feat(access): strict allowlist + add groups by search

* UnifiPageGrant::userCanAccess no longer falls back to "open" when a
  page has no grants saved. Pages now require an explicit grant for
  every non-super-admin user — either a direct user grant or via a
  group they belong to. Matches the new dashboard-wide access model.
* Route enforcement returns 404 (was 403) so ungranted users can't even
  confirm the page exists.
* New /settings/pages-access/groups/search endpoint mirrors the
  user typeahead. Groups are no longer all listed by default — only
  super-admin groups (locked-on) and groups with at least one existing
  grant show up in the matrix. Operators add more via search.

v1.7.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 19:59:28 -04:00
parent f953fde2be
commit f5848907f5
5 changed files with 45 additions and 10 deletions

@@ -44,7 +44,9 @@ class UnifiServiceProvider extends ServiceProvider
if (! $item) return;
if (! UnifiPageGrant::userCanAccess($user, $item)) {
abort(403, 'You do not have access to this page.');
// 404 instead of 403 — don't leak that the page
// exists. The Access tab is the only way in.
abort(404);
}
} catch (\Throwable) {
// unifi_page_grants table may not exist yet on a fresh
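Review bot: The new `abort(404);` sits inside the try block that is closed by `} catch (\Throwable) {`, and Laravel's abort() denies the request by throwing an HTTP exception, so this catch intercepts the denial unless its body (cut off in this view) rethrows it. If the catch only tolerates the missing `unifi_page_grants` table and carries on, an ungranted user passes the check, which defeats the strict allowlist described in the commit message. Suggest narrowing the catch to the database error the comment refers to (for example `\Illuminate\Database\QueryException`), or rethrowing anything implementing `Symfony\Component\HttpKernel\Exception\HttpExceptionInterface` before the fallback, and stating in the comment whether a missing table is meant to allow or deny. A test that requests a page as a non-granted user and asserts a 404 response would confirm the deny actually reaches the client.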