Implement RBAC (only built in roles) (#15212)

* Install bouncer

* Seeder and level migration

* Display and edit roles

* remove unused deluser page

* Update Radius and SSO to assign roles

* update AlertUtil direct level check to use roles instead

* rewrite ircbot auth handling

* Remove legacy auth getUserlist and getUserlevel methods, add getRoles
Set roles in LegacyUserProvider

* Small cleanups

* centralize role sync code
show roles on user preferences page

* VueSelect component WIP and a little docs

* WIP

* SelectControllers id and text fields.

* LibrenmsSelect component extracted from SettingSelectDynamic

* Handle multiple selections

* allow type coercion

* full width settings

* final style adjustments

* Final compiled assets update

* Style fixes

* Fix SSO tests

* Lint cleanups

* small style fix

* don't use json yet

* Update baseline for upstream package issues

* Change schema, not 100% sure it is correct
not sure why xor doesn't work
This commit is contained in:
Tony Murray
2023-08-28 00:13:40 -05:00
committed by GitHub
parent 4fc27d98e9
commit 2cd207028a
58 changed files with 1344 additions and 804 deletions


@@ -2,9 +2,12 @@
namespace App\Http\Requests;
use App\Models\User;
use Hash;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;
use LibreNMS\Config;
use Silber\Bouncer\BouncerFacade as Bouncer;
class UpdateUserRequest extends FormRequest
{
@@ -15,14 +18,17 @@ class UpdateUserRequest extends FormRequest
*/
public function authorize(): bool
{
if ($this->user()->isAdmin()) {
return true;
}
/** @var User|null $user */
$user = $this->route('user');
if ($user && $this->user()->can('update', $user)) {
// normal users cannot edit their level or ability to modify a password
unset($this['level'], $this['can_modify_passwd']);
// normal users cannot update their roles or ability to modify a password
if ($this->user()->cannot('manage', Bouncer::role())) {
unset($this['roles']);
}
if ($user->is($this->user())) {
unset($this['can_modify_passwd']);
}
return true;
}
@@ -37,7 +43,7 @@ class UpdateUserRequest extends FormRequest
*/
public function rules(): array
{
if ($this->user()->isAdmin()) {
if ($this->user()->can('update', User::class)) {
return [
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
@@ -45,7 +51,8 @@ class UpdateUserRequest extends FormRequest
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
'new_password_confirmation' => 'nullable|same:new_password',
'dashboard' => 'int',
'level' => 'int',
'roles' => 'array',
'roles.*' => Rule::in(Bouncer::role()->pluck('name')),
'enabled' => 'nullable',
'can_modify_passwd' => 'nullable',
];
@@ -72,7 +79,8 @@ class UpdateUserRequest extends FormRequest
{
$validator->after(function ($validator) {
// if not an admin and new_password is set, check old password matches
if (! $this->user()->isAdmin()) {
$user = $this->route('user');
if ($user && $this->user()->can('update', $user) && $this->user()->is($user)) {
if ($this->has('new_password')) {
if ($this->has('old_password')) {
$user = $this->route('user');