iLeben’s admin panel is protected by Laravel Sanctum session-based authentication, meaning panel users log in with an email and password rather than a bearer token. Role enforcement is handled by Spatie Laravel Permission (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/scooller/Leben-site/llms.txt
Use this file to discover all available pages before exploring further.
spatie/laravel-permission ^7.3), which attaches named roles to users and controls access at the resource, page, and action levels. Two roles are recognized by the application: admin (full access) and marketing (read-only catalog view). Users who do not hold either role are rejected by canAccessPanel() on the User model before they reach any Filament page.
Roles Overview
| Role | Panel Access | Create / Edit / Delete | SiteSettings | Usuarios | Pagos & Tokens |
|---|---|---|---|---|---|
admin | ✅ | ✅ | ✅ | ✅ | ✅ |
marketing | ✅ | ❌ | ❌ | ❌ | ❌ |
User:
user_type column acts as a fallback for installs that have not yet run Spatie’s role sync, so both mechanisms are checked in every gate.
User Fields
Theusers table and the User model expose the following fillable attributes:
| Field | Type | Notes |
|---|---|---|
name | string | Full display name |
email | string | Unique login credential |
rut | string | Chilean tax ID, optional |
phone | string | Contact phone number, optional |
user_type | string | Role field: admin, marketing, or cliente / customer |
password | hashed string | Stored as bcrypt hash via Laravel’s hashed cast |
UserResource in Filament is restricted to admin users only — neither the navigation entry nor the canViewAny() gate is accessible to marketing users.
Creating the First Admin User
On a fresh install, no users exist. Usephp artisan tinker to seed the first admin account before accessing the panel.
Export
The users table includes Filament’sExportAction so admins can download a CSV of all user records. Like plant and payment exports, user exports are dispatched as queued jobs on the database queue, and a persistent notification appears in the Filament notification tray when the download is ready.
UserActivitiesPage
The panel ships a custom page —UserActivitiesPage — that extends the base AlizHarb\ActivityLog\Pages\UserActivitiesPage class. It renders a chronological audit trail for a specific user, showing every model change attributed to that account. Admins reach it through the Actividad action on a user record.
The page also hosts a header action for importing contact submissions via CSV:
rango_renta, apellido, phone, UTM parameters). A dedicated progress page (ContactImportProgress) tracks the job in real time from inside the panel.
API Tokens (PersonalAccessToken)
iLeben extends Sanctum’sPersonalAccessToken to add an authorized_url field and an active scope. These tokens are used by the external React frontend to authenticate API calls that require elevated data access (e.g., payment gateway configuration in GET /api/v1/site-config).
admin users can view, create, or delete tokens. Editing is intentionally disabled (canEdit() returns false).
The middleware on the public API endpoint uses PersonalAccessToken::findToken() (without relying on the session) to validate the bearer token and determine whether to expose sensitive payment gateway configuration in the site-config response.
Tokens with a non-null
expires_at are automatically excluded by the active scope. Use the panel to revoke tokens immediately by deleting the record, or set expires_at to a past timestamp.