feat: Implement inspection mode features to enhance data privacy, including read-only access and UI adjustments for sensitive financial information across various components.

Author: RabbitVisual

Modules/Blog/app/Services/BlogService.php

@@ -0,0 +1,209 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Modules\Blog\Services;
+
+use App\Models\User;
+use Illuminate\Contracts\Pagination\LengthAwarePaginator;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Str;
+use Illuminate\Support\Facades\Storage;
+use Modules\Blog\Models\Post;
+use Modules\Blog\Models\BlogCategory;
+use Modules\Blog\Models\Comment;
+use Modules\Blog\Models\PostLike;
+use Modules\Blog\Models\SavedPost;
+use Modules\Core\Services\SettingService;
+
+class BlogService
+{
+    public function __construct(
+        protected SettingService $settingService
+    ) {}
+
+    /**
+     * Get published posts with optional search and category filter.
+     */
+    public function getPublishedPosts(array $filters = []): LengthAwarePaginator
+    {
+        $query = Post::where('status', 'published')
+            ->with('author', 'category')
+            ->orderBy('created_at', 'desc');
+
+        if (!empty($filters['q'])) {
+            $q = $filters['q'];
+            $query->where(function ($qry) use ($q) {
+                $qry->where('title', 'like', "%{$q}%")
+                    ->orWhere('content', 'like', "%{$q}%");
+            });
+        }
+
+        if (!empty($filters['category_id'])) {
+            $query->where('category_id', $filters['category_id']);
+        }
+
+        return $query->paginate($filters['per_page'] ?? 12);
+    }
+
+    /**
+     * Get a published post by slug with relations.
+     */
+    public function getPostBySlug(string $slug): ?Post
+    {
+        return Post::where('slug', $slug)
+            ->where('status', 'published')
+            ->with('author', 'category', 'approvedComments.user')
+            ->first();
+    }
+
+    /**
+     * Generate unique slug from title.
+     */
+    public function generateSlug(string $title, ?int $excludeId = null): string
+    {
+        $slug = Str::slug($title);
+        $query = Post::where('slug', 'like', $slug . '%');
+        if ($excludeId !== null) {
+            $query->where('id', '!=', $excludeId);
+        }
+        $count = $query->count();
+        return $count > 0 ? $slug . '-' . ($count + 1) : $slug;
+    }
+
+    /**
+     * Create a new post.
+     */
+    public function createPost(array $data, int $authorId): Post
+    {
+        $slug = $data['slug'] ?? $this->generateSlug($data['title']);
+
+        $featuredImage = null;
+        if (!empty($data['featured_image'])) {
+            $featuredImage = $this->storeUploadedFile($data['featured_image'], 'blog');
+        }
+
+        $ogImage = null;
+        if (!empty($data['og_image'])) {
+            $ogImage = $this->storeUploadedFile($data['og_image'], 'blog/seo');
+        }
+
+        return Post::create([
+            'author_id' => $authorId,
+            'category_id' => $data['category_id'],
+            'title' => $data['title'],
+            'slug' => $slug,
+            'content' => $data['content'],
+            'status' => $data['status'] ?? 'draft',
+            'is_premium' => (bool) ($data['is_premium'] ?? false),
+            'featured_image' => $featuredImage,
+            'meta_description' => $data['meta_description'] ?? null,
+            'og_image' => $ogImage,
+        ]);
+    }
+
+    /**
+     * Update an existing post.
+     */
+    public function updatePost(Post $post, array $data): Post
+    {
+        if (isset($data['title']) && $data['title'] !== $post->title) {
+            $data['slug'] = $data['slug'] ?? $this->generateSlug($data['title'], $post->id);
+        }
+
+        if (!empty($data['featured_image'])) {
+            $data['featured_image'] = $this->storeUploadedFile($data['featured_image'], 'blog');
+        }
+
+        if (!empty($data['og_image'])) {
+            $data['og_image'] = $this->storeUploadedFile($data['og_image'], 'blog/seo');
+        }
+
+        $fillable = ['title', 'slug', 'category_id', 'content', 'status', 'is_premium', 'meta_description', 'featured_image', 'og_image'];
+        $updates = array_intersect_key($data, array_flip($fillable));
+        if (isset($updates['is_premium'])) {
+            $updates['is_premium'] = (bool) $updates['is_premium'];
+        }
+
+        $post->update($updates);
+        return $post;
+    }
+
+    /**
+     * Store a comment; respects auto_approve_comments setting.
+     */
+    public function storeComment(Post $post, array $data, int $userId): Comment
+    {
+        $autoApprove = (bool) $this->settingService->get('blog.auto_approve_comments', false);
+
+        return Comment::create([
+            'post_id' => $post->id,
+            'user_id' => $userId,
+            'content' => $data['content'],
+            'is_approved' => $autoApprove,
+        ]);
+    }
+
+    /**
+     * Toggle like for a post. Returns ['liked' => bool, 'count' => int].
+     */
+    public function toggleLike(Post $post, User $user): array
+    {
+        $like = PostLike::where('post_id', $post->id)->where('user_id', $user->id)->first();
+
+        if ($like) {
+            $like->delete();
+            return ['liked' => false, 'count' => $post->likes()->count()];
+        }
+
+        PostLike::create(['post_id' => $post->id, 'user_id' => $user->id]);
+        return ['liked' => true, 'count' => $post->likes()->count()];
+    }
+
+    /**
+     * Toggle save for a post. Returns ['saved' => bool].
+     */
+    public function toggleSave(Post $post, User $user): array
+    {
+        $saved = SavedPost::where('post_id', $post->id)->where('user_id', $user->id)->first();
+
+        if ($saved) {
+            $saved->delete();
+            return ['saved' => false];
+        }
+
+        SavedPost::create(['post_id' => $post->id, 'user_id' => $user->id]);
+        return ['saved' => true];
+    }
+
+    /**
+     * Create a category.
+     */
+    public function storeCategory(array $data): BlogCategory
+    {
+        return BlogCategory::create([
+            'name' => $data['name'],
+            'slug' => Str::slug($data['name']),
+            'icon' => $data['icon'] ?? null,
+        ]);
+    }
+
+    /**
+     * Update a category.
+     */
+    public function updateCategory(BlogCategory $category, array $data): BlogCategory
+    {
+        $category->update([
+            'name' => $data['name'],
+            'slug' => Str::slug($data['name']),
+            'icon' => $data['icon'] ?? $category->icon,
+        ]);
+        return $category;
+    }
+
+    protected function storeUploadedFile($file, string $path): string
+    {
+        $stored = $file->store($path, 'public');
+        return 'storage/' . $stored;
+    }
+}

Modules/Blog/routes/web.php

@@ -1,12 +1,5 @@
 <?php
 
 use Illuminate\Support\Facades\Route;
-use Modules\Blog\Http\Controllers\BlogController;
 
-Route::middleware(['auth', 'verified'])->group(function () {
-    Route::get('blog', [BlogController::class, 'index'])->name('blog.index');
-    Route::get('blog/{slug}', [BlogController::class, 'show'])->name('blog.show');
-    Route::post('blog/comment/{id}', [BlogController::class, 'storeComment']);
-    Route::post('blog/like/{id}', [BlogController::class, 'toggleLike']);
-    Route::post('blog/save/{id}', [BlogController::class, 'toggleSave']);
-});
+// Public blog routes disabled: blog is served under PanelUser at /user/blog (paneluser.blog.*)

Modules/Core/app/Http/Controllers/AccountController.php

@@ -7,7 +7,7 @@
 use Modules\Core\Http\Requests\StoreAccountRequest;
 use Modules\Core\Http\Requests\UpdateAccountRequest;
 use Modules\Core\Models\Account;
-
+use Modules\Core\Services\InspectionGuard;
 use Modules\Core\Services\SubscriptionLimitService;
 
 class AccountController extends Controller
@@ -112,10 +112,14 @@ public function update(UpdateAccountRequest $request, Account $account)
     {
         $this->authorize('update', $account);
 
+        $balance = InspectionGuard::shouldHideFinancialData()
+            ? $account->balance
+            : $request->balance;
+
         $account->update([
             'name' => $request->name,
             'type' => $request->type,
-            'balance' => $request->balance,
+            'balance' => $balance,
         ]);
 
         return redirect()->route('core.accounts.index')

Modules/Core/app/Http/Controllers/CoreController.php

@@ -16,6 +16,7 @@
 use Modules\Core\Models\Goal;
 use Modules\Core\Models\Transaction;
 use Modules\Core\Services\FinancialHealthService;
+use Modules\Core\Services\InspectionGuard;
 use Modules\Core\Services\SubscriptionLimitService;
 
 class CoreController extends Controller
@@ -116,6 +117,10 @@ public function dashboard()
         // Prepare category spending data for chart
         $categoryData = $this->prepareCategoryData($user);
 
+        // Mask chart data when inspection active without financial permission
+        $cashFlowData = InspectionGuard::maskChartData($cashFlowData);
+        $categoryData = InspectionGuard::maskChartData($categoryData);
+
         // Recent transactions for Pro dashboard table
         $recentTransactions = Transaction::where('user_id', $user->id)
             ->with('category')

Modules/Core/app/Http/Middleware/BlockSensitiveInspectionActions.php

@@ -4,34 +4,61 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Modules\Core\Services\InspectionGuard;
 use Symfony\Component\HttpFoundation\Response;
 
+/**
+ * Bloqueia alterações de dados durante inspeção remota.
+ * Modo inspeção = SOMENTE LEITURA. O agente pode visualizar, mas não criar, editar ou excluir.
+ */
 class BlockSensitiveInspectionActions
 {
     /**
-     * Handle an incoming request.
+     * Rotas que PODEM receber POST/PUT/PATCH durante inspeção (exceções necessárias).
      */
+    private const INSPECTION_ALLOWED_MUTATIONS = [
+        'user.inspection.accept',
+        'user.inspection.reject',
+        'support.inspection.stop',
+    ];
+
+    /**
+     * Rotas de exportação: bloqueadas quando usuário negou exibir dados financeiros.
+     */
+    private const FINANCIAL_EXPORT_ROUTES = [
+        'core.reports.export.cashflow.pdf',
+        'core.reports.export.cashflow.csv',
+        'core.reports.export.categories.csv',
+    ];
+
     public function handle(Request $request, Closure $next): Response
     {
-        if (session()->has('impersonate_inspection_id')) {
-            // Define sensitive route names or patterns
-            $sensitiveRoutes = [
-                'user.security.password',
-                'user.profile.update', // Optional: maybe agent can help fix profile? But password is critical.
-                'user.profile.delete', // If it exists
-                'admin.users.delete',
-                'admin.settings.update',
-            ];
-
-            if ($request->routeIs($sensitiveRoutes) || $request->isMethod('DELETE')) {
-                if ($request->ajax() || $request->wantsJson()) {
-                    return response()->json([
-                        'message' => 'Ação bloqueada: Agentes em modo de inspeção não podem realizar esta alteração sensível.',
-                    ], 403);
-                }
-
-                return back()->with('error', 'Ação bloqueada durante o modo de inspeção por motivos de segurança.');
+        if (! session()->has('impersonate_inspection_id')) {
+            return $next($request);
+        }
+
+        // Bloquear TODAS as mutações (POST, PUT, PATCH, DELETE) exceto as permitidas
+        $isMutation = in_array($request->method(), ['POST', 'PUT', 'PATCH', 'DELETE'], true);
+
+        if ($isMutation && ! $request->routeIs(self::INSPECTION_ALLOWED_MUTATIONS)) {
+            if ($request->ajax() || $request->wantsJson()) {
+                return response()->json([
+                    'message' => 'Modo inspeção: somente leitura. Não é possível criar, editar ou excluir dados.',
+                ], 403);
+            }
+
+            return back()->with('error', 'Modo inspeção ativo: somente visualização. Alterações não são permitidas.');
+        }
+
+        // Exportações: bloquear se usuário negou dados financeiros
+        if (InspectionGuard::shouldHideFinancialData() && $request->routeIs(self::FINANCIAL_EXPORT_ROUTES)) {
+            if ($request->ajax() || $request->wantsJson()) {
+                return response()->json([
+                    'message' => 'Exportação bloqueada: dados financeiros não autorizados para esta sessão.',
+                ], 403);
             }
+
+            return back()->with('error', 'Exportação bloqueada durante a inspeção por privacidade.');
         }
 
         return $next($request);

Modules/Core/app/Http/Middleware/StoreInspectionViewUrl.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Modules\Core\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Durante inspeção ativa: armazena a URL atual que o agente está visualizando
+ * para que o cliente possa acompanhar em tempo real via polling.
+ */
+class StoreInspectionViewUrl
+{
+    private const CACHE_PREFIX = 'inspection_view_';
+    private const CACHE_TTL_SECONDS = 90;
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+
+        $inspectionId = session('impersonate_inspection_id');
+        if ($inspectionId && $request->isMethod('GET') && ! $request->ajax()) {
+            Cache::put(self::CACHE_PREFIX . $inspectionId, $request->fullUrl(), self::CACHE_TTL_SECONDS);
+        }
+
+        return $response;
+    }
+}

Modules/Core/app/Models/TicketMessage.php

@@ -15,6 +15,11 @@ class TicketMessage extends Model
         'user_id',
         'message',
         'is_admin_reply',
+        'is_system',
+    ];
+
+    protected $casts = [
+        'is_system' => 'boolean',
     ];
 
     public function ticket()