Spatie\Permission\Exceptions\GuardDoesNotMatch exception when using custom auth user provider

[cwoodrgr]

Greetings,

When implement this package, I have run into a problem.

I am creating a Role in my tests like so:

$role = Role::create(['name' => 'Super Admin']);

When I run the tests, the following exception is thrown:

Spatie\Permission\Exceptions\GuardDoesNotMatch : The given role or permission should use guard `` instead of `web`

My package versions are:
laravel/framework => 8.74.0
directorytree/ldaprecord-laravel => 2.5.2
spatie/laravel-permission => 5.4

I am using a non-standard auth provider setup because I use the directorytree/ldaprecord-laravel package for authentication.

The user provider looks something like this:

// config/auth.php

'providers' => [
    // ...

    'users' => [
        'driver' => 'ldap',
        'model' => LdapRecord\Models\ActiveDirectory\User::class,
        'rules' => [],
        'database' => [
            'model' => App\User::class,
            'sync_passwords' => true,
            'sync_attributes' => [
                'name' => 'cn',
                'email' => 'mail',
            ],
            'sync_existing' => [
                'email' => 'mail',
            ],
            'password_column' => 'password',
        ],
    ],
],

If I revert my user provider back to a "standard" setup:

'users'    => [
            'driver' => 'eloquent',
            'model'  => \App\Models\User::class,
        ],

I no longer get the exception and the Role works; however, I can no longer log in because ldap authentication breaks.

I have tried specifying a guard_name on the Role as well as defining a $guard_name property on my model, non of which resolved the issue.

For example:

When I specify a guard_name on the Role:

$role = Role::create(['name' => 'Super Admin', 'guard_name' => '']);

It still throws the same exception but the message changes slightly:

Spatie\Permission\Exceptions\GuardDoesNotMatch : The given role or permission should use guard `` instead of ``.

Any advice on this would be appreciated.

Thank you.

[erikn69]

Don't show your provider, show your guards, example:

    'guards' => [
        'web' => [
            'driver' => 'session_multiple',//'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'passport',//'token',
            'provider' => 'users',
            //'hash' => false,
        ],
    ],

Save the Role with the real guard_name
Also, for test you have to set guard_name on model, or as default on config, read documentation

[cwoodrgr]

Here is my guard, it is unchanged from default install of Laravel:

'defaults' => [
        'guard'     => 'web',
        'passwords' => 'users',
    ],

'guards' => [
        'web'  => [
            'driver'   => 'session',
            'provider' => 'users',
        ],
    ],

I can change the gaurd_name in the creation of the Role:

$role = Role::create(['name' => 'Super Admin', 'guard_name' => 'web']);

However, that doesn't appear to do anything different. I still get the same exception.

And I if I understand correctly 'web' is the default guard in Laravel.

I also forgot to mention I am use Sanctum and the guard specified in the sanctum.php config file is 'web'.

I have ready through lots of the documentation and was unable to reach a solution which is why I asked the question. If you have a specific reference in the documentation that will help me with this issue could you please include a link to the page because I must have missed it.

Thanks.

[erikn69]

could you create a minimal Laravel app that demonstrates the issue? Or maybe create a failing tests for authors to look at? example

[cwoodrgr]

Here is a link to an example app.

I only created one test but it is throwing the exception in question.

https://github.com/cwoodrgr/laravel-permission-ldaprecord-issue

[erikn69]

It's the first answer that i did give you, and in the second i mentioned it again, read again, read docs
I have noticed that the documentation does not work, or no one read it

[captainfodder]

Well I think I found the solution, it worked for me but I'm very new to Laravel so I don't fully understand why this fixed it for me or if it is the proper solution. There is a closed issue here that had the solution: #358

I added the following to the bottom of my 'app/Models/User.php' file:
protected string $guard_name = 'web';

I'm guessing this should work for you @cwoodrgr since you are using the default guard & providers like I am, but your mileage may vary.

[erikn69]

is LdapRecord\Models\ActiveDirectory\User::class an eloquent model?
has LdapRecord\Models\ActiveDirectory\User::class guard_name propertie?

[cwoodrgr]

I can get a demo app up shortly.

LdapRecord\Models\ActiveDirectory\User::class is not an eloquent model

I did try creating a new class extending LdapRecord\Models\ActiveDirectory\User and including a 'guard_name' property set to 'web' and referencing that class in my user provider. That did not change the exception.

[erikn69]

Maybe not supported non eloquent models, i'm not the author, i can't answer that

[captainfodder]

I too am having this issue and also using the same LDAP package.

   Spatie\Permission\Exceptions\GuardDoesNotMatch 

  The given role or permission should use guard `` instead of `web`.

  at vendor/spatie/laravel-permission/src/Exceptions/GuardDoesNotMatch.php:12
      8▕ class GuardDoesNotMatch extends InvalidArgumentException
      9▕ {
     10▕     public static function create(string $givenGuard, Collection $expectedGuards)
     11▕     {
  ➜  12▕         return new static("The given role or permission should use guard `{$expectedGuards->implode(', ')}` instead of `{$givenGuard}`.");
     13▕     }
     14▕ }
     15▕ 

      +4 vendor frames 
  5   database/seeders/UserSeeder.php:106
      App\Models\User::assignRole("read only")

      +23 vendor frames 
  29  artisan:37
      Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))

My package versions are:
laravel/framework => 9.8.1
directorytree/ldaprecord-laravel => 2.5.5
spatie/laravel-permission => 5.5.2

I am using the same default guards, but I modified my provider to make work with ldaprecord:
"config/auth.php":

    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],
    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
    ],
    'providers' => [
        'users' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\OpenLDAP\User::class,
            'database' => [
                'model' => \App\Models\User::class,
                'sync_passwords' => true,
                'sync_attributes' => [
                    'name' => 'cn',
                    'email' => 'mail',
                    'username' => 'uid',
                ],
                'sync_existing' => [
                    'username' => 'uid',
                ],
            ],
        ],
    ],

[erikn69]

#1950 (reply in thread)
If you find the solution let a feedback

[captainfodder]

I don't know if it helps anyone with this but I am getting this error when I am running php artisan db:seed --class=UserSeeder within my PhpStorm terminal.

This is the contents of my UserSeeder.php file:

<?php

namespace Database\Seeders;

use Illuminate\Database\Console\Seeds\WithoutModelEvents;
use Illuminate\Database\Seeder;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

class UserSeeder extends Seeder
{
    /**
     * Run the database seeds.
     *
     * @return void
     */
    public function run()
    {
        // create default base user
        $baseUser = User::where('email', '[email protected]')->first();
        if (!$baseUser) {
            $baseUser = new User();
            $baseUser->name = 'Default User';
            $baseUser->domain = 'local';
            $baseUser->username = 'default.user';
            $baseUser->email = '[email protected]';
            $baseUser->active = 0;
            $baseUser->administrator = 0;
            $baseUser->password = Hash::make('{redacted}');
            $baseUser->save();
        }

        // reset cached roles and permissions
        app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions();
        // create permissions
        Permission::create(['name' => 'view customers']);
        Permission::create(['name' => 'edit customers']);
        Permission::create(['name' => 'delete customers']);

        // create roles and assign created permissions
        Role::create(['name' => 'read only'])
            ->givePermissionTo([
                'view customers',
            ]);

        $baseUser->assignRole('read only');
    }
}

[erikn69]

https://spatie.be/docs/laravel-permission/v5/advanced-usage/extending

[captainfodder]

Well I think I found the solution, it worked for me but I'm very new to Laravel so I don't fully understand why this fixed it for me or if it is the proper solution. There is a closed issue here that had my solution: #358

I added the following to the bottom of my 'app/Models/User.php' file:
protected string $guard_name = 'web';

then I ran these three commands to re-test and the code executed successfully:

$ php artisan migrate:rollback
Rolling back: 2022_04_19_102932_create_permission_tables
Rolled back:  2022_04_19_102932_create_permission_tables (8.12ms)
$ php artisan migrate
Migrating: 2022_04_19_102932_create_permission_tables
Migrated:  2022_04_19_102932_create_permission_tables (76.35ms)
$ php artisan db:seed --class=UserSeeder
Database seeding completed successfully.

[andrekutianski]

In my scenario I need that User Model can be associate with roles for multiple guards, to accomplish that I just define $guard_name on Model as array with all guard_names that can this can be associated.

namespace App\Models;

Class User extends UserModel
{

// ...

protected array $guard_name = ['api', 'web'];

// ...

}

With that, I can assign model to multiple guards.