors across web package source files - Add @mixin annotations to all JsonResource classes - Fix @param PHPDoc in resource files - Remove dead addQueryMacros() and unused imports from WebServiceProvider - Fix SettingException namespace in Locale middleware - Restore deleted test body in ComplianceLifeCycleTest - Refactor DI in LeaveControlGroupController, ListMembersController - Fix typo allince_id -> alliance_id in GetEntityFromId - Remove unused checkPermission() in SidebarEntries - Simplify string|array ternary closures to string-only - Fix new static -> new self in GetIdsFromNamesService, EveMailService - Fix match expressions missing default cases - All 184 tests pass, 100% type coverage, PHPStan clean Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…bject
- Delete config/web.jobs.php — mapped string keys to deleted eveapi HydrateBatch classes
- Remove WebServiceProvider mergeConfigFrom for web.jobs
- Simplify CreateDispatchTransferObject: inline string keys directly in match branches, remove dead getManualJob() method and all HydrateBatch imports
- Fix DispatchIndividualJob and DispatchJobController validation to use WebJobsRepository::getJobKeys() instead of config('web.jobs')
- Fix WebJobsRepository: 'membertracking' key now correctly maps to getCorporationMemberTrackingJobs()
- Remove stale PHPStan baseline suppression for HydrateBatch classes
- Update DispatchJobControllerTest to use literal 'contacts' key
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
feat(1-A): Laravel 11 baseline — PHP 8.3, PostgreSQL CI, Wayfinder ^0.1.16, Inertia v2
… routing (#1472) * Refactor middleware: replace affiliation pipeline with CheckAuthorization - Remove CheckContactsAndAffiliation and CheckPermissionAndAffiliation (pipeline-based middleware replaced by simpler auth.CheckAuthorization from the auth package) - Authenticate: fix redirect route name auth.login → login - CheckACLPermission: rewrite to use RoleMembership.can_moderate instead of Role.moderators - CheckAffiliationForApplication: rewrite to use new GetAffiliatedIds service - CheckRequiredScopes: fix redirectTo() return type; extract render() as separate action - HandleInertiaRequests: update SidebarEntries call to getFilteredEntries() - Add LoginController and LogoutController (new dedicated auth controllers) - GetAffiliatedIds: new service wrapping CanUserService for permission-based ID resolution - SidebarEntries: refactor filter() → getFilteredEntries(), extract SidebarPermissionChecker - SidebarPermissionChecker: new dedicated permission checker for sidebar visibility - WebServiceProvider: remove deleted middleware imports, apply Pint formatting - routes/: add login/logout named routes, apply CheckAuthorization middleware throughout, remove references to deleted middleware classes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> # Conflicts: # routes/Routes/Character/Assets.php # routes/Routes/Character/Contact.php # routes/Routes/Character/Contract.php # routes/Routes/Character/CorporationHistory.php # routes/Routes/Character/Mails.php # routes/Routes/Character/Skills.php # routes/Routes/Character/Wallet.php # routes/Routes/Corporation/MemberCompliance.php # routes/Routes/Corporation/Wallet.php # routes/routes.php # src/Http/Controllers/Auth/LoginController.php # src/Http/Controllers/Auth/LogoutController.php # src/Http/Middleware/Authenticate.php # src/Http/Middleware/CheckACLPermission.php # src/Http/Middleware/CheckAffiliationForApplication.php # src/Http/Middleware/CheckRequiredScopes.php # src/Http/Middleware/Locale.php # src/Services/GetAffiliatedIds.php # src/Services/Sidebar/SidebarEntries.php # src/Services/Sidebar/SidebarPermissionChecker.php # src/WebServiceProvider.php * Fix styling * fix: propagate CI trigger fix from 1-A branch Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: restrict Laravel workflow triggers to branch 5.x only * fix(routes): remove stale comment from corporation.balance route definition * refactor: remove CheckACLPermission middleware and its references - Deleted `CheckACLPermission` middleware and related imports and aliases in `WebServiceProvider`. - Removed middleware usage in routes. * test(routes): update RouteTest to allow access control routes * Fix styling * ci: trigger CI run after 1-A merge Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: replace auto-commit Pint bot with check-only mode GITHUB_TOKEN commits do not trigger other workflows (by design), so the auto-commit pattern causes the Laravel CI to silently skip after every styling fix. Switch to --test mode: fail fast, force devs to run 'composer run lint' locally before pushing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: herpaderpaldent <herpaderpaldent@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Refactor controllers and services: GetAffiliatedIds, DispatchTransferObject, role services - GetAffiliatedIds: use in CorporationWalletController, ContactsController, ContractsController, SkillsController, WalletsController, HelperController, GetAffiliatedCharactersController, GetAffiliatedCorporationsController, GetRecruitmentIndexController, MemberTrackingController - DispatchTransferObject: new data transfer object for job dispatch; CreateDispatchTransferObject service to build it from requests - DispatchJobController: rewrite to use DispatchTransferObject - AssignSuperuser: inject BaseRoleService/ManualRoleService, use role service to assign superuser - GetRecruitIdsService: refactor for clarity and maintainability - ImpersonateRecruit: refactor character ID handling - UpdateControlGroupController: use new ControlGroupUpdateData container - ListMembersController / ListUserController / LeaveControlGroupController: cleanup - GetCorporationMemberComplianceAffiliatedIdsService: update affiliation logic - GetEntityFromId / GetIdsFromNamesService / GetNamesFromIdsService: refactor - EveMailService: refactor mail retrieval - AssetSearchScope / LocationWatchListScope / TypeWatchListScope: query scope refactors - SyncRoleAffiliations / SyncRoleName: minor cleanup - UpdateOrCreateSsoSettings: refactor - UserRessource / LocationRessource: update resource handling - Handler, Controller, ContactsRequest, DispatchIndividualJob, UpdateWatchlistRequest: style/cleanup - Various: apply Pint formatting (readonly constructors, double-quote interpolation) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve rebase conflicts, fix LeaveControlGroupController logic and pint formatting - Fix abort_if → abort_unless in LeaveControlGroupController.validateRequest - Add handleMembers() call after processLeaveRequest to sync Spatie role removal - Remove unused BaseRoleService injection from AssignSuperuser - Fix single_line_empty_body formatting in 5 files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: restore correct CI workflow, remove dump() debug statement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(acl): add typed role management controllers and ShowControlGroupController
Add four typed update controllers (Automatic, Manual, OnRequest, OptIn) that
delegate to the auth package's BaseRoleService directly, transforming the
RoleRequest named-key format to the tuple format expected by the service layer.
Add ShowControlGroupController that renders the AccessControl/RoleDetail Inertia
page and guards access for admins (administrate access control groups), managers
(manage access control group / create or update or delete access control group),
and role moderators (canModerate).
Add ManageRoleRequest that extends auth's RoleRequest and injects the route
role_id parameter via prepareForValidation().
Add RoleDetail.vue placeholder for Inertia page existence check — full
implementation follows in Phase 1.5-J-2.
All old routes and controllers are preserved for backward compatibility with the
existing frontend until Phase 1.5-J-2 replaces them.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): replace abbreviated lambda params with descriptive names
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): remove MIT license header from new controller files
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: rename 'create,update and delete' permission and fix acl.detail authorization
- Rename 'create,update and delete access control group' to 'create or update or delete access control group'
in web.permissions.php to avoid Laravel middleware comma-separator parsing issue
- Fix typed Update*GroupControllers: setRoleType() before criteria, delegate to auth actions
- Fix ControlGroupsController::edit() to merge auth.permissions config
- Remove redundant TypedControlGroupUpdateTest (superseded by typed controller tests)
The old comma-containing permission name caused Laravel to split the middleware
parameter incorrectly, silently cutting 'administrate access control groups' out
of the permissions list and causing 403 for admins on the acl.detail route.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: replace vite-plugin-run with official @laravel/vite-plugin-wayfinder
Installs @laravel/vite-plugin-wayfinder ^0.1.7 and removes vite-plugin-run.
The wayfinder() plugin handles route generation on file changes during dev,
replacing the manual vite-plugin-run artisan call.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(acl): implement RoleDetail page and per-type edit components
- Implement RoleDetail.vue as a proper typed component using <component :is>
to dispatch to per-type detail components
- Add Types/AutomaticDetail.vue: manages assigned criteria (corps/alliances
that auto-get the role), posts to acl.update.automatic
- Add Types/ManualDetail.vue: manages affiliated permission scope, posts to
acl.update.manual
- Add Types/OnRequestDetail.vue: manages affiliated eligibility criteria and
assigned moderators, posts to acl.update.on-request
- Add Types/OptInDetail.vue: manages affiliated join criteria, posts to
acl.update.opt-in
- Update ShowControlGroupController: normalize entity type from PHP FQCNs to
short strings (corporation/alliance/character), rename affiliation 'type'
to 'affiliation_type', add can_edit flag based on administrate permission
- Update TypedControlGroupUpdateTest: assert can_edit is returned correctly
for admins (true) and moderators (false)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(test): reset secondary_user character roles in ComplianceLifeCycleTest beforeEach
The test 'user without permission fails to see compliance' intermittently
got 200 instead of 403 in CI. The CheckAuthorization middleware uses
CanUserService which checks EVE corporation roles (Director) in addition
to Spatie permissions.
CharacterInfoFactory creates CharacterRole with roles=[] by default, but
under certain test ordering with Event::fakeFor, the CharacterRole for
secondary_user's character could retain non-empty roles including Director.
This mirrors the root cause fixed in auth's CheckAuthorizationTest.
Add CharacterRole::updateOrCreate in beforeEach (after secondary_user is
created) to explicitly force roles=[] for secondary_user's character,
matching the same defensive pattern already applied to test_character in
TestCase::setUp().
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: update all auth v4.0.4 API calls to use AffiliationData and CriteriaData DTOs
- AbstractControlGroupUpdatePipe::handleAffiliations: pass AffiliationData DTOs to syncAffiliateManyEntities
- AutomaticControlGroupUpdatePipe: pass CriteriaData DTOs to automaticallyAssignRoleTo
- OnRequestControlGroupUpdatePipe: pass CriteriaData DTOs to addCriteriaForRoleApplication
- OptInControlGroupUpdatePipe: pass CriteriaData DTOs to addCriteriaForRole
- UpdateAutomaticGroupController: same fixes for both affiliated and assigned
- UpdateOnRequestGroupController: same fixes for both affiliated and assigned
- UpdateOptInGroupController: same fixes for both affiliated and assigned
- LeaveControlGroupTest/UpdateControlGroupTest: use AffiliationData in direct service calls
- Bump composer.json seatplus/auth constraint to ^4.0.4
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): remove old UpdateControlGroupController, pipes, and route
The old `update.acl.affiliations` route and its supporting classes are
replaced by the typed per-role-type controllers introduced in this PR.
Deleted:
- UpdateControlGroupController and its Pipeline-based approach
- All five pipe classes (AbstractControlGroupUpdatePipe and subtypes)
- ControlGroupUpdateData container DTO
- The `update.acl.affiliations` POST route
Tests adapted to no longer use the old route:
- Tests that were just setup (ComplianceLifeCycleTest, RecruitmentLifeCycleTest,
AccessControlTest) now use direct service calls (ManualRoleService,
OnRequestRoleService) instead of HTTP
- JoinControlGroupTest uses direct service calls to configure role type +
affiliations + criteria, then tests the join flow via acl.join
- UpdateControlGroupTest rewritten to use direct service calls; tests
already covered by TypedControlGroupUpdateTest removed
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: delegate Update*GroupControllers to auth actions
Replace duplicated role management logic in all four typed update
controllers with direct delegation to the corresponding auth package
actions:
- UpdateAutomaticGroupController → ManageAutomaticRoleAction
- UpdateOnRequestGroupController → ManageOnRequestRoleAction (also fixes duplicate setRoleType call)
- UpdateOptInGroupController → ManageOptInRoleAction (also fixes duplicate setRoleType call)
- UpdateManualGroupController → ManageManualRoleAction (restores missing syncAffiliateManyEntities)
Also add missing test coverage for manual role affiliation sync.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: remove web permissions from acl.detail route
The detail page was gated by CheckAuthorization middleware using old
web permission strings. The controller already contains the correct
authorization logic natively:
- canEdit = superuser || 'administrate access control groups'
- canView = canEdit || canModerate() (RoleMembership-based)
Remove the middleware so moderators can access the page without holding
any web permission. Update the moderator test to prove access works
with only canModerate, not a named permission.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor: remove old ACL web permissions
Remove 'create or update or delete access control group' and
'manage access control group' from the codebase. All routes that
relied on them now gate with 'administrate access control groups'.
- config/web.permissions.php: removed the two permission strings
- routes: both old middleware groups now use 'administrate access control groups'
- AccessControlTest: all occurrences replaced
- JoinControlGroupTest: unnecessary permission assignment removed
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add SetModerator HTTP route for overview page
Add POST/DELETE /acl/{role_id}/moderator/{user_id} routes gated by
'administrate access control groups', served by SetModeratorController.
Works for manual and on-request roles; aborts 403 for other types.
Replace direct OnRequestRoleService::setModerator() calls in tests
with HTTP assertions through the new routes. Add assignPermission()
helper to Pest.php for assigning permissions to arbitrary users.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Split dual-purpose acl.join into acl.apply / acl.approve / acl.deny
- Add ApplicationController with apply(), approve(), deny() methods
- approve()/deny() check superuser || canModerate() before acting
- Remove JoinControlGroupController and JoinControlGroup form request
- Update ControlGroup.vue: join button uses acl.apply (no data body)
- Update ModerateMembers.vue: approve() uses acl.approve, deny button
calls denyMember() -> acl.deny, removeMember() keeps acl.leave
- Rewrite JoinControlGroupTest: cover apply/approve/deny/unauthorized flows
- Fix PHPStan false positive in SetModeratorController (@var after guard)
- Run composer run lint to fix ordered_imports and braces_position
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix moderator test to use HTTP route instead of direct service call
The 'shows role detail page to on-request moderator' test was bypassing
the HTTP layer by calling OnRequestRoleService::setModerator() directly.
Now it sets the moderator via POST acl.moderator.add (as an admin) and
verifies the moderator can access the detail page through the controller.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Replace direct setModerator() service calls with HTTP routes in tests
UpdateControlGroupTest and LeaveControlGroupTest were calling
OnRequestRoleService::setModerator() directly instead of going through
the web layer. Both now use POST acl.moderator.add as an admin user.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add acl.member.add/remove routes for manual role members; fix tests
- Add ManageManualMemberController with add()/remove() methods
- Calls manual()->addMember()/removeMember() + handleMembers()
- Gated by 'administrate access control groups' at route level
- Add POST/DELETE /acl/{role_id}/member/{user_id} routes
- Rewrite UpdateControlGroupTest 'adds/removes member' to use HTTP routes
instead of direct ManualRoleService calls
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix moderator tests: add remove coverage, drop spurious type-change step
UpdateControlGroupTest:
- Rename to 'sets and removes moderator' — now tests both add and remove
via acl.moderator.add and acl.moderator.remove
- Remove unnecessary acl.update.on-request step; moderators work on
manual roles too (SetModeratorController accepts both types)
JoinControlGroupTest:
- 'moderator can approve/deny' tests now set moderator via HTTP
(POST acl.moderator.add by admin) instead of direct setModerator() call
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(tests): replace scattered ACL tests with per-controller unit + lifecycle integration
- Add 16 controller unit tests (one per ACL controller) in tests/Unit/Controller/
- Add 4 lifecycle integration tests (one per role type) in tests/Integration/
- Delete 5 old scattered integration test files that mixed multiple concerns
- All tests are HTTP-only (no direct service invocations)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: add role-type guard to ApplicationController::apply() + close test gaps
- ApplicationController::apply() now 403s when role type is not ON_REQUEST,
matching the same guard that LeaveControlGroupController already has
- Add tests: applying to MANUAL, AUTOMATIC, and OPT_IN roles all return 403
- Add test: denies creating a control group without permission (403)
- LeaveControlGroupControllerTest: replace ManualRoleService setup with
OnRequestRoleService (correct service for on-request roles); add test
that acl.leave on a MANUAL role returns 403
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(tests): rename Unit/Controller to Feature/Controller, add missing 403 tests
- Move all 21 controller test files from tests/Unit/Controller/ to
tests/Feature/Controller/ to align with Laravel convention (HTTP-based
tests belong in Feature/, not Unit/)
- Register the new Feature/ directory in tests/Pest.php so Pest picks up
the TestCase binding
- ControlGroupsControllerTest: clarify index is accessible to any
authenticated user (no permission needed); add 403 tests for acl.edit,
acl.update, and acl.search.affiliatable; use 'administrate access
control groups' in search happy-path (was 'superuser', bypassing the
actual middleware under test)
- UpdateAutomaticGroupControllerTest: add unauthenticated 401 test
- UpdateManualGroupControllerTest: add unauthenticated 401 test
- UpdateOnRequestGroupControllerTest: add unauthenticated 401 test
- UpdateOptInGroupControllerTest: add unauthenticated 401 test
All 248 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(tests): merge Integration/ into Feature/, add Lifecycle/ subdir
- Move Integration/*LifecycleTest.php → Feature/Lifecycle/
- Move all other Integration/ tests flat into Feature/
- Move Unit/ConfigurationController/CommandControllerTest.php → Feature/Controller/
- Update Pest.php: ->in('Feature', 'Unit') — drop 'Integration'
- Remove now-empty Integration/ and Unit/ConfigurationController/ directories
Final structure:
tests/Feature/Controller/ — per-controller HTTP tests
tests/Feature/Lifecycle/ — multi-step role lifecycle flows
tests/Feature/ — all other HTTP tests
tests/Unit/ — pure class tests (services, models, middleware)
All 248 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(acl): guard acl.groups route with view access control permission
- Add CheckAuthorization middleware to acl.groups route
- Fix ControlGroupsControllerTest: add 403 test for unauthenticated user,
restore 'view access control' permission assertion on happy-path
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: remove duplicate delete test from ControlGroupsControllerTest
acl.delete is handled by DeleteControlGroupController, not
ControlGroupsController. DeleteControlGroupControllerTest already
owns those tests (unauthenticated, 403, happy-path).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): split ControlGroupsController into 5 single-action controllers
Each controller now does exactly one thing (SOLID / SRP):
- ShowControlGroupsController → GET / (acl.groups)
- CreateControlGroupController → POST /create (acl.create)
- EditControlGroupController → GET /acl/{id} (acl.edit)
- UpdateControlGroupController → POST /acl/{id} (acl.update)
- SearchAffiliatableController → GET /search (acl.search.affiliatable)
Redirects in create/update now use route() instead of action() so they
no longer depend on ControlGroupsController.
Delete ControlGroupsController.php.
Update routes/Routes/AccessControl/View.php to use new controllers.
Split ControlGroupsControllerTest into 5 matching test files:
- ShowControlGroupsControllerTest (3 tests)
- CreateControlGroupControllerTest (3 tests)
- EditControlGroupControllerTest (3 tests)
- UpdateControlGroupControllerTest (4 tests)
- SearchAffiliatableControllerTest (4 tests)
Fix RouteTest: 'does not protect acl routes' was incorrect after the
view access control middleware was added to acl.groups.
253 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): split ApplicationController into 3 single-action controllers
Each controller handles exactly one HTTP action (SOLID / SRP):
- ApplyToRoleController → POST /acl/{role_id}/apply (acl.apply)
- ApproveApplicationController → POST /acl/{role_id}/approve/{user_id} (acl.approve)
- DenyApplicationController → DELETE /acl/{role_id}/deny/{user_id} (acl.deny)
Delete ApplicationController.php.
Update routes/Routes/AccessControl/View.php.
Split ApplicationControllerTest into 3 matching test files:
- ApplyToRoleControllerTest (5 tests: unauth, on-request, 403 x3)
- ApproveApplicationControllerTest (3 tests: unauth, non-mod 403, approve)
- DenyApplicationControllerTest (3 tests: unauth, non-mod 403, deny)
256 tests pass.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): replace 4 typed Update controllers with ManageRoleController
- Remove UpdateAutomaticGroupController, UpdateManualGroupController,
UpdateOnRequestGroupController, UpdateOptInGroupController
- Add ManageRoleController with TYPE_ACTION_MAP dispatch
- All 4 typed routes now use ->defaults('type', ...) to route to one controller
- Remove corresponding test files, add ManageRoleControllerTest (8 tests)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): remove legacy EditGroup/UpdateControlGroup stack
- Delete EditControlGroupController (GET acl.edit) and its test
- Delete UpdateControlGroupController (POST acl.update) and its test
- Delete SyncRoleName, SyncRoleAffiliations, SyncRolePermissions services
- Delete UpdateControlGroup FormRequest
- Delete EditGroup.vue (superseded by type-specific detail pages)
- Remove acl.edit and acl.update routes from View.php
- CreateControlGroupController: redirect to acl.detail instead of acl.edit
- ControlGroup.vue: link to acl.detail instead of acl.edit
- ComplianceLifeCycleTest + RecruitmentLifeCycleTest: replace acl.update HTTP
scaffolding with direct Affiliation::create + Permission::findOrCreate calls
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(acl): allow moderators to add/remove members on manual roles
Moderators of a manual role should be able to manage membership,
but not change the role name, affiliations, or delete the role.
- ManageManualMemberController: add authorizeModeration() — allows
admin ('administrate access control groups') OR role moderator
- Move acl.member.add/remove routes out of admin middleware group
so moderators can reach them (auth check is inside controller)
- ManualRoleLifecycleTest: fix test description and assertions —
moderators CAN add/remove, cannot change role settings
- ManageManualMemberControllerTest: add moderator add/remove tests
and a non-moderator/non-admin 403 test
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test(lifecycle): replace service-based setup with HTTP calls in OnRequest and OptIn tests
OnRequestRoleLifecycleTest: both 'full lifecycle' and 'deny flow' tests
now configure type + affiliations + application criteria via
POST acl.update.on-request (affiliated[] + assigned[]) instead of
calling OnRequestRoleService directly.
OptInRoleLifecycleTest: 'eligible user can join' test now sets opt-in
type + join criteria via POST acl.update.opt-in (assigned[]) instead of
calling OptInRoleService directly. The joinRole() call via service is
retained since there is no HTTP join route for opt-in.
Removes unused imports: AffiliationData, CriteriaData, OnRequestRoleService
(from OnRequest test) and CriteriaData (from OptIn test).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(acl): add acl.join route for opt-in roles + fix lifecycle test
- Add JoinOptInRoleController: guards opt-in type, calls JoinAction then
handleMembers() to assign the Spatie role
- Add POST /acl/{role_id}/join -> acl.join route (no auth middleware;
any authenticated user can join if they meet criteria)
- OptInRoleLifecycleTest: replace direct OptInRoleService calls with
HTTP POST acl.join; remove unused OptInRoleService import
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test(compliance): replace direct Affiliation::create and ManualRoleService calls with HTTP
createScopeSetting() helper now uses:
- POST acl.update.manual with affiliated[] instead of Affiliation::create()
- POST acl.member.add instead of ManualRoleService::addMember() + assignRole()
Removes unused imports: Affiliation, ManualRoleService, CorporationInfo
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: replace direct service calls with HTTP in RecruitmentLifeCycleTest
All three locations that used ManualRoleService::addMember()+assignRole()
and Affiliation::create() directly are replaced with HTTP calls:
- Two inline recruiter setup blocks → POST acl.member.add
- createEnlistment() helper → POST acl.update.manual (affiliated[]) +
POST acl.member.add
Also removes unused imports: Affiliation, ManualRoleService, CorporationInfo.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: bump seatplus/auth to 4.0.5
Includes the eager load fix for RoleMembership->entity in
AbstractRoleService::updateMemberStatusBasedOnUserCompliance().
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: restore vite-plugin-run with monorepo-aware smart config
Reverts the @laravel/vite-plugin-wayfinder change (10204b5) which broke
the end-user publishing flow. packages/web/vite.config.js is published
to the core root via vendor:publish --tag=web, so end users depend on
vite-plugin-run to auto-run vendor:publish when vendor JS files change.
The config is now monorepo-aware: it detects whether packages/web exists
on disk and uses packages/** patterns (local dev) or vendor/seatplus/**
patterns (end-user install) for both the vendor:publish trigger and the
wayfinder:generate trigger. This eliminates the manually-maintained
divergence between the web package config and the root vite.config.js.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(vite): monorepo-only run tasks, remove non-monorepo watchers
End users install via create-project and only run `npm run build` once.
There is no dev server watching in production installs, so the run()
plugin tasks and vendor/** refresh patterns have no purpose outside the
monorepo.
- Remove `const base` variable and template-string patterns
- run() tasks (vendor:publish + wayfinder) only added when isMonorepo=true
- refresh array reduced to ['resources/js/**'] in all cases
- server.watch config unchanged (irrelevant for production npm run build)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test(acl): replace direct service calls with HTTP in controller tests
All feature tests now set up state exclusively through HTTP endpoints,
consistent with the project convention that Feature/* tests must not
call service classes or create models directly.
- ApplyToRoleControllerTest: POST acl.update.on-request via superuser
to configure role type/affiliations/criteria instead of OnRequestRoleService
- ApproveApplicationControllerTest: same HTTP setup before applying
- DenyApplicationControllerTest: same HTTP setup before applying
- LeaveControlGroupControllerTest: makeOnRequestMember() helper replaced
with HTTP: acl.update.on-request → acl.apply → acl.approve
Removed unused imports: OnRequestRoleService, AffiliationData,
CriteriaData, RoleType, AffiliationType where no longer referenced.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(acl): allow users to self-leave manual roles
A user who was manually assigned to a role should be able to remove
themselves — only automatic roles (where membership is re-synced on
every handleMembers() call) make no sense to leave.
- Add RoleType::MANUAL to ALLOWED_ROLE_TYPES
- Add MANUAL branch to processLeaveRequest() using removeMember()
- Replace the wrong '403 on manual role' test with:
- 'user can leave a manual role they were assigned to' (happy path)
- 'returns 403 when trying to leave an automatic role' (correct guard)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): split SetModeratorController into AddModeratorController + RemoveModeratorController
SetModeratorController had two public methods (add/remove), violating
the single-action controller convention used throughout this package.
- AddModeratorController — invokable, handles POST acl.moderator.add
- RemoveModeratorController — invokable, handles DELETE acl.moderator.remove
- Delete SetModeratorController
- Update routes to reference the two new controllers
- Rename test to ModeratorControllerTest, update description strings
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(acl): use neutral error message for moderator type guard
'Moderators can only be set on...' was wrong for the remove action
and implied moderators are impossible on opt-in roles (which is a
planned feature). Use the neutral 'This role type does not support
moderators' in both controllers.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): split ManageManualMemberController into Add/RemoveManualMemberController
ManageManualMemberController had two public methods (add/remove),
violating the single-action controller convention.
- AddManualMemberController — invokable, POST acl.member.add
- RemoveManualMemberController — invokable, DELETE acl.member.remove
- Delete ManageManualMemberController
- Update routes
- Rename test to ManualMemberControllerTest, update description strings
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(acl): generalise RemoveMemberController to work across all non-automatic role types
RemoveManualMemberController was incorrectly manual-specific. An
admin/moderator should be able to remove a member from any role type
(manual, on-request, opt-in). Only automatic roles cannot have members
removed (membership is re-synced automatically).
- Rename RemoveManualMemberController → RemoveMemberController
- Dispatch by role type: manual→removeMember, on-request→removeApplication,
opt-in→leaveRole; automatic→422
- Route acl.member.remove unchanged
- Rename test to MemberControllerTest; add coverage for on-request
and opt-in removal, automatic 422, and non-admin/non-moderator denial
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(acl): remove unreachable AUTOMATIC arm in RemoveMemberController match
PHPStan narrows RoleType after abort_unless(getType() !== AUTOMATIC),
making any AUTOMATIC match arm unreachable. Drop it — the 3-arm match
(MANUAL, ON_REQUEST, OPT_IN) is now exhaustive.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* revert(frontend): remove Vue changes, keep backend-only
Remove the per-type ACL Vue components and vite.config changes that
belong in a separate frontend PR. Restore EditGroup.vue, ControlGroup.vue,
ModerateMembers.vue and vite.config.js to their 4.x state.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(acl): add bare-minimum RoleDetail Vue component
Inertia test requires the component file to exist at
AccessControl/RoleDetail. Provides a stub page that renders role name
and accepts the role/can_edit/activeSidebarElement props passed by
ShowControlGroupController.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: patch pest-plugin-type-coverage for PHPStan RuleErrorTransformer API
`pestphp/pest-plugin-type-coverage` v4.0.4 calls
`RuleErrorTransformer::transform()` with wrong argument types:
- arg 3: `[]` (array) instead of `string $nodeType`
- arg 4: `$node` (Node object) instead of `int $nodeLine`
PHPStan's API has always expected `(RuleError, Scope, string, int)`.
Fix:
- Add `patches/pest-plugin-type-coverage-fix-transform-args.patch`
that corrects both calls to use `$nodeType` and `$node->getLine()`
- Add `cweagans/composer-patches` as a dev dependency so the patch
is re-applied automatically on `composer install`/`update`
- Allow the composer-patches plugin in config
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: upgrade larastan to v3, PHPStan to v2, fix all type errors
- Bump larastan/larastan ^2 → ^3 (requires PHPStan 2.x)
- Bump phpstan/phpstan 1.x → 2.x (transitive via larastan)
- Bump rector/rector ^1 → ^2 (PHPStan 2.x compat)
- Bump driftingly/rector-laravel ^1 → ^2 (rector 2.x compat)
- Bump tomasvotruba/type-coverage ^1 → ^2 (PHPStan 2.x compat)
PHPStan 2.x fixes:
- phpstan.neon.dist: add (?) suffix to 3 non-existent excludePaths entries
- phpstan.neon.dist: suppress larastan.noEnvCallsOutsideOfConfig (package config files)
- phpstan.neon.dist: suppress property.notFound for cross-package polymorphic relations
- phpstan.neon.dist: suppress trait.unused for HasWatchlist (registered at runtime)
- ContractsController: replace magic whereCharacterId/whereContractId with where()
- SidebarPermissionChecker: replace magic whereId() with where('id', ...)
- GetEntityFromId: remove nullsafe operators on non-nullable CharacterAffiliation
- SearchService: add @var annotation for Cache::remember() mixed return type
- HasCharacterNecessaryRole: extract typed $characterRoles to resolve CharacterRole::hasRole()
test:unit fix:
- Add --no-coverage to test:unit script (phpunit.xml has <source> which PHPUnit 12
initialises coverage for — without Xdebug in coverage mode this emits a warning
that failOnWarning=true turns into a failure)
- Update phpunit.xml schema URL to PHPUnit 12.5
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: upgrade to Pest 4, drop composer-patches workaround
Remove cweagans/composer-patches and the patch file that was working
around the pestphp/pest-plugin-type-coverage RuleErrorTransformer bug.
The upstream fix is now released so the patch is no longer needed.
Also removes tomasvotruba/type-coverage which is superseded by the
pest-plugin-type-coverage v4 built-in type coverage.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: remove obsolete Pest plugin type coverage patch
- Deleted `patches/pest-plugin-type-coverage-fix-transform-args.patch`.
- Upstream fix has been released, rendering the local patch unnecessary.
* fix: restore null-safe operators on Eloquent relations in GetEntityFromId
Larastan v3 infers BelongsTo/HasOne as non-null on in-memory models,
but at runtime the relation IS null when the related record is absent
from the local DB. The ?-> guard ensures the ?? fallback to $this->names
is reachable.
Suppress nullsafe.neverNull and property.notFound for this file
in phpstan.neon.dist — both are Larastan false positives for this pattern.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: split laravel.yml into lint + 4-shard parallel test jobs
Pest 4 supports --parallel --shard N/M. The single sequential job is
replaced with:
- lint job: coding standards, PHPStan, type coverage (no DB needed)
- test matrix job: 4 shards running in parallel, each with postgres+redis
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: remove patches.lock.json (composer-patches workaround fully removed)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: remove dead excludePaths entries from phpstan.neon.dist
The three files were deleted previously; the (?) suffix was a temporary
workaround to avoid PHPStan errors on missing paths. Remove them cleanly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): remove --parallel from shard command to prevent migration race condition
LazilyRefreshDatabase cannot handle concurrent workers racing to create
the migrations table. The 4-shard matrix already provides CI-level
parallelism; --parallel within each shard is unnecessary and causes
SQLSTATE[42P01] failures on PostgreSQL.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: gate test shards on lint job passing
No point running 4 test shards if static analysis or coding standards
already failed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): add --no-coverage to pest shard command
phpunit.xml has failOnWarning=true; without --no-coverage pest emits
'WARN No code coverage driver available' which triggers exit code 1
before any tests run.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: add setup job to install deps once, lint+tests run in parallel
composer install runs once in 'setup', populates the cache.
'lint' and all 4 'test' shards both depend on 'setup' and restore
from cache — they run concurrently without re-downloading packages.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): use --shard=N/M syntax and restore Laravel branch protection check
- --shard requires = not a space in Pest v4
- Add summary 'Laravel' job (needs: lint + test) so branch protection
rule that gates on 'Laravel' status check still passes
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): revert to per-job composer install, add reportUnmatchedIgnoredErrors=false
The shared-cache setup job approach was unreliable: if lint/test got a
cache miss they had no fallback install step, leaving PHPStan without a
vendor dir and reporting all suppressions as 'unmatched'.
Restore the proven per-job cache+install pattern from ace49eb.
Add reportUnmatchedIgnoredErrors: false to phpstan.neon.dist so that
suppressions which don't match on a given Larastan version are silently
skipped rather than causing CI to fail.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: retrigger workflow
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…otations (#1483) * refactor: fix PHPStan errors with explicit type annotations and config cleanup Replace property.notFound/nullsafe.neverNull suppressions with proper code fixes: Code changes: - EveMailService: remove unused Model import, type MailRecipients closure param - SeatPlusController: typed vars for impersonated_user and main_character - MemberTrackingController: extract alliance chain to typed intermediate vars - ApplicationsController: typed var for enlistment relation - ImpersonateRecruit: typed var for main_character - DispatchJobController: convert arrow fns to block closures with typed vars - AssetResource: typed var in whenLoaded closure - ContractRessource: typed vars for start/end location - CorporationInfoRessource: typed var for alliance in whenLoaded closure - MemberTrackingResource: typed var for location relation - UserRessource: block closure with RefreshToken typed var - ApplicationRessource: private method with typed vars for CharacterUser chain - GetEntityFromId: typed vars for character/corporation/alliance relations - HasCharacterNecessaryRole: typed var for CharacterRole relation - ContractsController: replace whereCharacterId/whereContractId scopes with where() - SidebarPermissionChecker: replace whereId scope with where() - Delete HasWatchlist trait (zero usages) phpstan.neon.dist: - Add configDirectories so env() in config/ is recognised as valid - Remove reportUnmatchedIgnoredErrors: false (no longer needed) - Remove all property.notFound, nullsafe.neverNull, trait.unused, and larastan.noEnvCallsOutsideOfConfig suppressions (fixed in code) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: revert whereContractId back to where('contract_id', ...) in ContractsController The patch accidentally replaced the plain ->where() with a local scope. Restore the original form that was already in 5.x. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add CheckAuthorizationWithExtendedScope middleware for compliance/recruiter access
Introduces a drop-in replacement for CheckAuthorization on all character
routes. Beyond the standard CanUserService primary check it adds two
fallback paths that only activate when a {character_id} is present in
the route and the primary check fails:
- Compliance reviewer fallback: users with 'member compliance: review user'
can access any character belonging to a user in their affiliated
compliance scope (via GetCorporationMemberComplianceAffiliatedIdsService).
- Recruiter fallback: users with 'can accept or deny applications' can
access any character that has an open application to their managed
corporations (via GetRecruitIdsService).
Routes without {character_id} (e.g. index and list endpoints) behave
identically to the original CheckAuthorization middleware.
Applied to all 7 character route files: Assets, Contact, Contract,
CorporationHistory, Mails, Skills, Wallet.
Resolves the two ->todo() stubs in ComplianceLifeCycleTest and
RecruitmentLifeCycleTest.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: use containment check instead of order-dependent assertion in ComplianceLifeCycleTest
getQuery() does not guarantee insertion order across databases.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: delete dead pipe/middleware files and clean up phpstan excludes
CheckCharacterAffiliationsAffiliatedIdPipe, CheckCorporationMemberCompliance
AffiliatedIdPipe, and CheckRecruitsAffiliatedIdPipe extended a base class
removed in auth 3.x and were never referenced after the middleware overhaul.
CheckContactsAndAffiliation and CheckPermissionAndAffiliation were already
absent from disk.
Removes the five excludePaths entries from phpstan.neon.dist now that the
files are gone. Also removes the stale comment that referred to PR 1-B.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: correct garbled comment in CheckAuthorizationWithExtendedScope
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: add docs/ROADMAP.md with current open work and upcoming PRs
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: remove stale config/web.jobs.php excludePath — file does not exist
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* refactor(tests): add createRoleViaHttp helper and use HTTP calls in lifecycle tests
Replace direct Role::create / givePermissionTo / assignRole / affiliations()->create()
calls with HTTP endpoints (acl.create, acl.update.manual, acl.member.add) in:
- ComplianceLifeCycleTest: createScopeSetting helper + 'allows user with review
permission' test
- RecruitmentLifeCycleTest: createEnlistment helper
The shared createRoleViaHttp() helper lives in tests/Pest.php so it can be
reused across any test file. Permissions are still assigned directly — no HTTP
endpoint exists for that operation.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(tests): accept explicit $actor in createRoleViaHttp, default to test()->superuser
Prevents implicit dependency on test()->superuser being defined by a beforeEach
in the calling test file. Callers that do not set up test()->superuser can pass
their own admin user as the $actor parameter.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace all route() calls across 57 Vue files with typed Wayfinder
imports from @/routes/... TypeScript modules.
Changes:
- vite.config.js: add wayfinder run plugin entry
- app.js: remove ZiggyVue import and .use(ZiggyVue)
- All 57 Vue/JS files: replace route('x.y.z', params) with typed
function imports, e.g. import { foo } from '@/routes/x/y'
Key migration notes:
- dead routes (acl.edit, acl.update, acl.delete, schedules.delete,
update.acl.affiliations) mapped to correct Wayfinder equivalents
- type-based ACL update routing uses lookup map in EditGroup.vue
and ManageControlGroup.vue
- query params wrapped in { query: {...} } for DispatchUpdate,
DispatchableEntry, EsiAutosuggest, RequiredScopesWarning
- change.main_character: character_id moves from POST body to URL
path param
- DispatchUpdateButton: removed dead computed url() referencing
undefined dispatch_transfer_object
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add "type": "module" to package.json — all .js files treated as ESM, eliminating the CJS Vite Node API deprecation warning - postcss.config.js and tailwind.config.js converted to ESM - WebServiceProvider publishes vite.config.js (unchanged filename) Package version bumps (removed webpack-era dead packages): - vite: ^4 → ^6.0 - laravel-vite-plugin: ^0.8 → ^1.3 - @vitejs/plugin-vue: ^4 → ^5.2 - vite-plugin-run: ^0.5 → ^0.8 - tailwindcss: ^3.1 → ^3.4 - vue: ^3.0.0-0 → ^3.5 - @headlessui/vue: ^1.0 → ^1.7 - @heroicons/vue: ^2.0 → ^2.1 - @vueuse/core: ^10.0 → ^11.0 Removed: @vue/compiler-sfc, acorn, resolve-url-loader, rollup-plugin-copy, sass-loader, vue-loader, vue-template-compiler, @babel/plugin-syntax-dynamic-import Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Options API components that import route functions from '@/routes/*' need to expose them via setup() for the template to access them. Without this, calling eve().url in the template throws '_ctx.eve is not a function'. 15 files updated to return imported route functions from setup(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ective - vite.config.js: set startup: true for 'copy vendor' task in monorepo context so that 'npm run dev' auto-publishes packages/web assets to root without needing a manual vendor:publish - app.blade.php: remove @routes directive (Ziggy remnant — Wayfinder does not inject global route data into the page) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
References existing /img/seat_plus_logo.svg to prevent 404 on /favicon.ico. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ionsUsing - Upgrade inertiajs/inertia-laravel from ^2.0 to ^3.0 - Upgrade @inertiajs/vue3 from ^1.0 to ^3.0 (JS side) - Add axios as explicit dependency (no longer bundled with @inertiajs/vue3 v3) - Remove custom Seatplus\Web\Exception\Handler and ExceptionHandler singleton override - Register Inertia::handleExceptionsUsing() in WebServiceProvider::boot() using the v3 ExceptionResponse API with rootView, withSharedData, and usingMiddleware - Fix missing trailing commas before setup() in 12 Options API Vue components Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…onsUsing) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Error.vue: add setup() returning home()
- 13 components: inject setup() { return { routeFn } } for Wayfinder imports
used directly in templates
- ImpersonatingBanner.vue: add setup() returning impersonateStop
- DarkSidebar.vue: move userSettings import to <script setup> block
- ExpandContractComponent.vue: rename conflicting import (details→getContractDetailsUrl)
to avoid clash with local contractDetails ref
- UserSettings.vue: add logout to existing setup() return
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…-plugin-run startup tasks - EditSettings.vue had two setup() declarations (original + auto-injected); merge enable_esi_search into the existing setup() return - vite-plugin-run startup tasks (vendor:publish, wayfinder:generate) fired concurrently with vite build causing random ENOENT race conditions; add build:false so they only run in dev server mode Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
In local dev, skip 500/503 from handleExceptionsUsing so Laravel's Ignition error page is shown instead of the Vue Error.vue page. 403 and 404 still render via Inertia in all environments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…for Inertia nav Inertia v3 removed the v2 modal overlay that showed non-Inertia HTML (like Ignition) in a popup for Inertia navigation requests. In v3, Inertia clients receiving raw HTML for an Inertia request show nothing. Strategy: - Inertia navigation requests (X-Inertia header): always render Error.vue so the user sees a proper error page rather than a broken state. - Initial page loads in local+debug mode: return null → Ignition renders (allows developers to see the full stack trace in the browser). - Production: all 403/404/500/503 render Error.vue regardless. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…Sidebar - Replace route(item.route) calls with item.uri (already resolved by SidebarEntries::initializeSidebar()) - Replace route().current() with usePage().props.activeSidebarElement from Inertia shared data - Remove Ziggy dependency from DarkSidebar entirely Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace all remaining Ziggy route() usages with Wayfinder typed functions
and URLSearchParams/pathname-based navigation:
- useLoadCompleteResource: signature (url, formData) - caller builds URL
- useInfinityScrolling: signature (url, method, postData)
- CharacterContactsComponent: Wayfinder detail() for contact endpoint
- Dashboard/Enlistments + Enlistment: Wayfinder enlistments()/applications()
- SkillQueue + Skills: Wayfinder queue()/skills() from get/character routes
- WalletJournalBalanceChart: Wayfinder corporation/character balance()
- Settings: navTabs now use uri field; isActive() compares pathname
- SeatPlusController::navigation(): adds uri field via route() server-side
- UserList: URLSearchParams for query params, pathname for navigation
- ScopeSettings: pathname.endsWith('/create') for creationMode
- Onboarding: Wayfinder onboarding() with query step param
No more Ziggy/route() dependency in any Vue/JS file.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Drop axios (~14KB gzipped) in favour of a thin native fetch() wrapper. - Add Functions/apiFetch.js: reads XSRF-TOKEN cookie, sets headers, serialises query params, returns parsed JSON body (throws on non-2xx) - useLoadCompleteResource: CancelToken → AbortController - useInfinityScrolling: CancelToken.source() → AbortController - useResolveId, useGetPrice: axios.get → apiFetch - EveImage, ResolveIdToName, EntityByIdBlock: axios.get → apiFetch - CharacterFilterModal, MailRepresentation: axios.get → apiFetch - ExpandContractComponent: axios.get → apiFetch - Autosuggest, EsiAutosuggest, LocationName: axios.get → apiFetch - DispatchableEntry: axios.get/post → apiFetch; fix import alias conflict - DispatchUpdate: axios.post → apiFetch - Settings: axios.get navigation → native fetch - HorizonStats: axios.get /queue/status → native fetch - EditSettings: all three axios usages → apiFetch - ActivityLogModal, UpdateCharacterComponent: axios → apiFetch - bootstrap.js: remove axios import and window.axios global - package.json: remove axios dependency app.js bundle: 560kB → 518kB (-42kB, ~14kB gzipped saved) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…/js/vendor/ Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ent models
fetchAffiliatedCharacterIdsWithRelation() was returning CharacterInfo
models (with eager-loaded relations) which Vue received as objects like
{character_id: 95725047, assets: []}. Vue components expected plain
integers for iteration and API parameters.
Fix: collapse getCharacterIds() to pluck('character_id') directly and
remove the unused $characterRelation eager-loading — no consumer of
this method ever used the loaded relation data.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…entNode crash Inertia v3's swapComponent calls resetLayoutProps() synchronously before updating component.value. This triggers a Vue reactive update that tries to patch the old layout's VNode tree while it may have a null `el`, causing 'can't access property parentNode, node is null' in componentUpdateFn. The crash occurs specifically when navigating TO pages with layout:null (Mail/Index, Error, Onboarding) from layout-wrapped pages (SingleColumnLayout). Fix: in app.js resolve(), if a page declares layout:null, assign a TransparentLayout component instead. TransparentLayout is a no-op passthrough (() => slots.default?.()) that: - Gives Inertia a valid component to patch between (never null el) - Still renders the page's own embedded layout (MultiColumnLayout/DarkSidebar) - Ignores all props so no activeSidebarElement coupling needed Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
headers was imported at module level but not exposed via setup() return, making it inaccessible in the template as _ctx.headers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Bump php ^8.3 → ^8.5 - Bump laravel/framework ^11.0 → ^13.0 - Bump orchestra/testbench ^9.0 → ^11.0 (follows Laravel versioning) - Bump pestphp/pest-plugin-laravel ^4.0 → ^4.1 (Laravel 13 support) - Add VCS repos for seatplus/auth, seatplus/eveapi, seatplus/esi-client, and seatplus/esi-schema, pointing to their upgrade branches - Add seatplus/esi-client direct dep (dev-chore/php-8.5-upgrade as 4.1.0) to force Carbon 3 resolution (resolves Carbon 2 vs 3 conflict) - Set minimum-stability: dev + prefer-stable: true - Add phpstan-baseline.neon with 4 pre-existing errors - Include phpstan-baseline.neon in phpstan.neon.dist (was missing) - Add audit ignore for firebase/php-jwt security advisories (pre-existing in esi-client legacy auth path) 48 pre-existing test failures and TypeError in type-coverage (PHPStan v2 + pest-plugin-type-coverage v4 incompatibility) all exist on the parent branch — not caused by this upgrade. 201 tests pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrade the web package to PHP 8.5 and Laravel 13.
Changes
Runtime
php^8.3 → ^8.5laravel/framework^11.0 → ^13.0Dev dependencies
orchestra/testbench^9.0 → ^11.0 (follows Laravel versioning)pestphp/pest-plugin-laravel^4.0 → ^4.1 (Laravel 13 support)Other
seatplus/auth,seatplus/eveapi,seatplus/esi-client,seatplus/esi-schemapointing to their upgrade branchesseatplus/esi-client dev-chore/php-8.5-upgrade as 4.1.0requirement to force Carbon 3.x resolution (Laravel 13 requiresnesbot/carbon ^3.8.4)minimum-stability: dev+prefer-stable: truephpstan-baseline.neonwith 4 pre-existing errors and wired it intophpstan.neon.distfirebase/php-jwtsecurity advisories (pre-existing in esi-client legacy auth path)Test status
201 tests pass
48 pre-existing failures (same as parent branch
4.x)PHPStan: 0 errors (4 pre-existing suppressed via baseline)
Type-coverage: TypeError crash pre-exists on parent branch (PHPStan v2 + pest-plugin-type-coverage v4 compatibility issue)