From bc497382a397ff841f1505a9f9d3c80e810b8cce Mon Sep 17 00:00:00 2001
From: kevin
Date: Tue, 28 Apr 2026 10:30:54 +0300
Subject: [PATCH] Add persmission in API in role CRUD controller
---
 .../Http/Controllers/Api/AuthController.php | 4 ++--
 thanasoft-back/bootstrap/app.php | 8 ++++++++
 thanasoft-back/routes/api.php | 18 ++++++++++--------
 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/thanasoft-back/app/Http/Controllers/Api/AuthController.php b/thanasoft-back/app/Http/Controllers/Api/AuthController.php
index d564bea..5d9c517 100644
--- a/thanasoft-back/app/Http/Controllers/Api/AuthController.php
+++ b/thanasoft-back/app/Http/Controllers/Api/AuthController.php
@@ -73,7 +73,7 @@ class AuthController extends BaseController
 $token = $user->createToken('api')->plainTextToken;
 return $this->sendResponse([
- 'user' => $user,
+ 'user' => $user->load('roles', 'permissions'),
 'token' => $token,
 ], 'Login successful.');
@@ -143,7 +143,7 @@ class AuthController extends BaseController
 $token = $user->createToken('api')->plainTextToken;
 return $this->sendResponse([
- 'user' => $user,
+ 'user' => $user->load('roles', 'permissions'),
 'token' => $token,
 ], 'Mot de passe cree et connexion reussie.');
 } catch (ValidationException $e) {
diff --git a/thanasoft-back/bootstrap/app.php b/thanasoft-back/bootstrap/app.php
index 172e8fb..020402e 100644
--- a/thanasoft-back/bootstrap/app.php
+++ b/thanasoft-back/bootstrap/app.php
@@ -3,6 +3,9 @@
 use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Configuration\Exceptions;
 use Illuminate\Foundation\Configuration\Middleware;
+use Spatie\Permission\Middleware\PermissionMiddleware;
+use Spatie\Permission\Middleware\RoleMiddleware;
+use Spatie\Permission\Middleware\RoleOrPermissionMiddleware;
 return Application::configure(basePath: dirname(__DIR__))
 ->withRouting(
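Review bot: `$user->load('roles', 'permissions')` in the login response (AuthController hunk at line 73) and in the password-creation response (hunk at line 143) loads only the permissions assigned directly to the user. With spatie/laravel-permission, permissions granted through a role are not part of that relation, so a client reading `user.permissions` will likely see an incomplete set. The whole model and both relations are also serialised as-is, presumably including pivot data, which exposes more than the client needs. Consider returning explicit lists instead, e.g. `'roles' => $user->getRoleNames(), 'permissions' => $user->getAllPermissions()->pluck('name'),`, and treat them as display hints only, since enforcement has to stay in the route middleware. Both enclosing methods start and end outside the hunks.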
@@ -13,6 +16,11 @@ return Application::configure(basePath: dirname(__DIR__))
 )
 ->withMiddleware(function (Middleware $middleware): void {
 $middleware->statefulApi();
+ $middleware->alias([
+ 'role' => RoleMiddleware::class,
+ 'permission' => PermissionMiddleware::class,
+ 'role_or_permission' => RoleOrPermissionMiddleware::class,
+ ]);
 })
 ->withExceptions(function (Exceptions $exceptions): void {
 //
diff --git a/thanasoft-back/routes/api.php b/thanasoft-back/routes/api.php
index 5acaf1f..7763e49 100644
--- a/thanasoft-back/routes/api.php
+++ b/thanasoft-back/routes/api.php
@@ -66,14 +66,16 @@ Route::middleware('auth:sanctum')->group(function () {
 Route::apiResource('client-groups', ClientGroupController::class);
 Route::apiResource('price-lists', PriceListController::class);
 Route::apiResource('users', UserController::class);
- Route::get('access-control', [AccessControlController::class, 'index']);
- Route::post('access-control/roles', [AccessControlController::class, 'storeRole']);
- Route::put('access-control/roles/{id}', [AccessControlController::class, 'updateRole']);
- Route::delete('access-control/roles/{id}', [AccessControlController::class, 'destroyRole']);
- Route::put('access-control/roles/{id}/permissions', [AccessControlController::class, 'syncRolePermissions']);
- Route::post('access-control/permissions', [AccessControlController::class, 'storePermission']);
- Route::put('access-control/permissions/{id}', [AccessControlController::class, 'updatePermission']);
- Route::delete('access-control/permissions/{id}', [AccessControlController::class, 'destroyPermission']);
+ Route::middleware('permission:config.view_roles')->group(function () {
+ Route::get('access-control', [AccessControlController::class, 'index']);
+ Route::post('access-control/roles', [AccessControlController::class, 'storeRole']);
+ Route::put('access-control/roles/{id}', [AccessControlController::class, 'updateRole']);
+ Route::delete('access-control/roles/{id}', [AccessControlController::class, 'destroyRole']);
+ Route::put('access-control/roles/{id}/permissions', [AccessControlController::class, 'syncRolePermissions']);
+ Route::post('access-control/permissions', [AccessControlController::class, 'storePermission']);
+ Route::put('access-control/permissions/{id}', [AccessControlController::class, 'updatePermission']);
+ Route::delete('access-control/permissions/{id}', [AccessControlController::class, 'destroyPermission']);
+ });
 Route::apiResource('client-locations', ClientLocationController::class);
 Route::apiResource('client-locations', 
ClientLocationController::class);
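Review bot: The new group puts every access-control route behind the single read-level permission `config.view_roles`, including the routes that create, update and delete roles and permissions and `syncRolePermissions`. Unless AccessControlController performs further checks (not visible here), any user allowed to view roles can also rewrite role and permission assignments, which makes a view right equivalent to full administration of access control. Keep the read permission on the listing only, `Route::get('access-control', [AccessControlController::class, 'index'])->middleware('permission:config.view_roles');`, and wrap the seven POST/PUT/DELETE routes in `Route::middleware('permission:<WRITE_PERMISSION_PLACEHOLDER>')->group(...)`, where the placeholder stands for whatever write permission the project defines. The enclosing `auth:sanctum` group starts outside the hunk.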