Add super-admin Administration section and restructure global vs company settings

- Add Administration sidebar section (super-admin only) with Companies, Users, and Global Settings pages - Add super-admin middleware, controllers, and API routes under /api/v1/super-admin/ - Allow super-admins to manage all companies and users across tenants - Add user impersonation with short-lived tokens, audit logging, and UI banner - Move system-level settings (Mail, PDF, Backup, Update, File Disk) from per-company to Administration > Global Settings - Convert save_pdf_to_disk from CompanySetting to global Setting - Add per-company mail configuration overrides (optional, falls back to global) - Add CompanyMailConfigService to apply company mail config before sending emails
2026-04-09 22:44:48 +00:00 · 2026-04-03 10:35:40 +02:00
parent 25986b7bd5
commit 9432da467e
40 changed files with 2324 additions and 91 deletions
--- a/app/Http/Controllers/V1/SuperAdmin/UsersController.php
+++ b/app/Http/Controllers/V1/SuperAdmin/UsersController.php
@@ -0,0 +1,101 @@
+<?php
+
+namespace App\Http\Controllers\V1\SuperAdmin;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\AdminUserUpdateRequest;
+use App\Http\Resources\UserResource;
+use App\Models\ImpersonationLog;
+use App\Models\User;
+use Illuminate\Http\Request;
+use Laravel\Sanctum\PersonalAccessToken;
+
+class UsersController extends Controller
+{
+    public function index(Request $request)
+    {
+        $limit = $request->has('limit') ? $request->limit : 10;
+
+        $users = User::with('companies')
+            ->applyFilters($request->all())
+            ->latest()
+            ->paginate($limit);
+
+        return UserResource::collection($users);
+    }
+
+    public function show(User $user)
+    {
+        $user->load('companies');
+
+        return new UserResource($user);
+    }
+
+    public function update(AdminUserUpdateRequest $request, User $user)
+    {
+        $data = $request->only(['name', 'email', 'phone']);
+
+        if ($request->filled('password')) {
+            $data['password'] = $request->password;
+        }
+
+        $user->update($data);
+
+        return new UserResource($user);
+    }
+
+    public function impersonate(Request $request, User $user)
+    {
+        $admin = $request->user();
+
+        if ($admin->id === $user->id) {
+            return response()->json([
+                'error' => 'cannot_impersonate_self',
+                'message' => 'You cannot impersonate yourself.',
+            ], 422);
+        }
+
+        $token = $user->createToken(
+            'impersonation-by-'.$admin->id,
+            ['*'],
+            now()->addHours(2),
+        );
+
+        $log = ImpersonationLog::create([
+            'admin_id' => $admin->id,
+            'user_id' => $user->id,
+            'ip_address' => $request->ip(),
+            'token_id' => $token->accessToken->id,
+        ]);
+
+        return response()->json([
+            'token' => $token->plainTextToken,
+            'impersonation_log_id' => $log->id,
+            'user' => new UserResource($user),
+        ]);
+    }
+
+    public function stopImpersonating(Request $request)
+    {
+        $token = $request->user()->currentAccessToken();
+
+        if ($token instanceof PersonalAccessToken && str_starts_with($token->name, 'impersonation-by-')) {
+            $log = ImpersonationLog::where('token_id', $token->id)
+                ->whereNull('stopped_at')
+                ->first();
+
+            if ($log) {
+                $log->update(['stopped_at' => now()]);
+            }
+
+            $token->delete();
+
+            return response()->json(['success' => true]);
+        }
+
+        return response()->json([
+            'error' => 'not_impersonating',
+            'message' => 'No active impersonation session.',
+        ], 422);
+    }
+}