* add spatie/permissions
* add policies
* add role resource
* add root admin role handling
* replace some "root_admin" with function
* add model specific permissions
* make permission selection nicer
* fix user creation
* fix tests
* add back subuser checks in server policy
* add custom model for role
* assign new users to role if root_admin is set
* add api for roles
* fix phpstan
* add permissions for settings page
* remove "restore" and "forceDelete" permissions
* add user count to list
* prevent deletion if role has users
* update user list
* fix server policy
* remove old `root_admin` column
* small refactor
* fix tests
* forgot can checks here
* forgot use
* disable editing own roles & disable assigning root admin
* don't allow to rename root admin role
* remove php bombing exception handler
* fix role assignment when creating a user
* fix disableOptionWhen
* fix missing `root_admin` attribute on react frontend
* add permission check for bulk delete
* rename viewAny to viewList
* improve canAccessPanel check
* fix admin not displaying for non-root admins
* make sure non root admins can't edit root admins
* fix import
* fix settings page permission check
* fix server permissions for non-subusers
* fix settings page permission check v2
* small cleanup
* cleanup config file
* move consts from resource into enum & model
* Update database/migrations/2024_08_01_114538_remove_root_admin_column.php
Co-authored-by: Lance Pioch <lancepioch@gmail.com>
* fix config
* fix phpstan
* fix phpstan 2.0
---------
Co-authored-by: Lance Pioch <lancepioch@gmail.com>
The main difference is permissions: a cleaner UI for normal users, and account keys use the permissions assigned to servers and subusers, while application keys use R/W ACLs stored in the key table.
Previously, a single key was used to access the API; this has not changed in terms of what the user sees. However, API keys now use an identifier and a token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database, and the identifier is used by the API middleware to grab that record and make a timing-attack-safe comparison.
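The identifier/token split described above, as an added example that is not the project's own (PHP) code. It assumes an alphanumeric key alphabet and, so that it runs on the Python standard library alone, stores a keyed SHA-256 HMAC of the token under an app secret instead of reversibly encrypting it; the middleware logic (look the row up by identifier, then compare the token in constant time) is the same in either design. The store, record class and names are hypothetical.

```python
"""Identifier + token API key scheme (added illustration, not project code)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

IDENTIFIER_LENGTH = 16  # first 16 characters: the lookup handle, stored in clear
TOKEN_LENGTH = 32       # remaining 32 characters: the secret, never stored raw
KEY_LENGTH = IDENTIFIER_LENGTH + TOKEN_LENGTH
ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric keys


@dataclass
class ApiKeyRecord:
    identifier: str
    token_mac: bytes  # keyed hash of the token (stand-in for encryption at rest)
    user_id: int


class ApiKeyStore:
    """In-memory stand-in for the api_keys table, indexed by identifier."""

    def __init__(self, app_secret: bytes) -> None:
        self._secret = app_secret
        self._records: Dict[str, ApiKeyRecord] = {}

    def _mac(self, token: str) -> bytes:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).digest()

    def create(self, user_id: int) -> str:
        """Mint a key. Only the full string returned here ever reveals the token."""
        while True:
            key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
            identifier, token = key[:IDENTIFIER_LENGTH], key[IDENTIFIER_LENGTH:]
            if identifier not in self._records:  # identifier is the unique row key
                break
        self._records[identifier] = ApiKeyRecord(identifier, self._mac(token), user_id)
        return key

    def authenticate(self, presented: str) -> Optional[ApiKeyRecord]:
        """What the API middleware does with the bearer value on each request."""
        if len(presented) != KEY_LENGTH:
            return None
        identifier, token = presented[:IDENTIFIER_LENGTH], presented[IDENTIFIER_LENGTH:]
        record = self._records.get(identifier)
        # Unknown identifier: still run a comparison against a dummy value so the
        # response time does not reveal whether the identifier exists.
        expected = record.token_mac if record is not None else self._mac("")
        matched = hmac.compare_digest(expected, self._mac(token))
        return record if (record is not None and matched) else None


if __name__ == "__main__":
    store = ApiKeyStore(b"app-secret-from-config")  # constructed sample secret
    key = store.create(user_id=7)
    print("issued key:", key)
    print("valid key  ->", store.authenticate(key))
    print("wrong token->", store.authenticate(key[:IDENTIFIER_LENGTH] + "x" * TOKEN_LENGTH))
```

The point of the split is that the database lookup is done on the non-secret identifier, so only a single stored value is ever compared against the presented token, and that one comparison is done with `hmac.compare_digest`; comparing the presented key against every row with `==` would leak both existence and prefix information through timing.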