Deny a permission for a user

[Allgoodnamesargone]

Hello,
Well i have no problem in my setup so far but this.
Let's assume we have a role named 'Admin' that has users:read and users:create permission.
And we have user Jack with 'Admin' role.
but how can i remove the users:read permission only for this user and not the whole role?

we know that Permissions are assignable to both Role and User and roles are built to minimize the work for the admins in assigning permissions to the users.
But i really cannot think how assigning a permission to a user can deny it from doing something.

[erikn69]

Read other issues or discussions before opening a new one, it is not so hard, look
#1895 (comment)
#1936
#1934

[Allgoodnamesargone]

Well i got time to implement the trait @erikn69 made
But i used to do minor modifications the trait.
Create HasRolesAndForbiddenPermissions.php file in App/Traits/Permissions folder with the content below:

<?php

namespace App\Traits\Permissions;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Support\Collection;
use Spatie\Permission\Contracts\Permission;
use Spatie\Permission\Exceptions\PermissionDoesNotExist;
use Spatie\Permission\PermissionRegistrar;

trait HasRolesAndForbiddenPermissions
{
    use \Spatie\Permission\Traits\HasRoles {
        hasPermissionTo as protected hasPermissionToTrait;
        hasPermissionViaRole as hasPermissionViaRoleTrait;
        hasDirectPermission as hasDirectPermissionTrait;
        getPermissionsViaRoles as getPermissionsViaRolesTrait;
        getAllPermissions as getAllPermissionsTrait;
    }

    /** @noinspection PhpUnused */
    public static function bootHasForbiddenPermissions(): void
    {
        static::deleting(static function (Model $model) {
            if (method_exists($model, 'isForceDeleting') && !$model->isForceDeleting()) {
                return;
            }

            $model->forbiddenPermissions()->detach();
        });
    }

    private function getPermissionClassKeyName(): string
    {
        $class = $this->getPermissionClass();

        return (new $class)->getKeyName();
    }

    public function forbiddenPermissions(): BelongsToMany
    {
        $relation = $this->morphToMany(
            config('permission.models.permission'),
            'model',
            config('permission.table_names.model_has_forbidden_permissions'),
            config('permission.column_names.model_morph_key'),
            PermissionRegistrar::$pivotPermission
        );

        if (!PermissionRegistrar::$teams) {
            return $relation;
        }

        return $relation->wherePivot(PermissionRegistrar::$teamsKey, getPermissionsTeamId());
    }

    public function hasPermissionTo($permission, $guardName = null): bool
    {
        if ($this->hasForbiddenPermission($permission)) {
            return false;
        }

        return $this->hasPermissionToTrait($permission, $guardName);
    }

    private function filterPermission($permission): Permission
    {
        $permissionClass = $this->getPermissionClass();

        if (is_string($permission)) {
            $permission = $permissionClass::findByName($permission, $this->getDefaultGuardName());
        }

        if (is_int($permission)) {
            $permission = $permissionClass::findById($permission, $this->getDefaultGuardName());
        }

        if (!$permission instanceof Permission) {
            throw new PermissionDoesNotExist();
        }

        return $permission;
    }

    public function hasForbiddenPermission($permission): bool
    {
        $permissionFound = $this->filterPermission($permission);

        return $this->forbiddenPermissions->contains($permissionFound->getKeyName(), $permissionFound->getKey());
    }

    /**
     * @param  string[]  $permissions
     * @return array
     */
    private function collectPermissions(string|array|Collection $permissions): array
    {
        return collect($permissions)
            ->flatten()
            ->reduce(function ($array, $permission) {
                if (empty($permission)) {
                    return $array;
                }

                $permission = $this->getStoredPermission($permission);
                if (!$permission instanceof Permission) {
                    return $array;
                }

                $this->ensureModelSharesGuard($permission);

                $array[$permission->getKey()] = PermissionRegistrar::$teams && !is_a(
                    $this,
                    config('permission.models.role')
                ) ?
                    [PermissionRegistrar::$teamsKey => getPermissionsTeamId()] : [];

                return $array;
            }, []);
    }

    /** @noinspection PhpUnused */
    public function forbidPermissionTo(string|array|Collection $permissions = []): static
    {
        if (is_string($permissions)) {
            /** @var array $permissions */
            $permissions = [$permissions];
        }

        $permissions = $this->collectPermissions($permissions);
        $model = $this->getModel();

        if ($model->exists) {
            $this->forbiddenPermissions()->sync($permissions, false);
            $model->load('forbiddenPermissions');
        } else {
            /** @var Model $class */
            $class = \get_class($model);

            $class::saved(
                static function ($object) use ($permissions, $model) {
                    if ($model->getKey() !== $object->getKey()) {
                        return;
                    }

                    $model->forbiddenPermissions()->sync($permissions, false);
                    $model->load('forbiddenPermissions');
                }
            );
        }

        return $this;
    }

    /** @noinspection PhpUnused */
    public function unforbidPermissionTo(string|array|Collection $permissions): static
    {
        $forbiddenPermissions = $this->forbiddenPermissions();
        $forbiddenPermissions->detach(array_keys($this->collectPermissions($permissions)));

        $this->load('forbiddenPermissions');

        return $this;
    }

    protected function hasPermissionViaRole(Permission $permission): bool
    {
        if ($this->hasForbiddenPermission($permission)) {
            return false;
        }

        return $this->hasPermissionViaRoleTrait($permission);
    }

    public function hasDirectPermission($permission): bool
    {
        if ($this->hasForbiddenPermission($permission)) {
            return false;
        }

        return $this->hasDirectPermissionTrait($permission);
    }

    public function getPermissionsViaRoles(): Collection
    {
        $keyName = $this->getPermissionClassKeyName();

        return $this->getPermissionsViaRolesTrait()->whereNotIn(
            $keyName,
            $this->forbiddenPermissions->pluck($keyName)->toArray()
        )->values();
    }

    public function getAllPermissions(): Collection
    {
        $keyName = $this->getPermissionClassKeyName();

        return $this->getAllPermissionsTrait()->whereNotIn(
            $keyName,
            $this->forbiddenPermissions->pluck($keyName)->toArray()
        )->values();
    }

    /** @noinspection PhpUnused */
    public function syncForbiddenPermissions(string|array|Collection $permissions = []
    ): static {
        if (is_string($permissions)) {
            $permissions = [$permissions];
        }

        $this->forbiddenPermissions()->detach();

        return $this->forbidPermissionTo($permissions);
    }

    /** @noinspection PhpUnused */
    public function getForbiddenPermissionNames(): Collection
    {
        return $this->forbiddenPermissions->pluck('name');
    }
}

Add the config below in permission.php config file in the table_names array:

         /*
         * When using the "HasPermissions" trait from this package, we need to know which
         * table should be used to retrieve your models forbidden permissions. We have chosen a
         * basic default value but you may easily change it to any table you like.
         */

        'model_has_forbidden_permissions' => 'model_has_forbidden_permissions',

Add the code below in create_permission_tables.php migration file, before the Schema::create($tableNames['model_has_roles']...:

        Schema::create(
            $tableNames['model_has_forbidden_permissions'],
            function (Blueprint $table) use ($tableNames, $columnNames, $teams) {
                $table->unsignedBigInteger(PermissionRegistrar::$pivotPermission);

                $table->string('model_type');
                $table->unsignedBigInteger($columnNames['model_morph_key']);
                $table->index([$columnNames['model_morph_key'], 'model_type'],
                    'model_has_forbidden_permissions_model_id_model_type_index');

                $table->foreign(PermissionRegistrar::$pivotPermission)
                    ->references('id') // permission id
                    ->on($tableNames['permissions'])
                    ->onDelete('cascade');
                if ($teams) {
                    $table->unsignedBigInteger($columnNames['team_foreign_key']);
                    $table->index(
                        $columnNames['team_foreign_key'],
                        'model_has_forbidden_permissions_team_foreign_key_index'
                    );

                    $table->primary(
                        [
                            $columnNames['team_foreign_key'], PermissionRegistrar::$pivotPermission,
                            $columnNames['model_morph_key'], 'model_type',
                        ],
                        'model_has_forbidden_permissions_permission_model_type_primary'
                    );
                } else {
                    $table->primary(
                        [PermissionRegistrar::$pivotPermission, $columnNames['model_morph_key'], 'model_type'],
                        'model_has_forbidden_permissions_permission_model_type_primary'
                    );
                }

            }
        );

And add Schema::dropIfExists($tableNames['model_has_forbidden_permissions']); in the down method of the migration file after Schema::drop($tableNames['model_has_permissions']);

Done, this is totally tested and working.

Thanks to @erikn69

[Allgoodnamesargone]

However, as always, an officially implemented method is better so it would be great if the developers implement such a thing in spatie/laravel-permission officially.

[erikn69]

\App\Models\CentralUser|\App\Models\Tenant\User|Model

?? Do you think that these models are generic and we all have them?

A lot of unnecessary duplicity

You did remove collections support on methods on your version, only string and array are supported,
is a mistake or intentional?

You breaks consistency, my version still is better option

[Allgoodnamesargone]

@erikn69 edited the code and removed those models.
Such a small mistakes can happen when you copy/paste a code from a project, i don't understand why you got mad?

While i was looking into your code in my project, i seen issue that was making the code to now work so i decided to do my work on it. for example, the one you edited 2 hours ago after my modifications.

You did remove collections support on methods on your version, only string and array are supported,
is a mistake or intentional?

Collections support was also not working everywhere, like in unforbidPermissionTo! guess why? because getStoredPermission doesn't support collections. unforbidPermissionTo has been failing silently without errors but also without doing it's job.
Anyway, i dropped the collection support because it was just useless while there are both string and array support, not actually useless but barely used.

Finally, i have edited the code to satisfy you, @erikn69 .
I would like to know about other issues if any so i fix and make it better, thanks.

[erikn69]

i don't understand why you got mad?

😄😄😄😄 you are lucky that there is someone who gives you corrections, the authors would never answer you

Finally, i have edited the code to satisfy you, @erikn69 .

I'm not using that, I'm just giving an example for anyone who wants that functionality with the intention of helping, so I try to make everything generic and consistent with the official source, at most my reward is credit when I am marked as answered on sign of thanks for the help

the one you edited 2 hours ago after my modifications.

When you write a lot of code without an editor or any testing it is very likely that there are typing or copy/paste errors

Also, It would also be very helpful if you use the 'markdown' correctly for readability, example ```php

[Allgoodnamesargone]

lol