
Permission Drift Check

This guide checks whether the permission/role data in the database is still in sync with:

  • docs/bitwewe/admin-panel/permission-matrix.json

Goals

  • Detect permissions that are missing from the DB
  • Detect stray permissions (present in the DB but not in the matrix)
  • Detect mismatches in role -> permission assignments

1) Quick check via Tinker

Run in the backend:

php artisan tinker

Then:

// Load the permission matrix that the DB is expected to match
$matrix = json_decode(file_get_contents(base_path('../doc-tech/docs/docs/bitwewe/admin-panel/permission-matrix.json')), true);

// Sorted permission names from the DB (Spatie) and from the matrix file
$dbPerms = \Spatie\Permission\Models\Permission::pluck('name')->sort()->values()->all();
$filePerms = collect($matrix['permissions'])->sort()->values()->all();

// In the matrix but not in the DB, and in the DB but not in the matrix
$missingInDb = array_values(array_diff($filePerms, $dbPerms));
$extraInDb = array_values(array_diff($dbPerms, $filePerms));

[
    'missing_in_db_count' => count($missingInDb),
    'extra_in_db_count' => count($extraInDb),
    'missing_in_db' => $missingInDb,
    'extra_in_db' => $extraInDb,
];

2) Check role assignments

Still in Tinker:

use Spatie\Permission\Models\Role;

$matrix = json_decode(file_get_contents(base_path('../doc-tech/docs/docs/bitwewe/admin-panel/permission-matrix.json')), true);

$mismatch = [];

foreach ($matrix['roles'] as $roleName => $expected) {
    $role = Role::where('name', $roleName)->first();
    if (!$role) {
        $mismatch[$roleName] = ['error' => 'role_not_found'];
        continue;
    }

    // Permissions actually granted to the role in the DB
    $actual = $role->permissions()->pluck('name')->sort()->values()->all();
    // ['*'] in the matrix means every permission listed in the matrix
    $expectedList = $expected === ['*']
        ? collect($matrix['permissions'])->sort()->values()->all()
        : collect($expected)->sort()->values()->all();

    $missing = array_values(array_diff($expectedList, $actual));
    $extra = array_values(array_diff($actual, $expectedList));

    if (!empty($missing) || !empty($extra)) {
        $mismatch[$roleName] = [
            'missing' => $missing,
            'extra' => $extra,
        ];
    }
}

$mismatch;

3) Pass criteria

  • missing_in_db_count = 0
  • extra_in_db_count = 0 (or documented as an exception)
  • No assignment mismatch for the critical roles:
    • super-admin
    • compliance-admin
    • wallet-ops-l1
    • wallet-ops-l2
4) Actions on mismatch

  1. If the matrix is newer: run the sync seeder from permission-seed-template.
  2. If the DB differs intentionally: update permission-matrix.json and bump the version.
  3. Record the change in the PR so the audit trail is clear.