fix(rotate): don't skip when only PPSKs are flagged; move webhooks under /settings

* Password rotation was short-circuiting any run that had no whole-SSID
  wlan_ids configured, even if there were PPSKs with rotate_password=true
  in the database. The PPSK rotation block lived after the early-return,
  so per-PPSK rotation never fired. Now we only skip when there's nothing
  at all to rotate (neither wlan_ids nor PPSK opt-ins).
* Webhook routes moved from /app/network/webhooks to
  /app/network/settings/webhooks so the URL reflects that this is a
  settings tab. Route names unchanged.

v1.5.3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

composer.json

@@ -1,7 +1,7 @@
 {
     "name": "dashboard/unifi",
     "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.5.1",
+    "version": "1.5.3",
     "type": "library",
     "license": "MIT",
     "autoload": {

src/Console/RotatePasswords.php

@@ -32,9 +32,16 @@ class RotatePasswords extends Command
         $run = UnifiCronRun::record('rotate-passwords', $triggeredBy, null, function () use ($unifi, $force) {
             $wlanIdsJson = Setting::get('unifi.password_rotation.wlan_ids', '[]');
             $wlanIds     = json_decode($wlanIdsJson, true);
+            if (! is_array($wlanIds)) $wlanIds = [];
 
-            if (empty($wlanIds) || ! is_array($wlanIds)) {
-                return ['status' => 'skipped', 'reason' => 'no SSIDs configured for rotation'];
+            $ppskQuery = UnifiPpsk::where('rotate_password', true)
+                ->where('state', 'active')
+                ->whereNotNull('unifi_id');
+
+            // Skip only if there's nothing at all to rotate — neither
+            // whole-SSID rotation targets nor per-PPSK rotation opt-ins.
+            if (empty($wlanIds) && ! $ppskQuery->exists()) {
+                return ['status' => 'skipped', 'reason' => 'no SSIDs or PPSKs configured for rotation'];
             }
 
             $wordlist = Setting::get('unifi.password_rotation.wordlist', '');
@@ -66,7 +73,7 @@ class RotatePasswords extends Command
 
             $rotatedPpsks = [];
             $failedPpsks  = [];
-            foreach (UnifiPpsk::where('rotate_password', true)->where('state', 'active')->whereNotNull('unifi_id')->get() as $ppsk) {
+            foreach ($ppskQuery->get() as $ppsk) {
                 $newPass = $passwords[array_rand($passwords)];
                 try {
                     $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);

src/Http/Controllers/UnifiPagesAccessController.php

@@ -34,6 +34,12 @@ class UnifiPagesAccessController extends Controller
             ->get()
             ->groupBy('nav_item_id');
 
+        // Only return users that ALREADY have grants. The full users list
+        // can be enormous (thousands of rows); the operator adds more via
+        // the searchUsers endpoint as needed.
+        $grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
+        $users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
+
         return response()->json([
             'pages' => $pages->map(fn ($p) => [
                 'id'         => $p->id,
@@ -42,11 +48,34 @@ class UnifiPagesAccessController extends Controller
                 'user_ids'   => $grants->get($p->id, collect())->where('grantee_type', 'user')->pluck('grantee_id')->all(),
                 'group_ids'  => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
             ])->values(),
-            'users'  => User::orderBy('name')->get(['id', 'name', 'email']),
+            'users'  => $users,
             'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']),
         ]);
     }
 
+    /**
+     * Typeahead-style search for users to add to the access matrix.
+     * Returns up to 20 matches against name or email. Empty query returns
+     * an empty array — caller must enter at least 2 chars.
+     */
+    public function searchUsers(Request $request)
+    {
+        $q = trim((string) $request->query('q', ''));
+        if (strlen($q) < 2) {
+            return response()->json(['users' => []]);
+        }
+
+        $users = User::where(function ($w) use ($q) {
+            $w->where('name',  'like', '%' . $q . '%')
+              ->orWhere('email', 'like', '%' . $q . '%');
+        })
+            ->orderBy('name')
+            ->limit(20)
+            ->get(['id', 'name', 'email']);
+
+        return response()->json(['users' => $users]);
+    }
+
     public function update(Request $request, NavItem $navItem)
     {
         $app = DashboardApp::where('slug', 'unifi')->first();

src/routes/unifi.php

@@ -75,19 +75,20 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             // Page Access — super-admin only. Lists unifi pages and lets
             // operators assign per-page user/group grants.
             Route::middleware('super.admin')->group(function () {
-                Route::get('/settings/pages-access',                [UnifiPagesAccessController::class, 'index'])  ->name('settings.pages-access.index');
-                Route::put('/settings/pages-access/{navItem}',      [UnifiPagesAccessController::class, 'update']) ->name('settings.pages-access.update');
+                Route::get('/settings/pages-access',                [UnifiPagesAccessController::class, 'index'])      ->name('settings.pages-access.index');
+                Route::get('/settings/pages-access/users/search',   [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
+                Route::put('/settings/pages-access/{navItem}',      [UnifiPagesAccessController::class, 'update'])     ->name('settings.pages-access.update');
             });
 
             // Cron logs — read-only history of scheduled-task runs.
             Route::get('/settings/cron-logs', [UnifiCronLogsController::class, 'index'])->name('settings.cron-logs.index');
 
-            // Webhooks
-            Route::get('/webhooks',                    [WebhookController::class, 'index'])  ->name('webhooks.index');
-            Route::post('/webhooks',                   [WebhookController::class, 'store'])  ->name('webhooks.store');
-            Route::put('/webhooks/{webhook}',          [WebhookController::class, 'update']) ->name('webhooks.update');
-            Route::delete('/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
-            Route::post('/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
+            // Webhooks — lives under /settings/* so it reads as a settings tab.
+            Route::get('/settings/webhooks',                    [WebhookController::class, 'index'])  ->name('webhooks.index');
+            Route::post('/settings/webhooks',                   [WebhookController::class, 'store'])  ->name('webhooks.store');
+            Route::put('/settings/webhooks/{webhook}',          [WebhookController::class, 'update']) ->name('webhooks.update');
+            Route::delete('/settings/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
+            Route::post('/settings/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
         });
     });