feat: integrate Adminer database browser with role-based access control

Author: David-Crty

app/Enums/UserRole.php

@@ -49,6 +49,24 @@ public static function assignable(): array
         return [self::Viewer, self::Member, self::Admin];
     }
 
+    /**
+     * Whether this role meets or exceeds the given minimum role.
+     */
+    public function meetsMinimum(self $required): bool
+    {
+        return $this->level() >= $required->level();
+    }
+
+    public function level(): int
+    {
+        return match ($this) {
+            self::Demo => 0,
+            self::Viewer => 1,
+            self::Member => 2,
+            self::Admin => 3,
+        };
+    }
+
     /**
      * Validation rule string for assignable roles.
      */

app/Http/Controllers/Web/AdminerController.php

@@ -0,0 +1,73 @@
+<?php
+
+namespace App\Http\Controllers\Web;
+
+use App\Enums\DatabaseType;
+use App\Http\Controllers\Controller;
+use App\Models\DatabaseServer;
+use App\Services\AdminerService;
+use Illuminate\Support\Facades\Gate;
+
+class AdminerController extends Controller
+{
+    public function __invoke(AdminerService $adminer): void
+    {
+        Gate::authorize('adminer', DatabaseServer::class);
+
+        $credentials = null;
+        $serverId = session()->pull('adminer_server_id');
+
+        // Initial load: build credentials from the database server stored in session
+        if ($serverId) {
+            /** @var DatabaseServer $server */
+            $server = DatabaseServer::findOrFail($serverId);
+            abort_unless($server->supportsAdminer(), 403);
+
+            $credentials = $this->buildCredentials($server);
+            $_POST['auth'] = [
+                'driver' => $credentials['driver'],
+                'server' => $credentials['server'],
+                'username' => $credentials['username'],
+                'password' => $credentials['password'],
+                'db' => $credentials['db'],
+            ];
+        }
+
+        // Release the session lock before Adminer runs. Adminer is long-lived
+        // and loads sub-resources (CSS/JS) through this same route — holding
+        // the lock would block those requests and cause timeouts.
+        session()->save();
+
+        $adminer->render($credentials);
+    }
+
+    /**
+     * @return array{driver: string, server: string, username: string, password: string, db: string}
+     */
+    private function buildCredentials(DatabaseServer $server): array
+    {
+        $driver = match ($server->database_type) { // @phpstan-ignore match.unhandled (supportsAdminer() filters unsupported types)
+            DatabaseType::MYSQL => 'server',
+            DatabaseType::POSTGRESQL => 'pgsql',
+            DatabaseType::SQLITE => 'sqlite',
+        };
+
+        $serverAddress = $server->database_type === DatabaseType::SQLITE
+            ? ''
+            : $server->host.':'.$server->port;
+
+        $db = '';
+        $databaseNames = $server->backups->first()?->database_names;
+        if ($databaseNames && count($databaseNames) === 1) {
+            $db = $databaseNames[0];
+        }
+
+        return [
+            'driver' => $driver,
+            'server' => $serverAddress,
+            'username' => $server->username ?? '',
+            'password' => $server->getDecryptedPassword(),
+            'db' => $db,
+        ];
+    }
+}

app/Livewire/Configuration/Application.php

@@ -2,13 +2,53 @@
 
 namespace App\Livewire\Configuration;
 
+use App\Enums\UserRole;
+use App\Livewire\Forms\ConfigurationForm;
+use App\Traits\Toast;
 use Illuminate\Contracts\View\View;
+use Livewire\Attributes\Computed;
 use Livewire\Attributes\Title;
 use Livewire\Component;
+use Symfony\Component\HttpFoundation\Response;
 
 #[Title('Configuration')]
 class Application extends Component
 {
+    use Toast;
+
+    public ConfigurationForm $form;
+
+    public function mount(): void
+    {
+        $this->form->loadFromConfig();
+    }
+
+    #[Computed]
+    public function isAdmin(): bool
+    {
+        return auth()->user()->isAdmin();
+    }
+
+    public function saveApplicationConfig(): void
+    {
+        abort_unless(auth()->user()->isAdmin(), Response::HTTP_FORBIDDEN);
+
+        $this->form->saveApplication();
+
+        $this->success(__('Application configuration saved.'));
+    }
+
+    /**
+     * @return array<int, array{id: string, name: string}>
+     */
+    public function getAdminerRoleOptions(): array
+    {
+        return array_map(
+            fn (UserRole $role) => ['id' => $role->value, 'name' => $role->label()],
+            UserRole::assignable(),
+        );
+    }
+
     /**
      * @return array<int, array{key: string, label: string, class?: string}>
      */
@@ -50,6 +90,7 @@ public function render(): View
         return view('livewire.configuration.application', [
             'headers' => $this->getHeaders(),
             'appConfig' => $this->getAppConfig(),
+            'adminerRoleOptions' => $this->getAdminerRoleOptions(),
         ]);
     }
 }

app/Livewire/DatabaseServer/AdminerModal.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Livewire\DatabaseServer;
+
+use Illuminate\View\View;
+use Livewire\Attributes\On;
+use Livewire\Component;
+
+class AdminerModal extends Component
+{
+    public bool $showModal = false;
+
+    public string $serverName = '';
+
+    public string $databaseIcon = '';
+
+    public string $databaseType = '';
+
+    public string $adminerUrl = '';
+
+    #[On('open-adminer-modal')]
+    public function openModal(string $serverName, string $databaseIcon, string $databaseType, string $adminerUrl): void
+    {
+        $this->serverName = $serverName;
+        $this->databaseIcon = $databaseIcon;
+        $this->databaseType = $databaseType;
+        $this->adminerUrl = $adminerUrl;
+        $this->showModal = true;
+    }
+
+    public function closeModal(): void
+    {
+        $this->showModal = false;
+        $this->adminerUrl = '';
+    }
+
+    public function render(): View
+    {
+        return view('livewire.database-server.adminer-modal');
+    }
+}

app/Livewire/DatabaseServer/Index.php

@@ -12,6 +12,7 @@
 use App\Traits\Toast;
 use Illuminate\Contracts\View\View;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\View as ViewFacade;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
@@ -132,6 +133,23 @@ public function confirmRestore(string $id): void
         $this->dispatch('open-restore-modal', mode: 'from-server', targetServerId: $id);
     }
 
+    public function openAdminer(string $id): void
+    {
+        $server = DatabaseServer::findOrFail($id);
+
+        abort_unless($server->supportsAdminer(), 403);
+        $this->authorize('adminer', DatabaseServer::class);
+
+        session()->put('adminer_server_id', $server->id);
+
+        $this->dispatch('open-adminer-modal',
+            serverName: $server->name,
+            databaseIcon: $server->database_type->icon(),
+            databaseType: $server->database_type->label(),
+            adminerUrl: route('adminer'),
+        );
+    }
+
     public function runBackup(string $backupId, TriggerBackupAction $action): void
     {
         $backup = Backup::with(['databaseServer', 'volume', 'backupSchedule'])->findOrFail($backupId);
@@ -173,6 +191,7 @@ public function render(): View
         return view('livewire.database-server.index', [
             'servers' => $servers,
             'headers' => $this->headers(),
+            'canAdminer' => Gate::allows('adminer', DatabaseServer::class),
         ]);
     }
 }

app/Livewire/Forms/ConfigurationForm.php

@@ -2,12 +2,19 @@
 
 namespace App\Livewire\Forms;
 
+use App\Enums\UserRole;
 use App\Facades\AppConfig;
 use Cron\CronExpression;
+use Illuminate\Validation\Rule;
 use Livewire\Form;
 
 class ConfigurationForm extends Form
 {
+    // Application settings
+    public bool $adminer_enabled = false;
+
+    public string $adminer_role = 'admin';
+
     // Backup settings
     public string $working_directory = '';
 
@@ -34,6 +41,8 @@ class ConfigurationForm extends Form
 
     public function loadFromConfig(): void
     {
+        $this->adminer_enabled = (bool) AppConfig::get('app.adminer_enabled');
+        $this->adminer_role = (string) AppConfig::get('app.adminer_role');
         $this->working_directory = (string) AppConfig::get('backup.working_directory');
         $this->compression = (string) AppConfig::get('backup.compression');
         $this->compression_level = (int) AppConfig::get('backup.compression_level');
@@ -45,6 +54,31 @@ public function loadFromConfig(): void
         $this->verify_files_cron = (string) AppConfig::get('backup.verify_files_cron');
     }
 
+    /**
+     * @return array<string, mixed>
+     */
+    private function applicationRules(): array
+    {
+        return [
+            'adminer_enabled' => ['boolean'],
+            'adminer_role' => ['required', 'string', Rule::in(array_column(UserRole::assignable(), 'value'))],
+        ];
+    }
+
+    public function saveApplication(): void
+    {
+        $this->validate($this->applicationRules());
+
+        $appKeyMap = [
+            'adminer_enabled' => 'app.adminer_enabled',
+            'adminer_role' => 'app.adminer_role',
+        ];
+
+        foreach ($appKeyMap as $property => $configKey) {
+            AppConfig::set($configKey, $this->{$property});
+        }
+    }
+
     /**
      * @return array<string, mixed>
      */

app/Models/DatabaseServer.php

@@ -165,6 +165,16 @@ public function getDecryptedPassword(): string
         }
     }
 
+    /**
+     * Check if this server supports browsing via Adminer.
+     * Requires a compatible database type (MySQL, PostgreSQL, SQLite) and no SSH.
+     */
+    public function supportsAdminer(): bool
+    {
+        return in_array($this->database_type, [DatabaseType::MYSQL, DatabaseType::POSTGRESQL, DatabaseType::SQLITE])
+            && $this->ssh_config_id === null;
+    }
+
     /**
      * Check if this server requires an SSH tunnel for connections.
      * SQLite servers never need SSH tunnels since they use local file paths.

app/Models/User.php

@@ -151,7 +151,7 @@ public function belongsToOrganization(Organization $organization): bool
     /**
      * Get the user's role in the current org context.
      */
-    private function currentOrgRole(): ?UserRole
+    public function currentOrgRole(): ?UserRole
     {
         return $this->roleIn(app(\App\Services\CurrentOrganization::class)->model());
     }

app/Policies/DatabaseServerPolicy.php

@@ -2,6 +2,8 @@
 
 namespace App\Policies;
 
+use App\Enums\UserRole;
+use App\Facades\AppConfig;
 use App\Models\DatabaseServer;
 use App\Models\User;
 
@@ -61,6 +63,32 @@ public function delete(User $user, DatabaseServer $databaseServer): bool
         return $user->canPerformActions();
     }
 
+    /**
+     * Determine whether the user can open the Adminer database browser.
+     * Requires the feature to be enabled and the user to meet the configured minimum role.
+     * Server compatibility (database type, SSH) is checked separately via DatabaseServer::supportsAdminer().
+     */
+    public function adminer(User $user): bool
+    {
+        if (! AppConfig::get('app.adminer_enabled')) {
+            return false;
+        }
+
+        $requiredRole = UserRole::tryFrom((string) AppConfig::get('app.adminer_role'));
+
+        if ($requiredRole === null) {
+            return false;
+        }
+
+        if ($user->isSuperAdmin()) {
+            return true;
+        }
+
+        $currentRole = $user->currentOrgRole();
+
+        return $currentRole !== null && $currentRole->meetsMinimum($requiredRole);
+    }
+
     /**
      * Determine whether the user can run a backup.
      * Demo users can trigger backups.