web / api roles and permissions headache!

[tomekkicaj700]

Hi Guys!

I cannot figure this out.

In my seeder I created:

    Permission::findOrCreate(Permissions::CAN_MANAGE_USERS, "api");
    Permission::findOrCreate(Permissions::CAN_MANAGE_USERS, "web");
    Permission::findOrCreate(Permissions::CAN_MANAGE_WELDERS, "api");
    Permission::findOrCreate(Permissions::CAN_MANAGE_WELDERS, "web");

I created ADMIN roles for api and web:

   Role::create([
      "guard_name" => "api",
      "name" => Roles::ADMIN,
    ])->givePermissionTo([
      Permissions::CAN_MANAGE_USERS,
      Permissions::CAN_MANAGE_WELDERS,
    ]);

    Role::create([
      "guard_name" => "web",
      "name" => Roles::ADMIN,
    ])->givePermissionTo([
      Permissions::CAN_MANAGE_USERS,
      Permissions::CAN_MANAGE_WELDERS,
    ]);

I assign user 1 the ADMIN role:

User::find(1)->assignRole(Roles::ADMIN);

So, my user 1 has ADMIN role which has a separate set of permissions for guards: web and api

Now , in my unit tests:

1.
    $this->actingAs(User::find(1), "api");
    dd(
      auth()
        ->user()
        ->can(Permissions::CAN_MANAGE_WELDERS)
    );
returns FALSE

2.
    $this->actingAs(User::find(1), "web");
    dd(
      auth()
        ->user()
        ->can(Permissions::CAN_MANAGE_WELDERS)
    );
returns TRUE

I don't understand why test 1 fails ???
I'm really helpless, Spatie manual does't help, it just mentions 2 sets of permissions for api and web but it's what I just did, but it doesn't work.

Thanks!

[parallels999]

User::find(1)->assignRole(Roles::ADMIN);

That only assign Roles::ADMIN on web, not on api

[tomekkicaj700]

Then how do I make user 1 to have ADMIN role for both web and api guard?

[parallels999]

@drbyte there was a PR trying to make possible assignment on different guards #2291, but it was a big breaking change
how about this idea:

$user = User::find(1);
$user->usingGuard('web')->assignRole(Roles::ADMIN);
$user->usingGuard('api')->assignRole(Roles::ADMIN);

on usingGuard, it changes a property on $user, so

laravel-permission/src/Guard.php

Lines 16 to 26 in e64d2f9

	public static function getNames($model): Collection
	{
	$class = is_object($model) ? get_class($model) : $model;
	if (is_object($model)) {
	if (\method_exists($model, 'guardName')) {
	$guardName = $model->guardName();
	} else {
	$guardName = $model->getAttributeValue('guard_name');
	}
	}

public static function getNames($model): Collection 
 { 
     $class = is_object($model) ? get_class($model) : $model; 
  
     if (is_object($model)) { 
         if($model->usingGuard) {
             $guardName = $model->usingGuard;
         } else if (\method_exists($model, 'guardName')) { 
             $guardName = $model->guardName(); 
         } else { 
             $guardName = $model->getAttributeValue('guard_name'); 
         } 
     }

the idea can be improved, but I hope I have explained myself

[drbyte]

@parallels999 I see your point.
But I don't "get" why it's "needed" to pass a string guard_name when assigning roles/permissions.

Practically speaking, I don't think most implementations bother being aware of which Guard they "intend" to assign a role or permission "for".

In the case of legitimately intending a certain alternate guard, querying the model from the db will be enough to use it when assigning.

And in the majority of cases most apps only really care about a single set of permissions, agnostic of which guard the user is connected via.

[drbyte]

In your sample code you're using ->can(PERMISSION_NAME) instead of hasPermissionTo(PERMISSION_NAME, GUARD_NAME) or hasPermissionTo(PERMISSION_MODEL_INSTANCE).
Using can() requires a lookup of the guard_name and uses defaults, whereas with hasPermissionTo() you can pass a guard_name or an instance which already relates to the guard_name.

However, if your app structure does NOT differentiate between guards when it comes to roles/permissions, (ie: if ALL your roles/permissions are the SAME for ALL guards), you could try adding this override to your User model, and then you'd only need to create roles/permissions for that single guard_name, not duplicating them:

    protected function getDefaultGuardName(): string { return 'web'; }

[tomekkicaj700]

Thanks drbyte but still same problem, only the below returns true

    $this->actingAs(User::find(1), "api");  //no matter if  guard is "web" or "api" or none
    dd(
      auth()
        ->user()
        ->hasPermissionTo(Permissions::CAN_MANAGE_WELDERS, "web")
    );
returns TRUE

hasPermissionTo(Permissions::CAN_MANAGE_WELDERS, "api") always returns FALSE

my ROLES table looks like this:

id	name	guard_name
1	Admin	web
2	Admin	api

my MODEL_HAS_ROLES table looks like this:

role_id	model_type	model_id
1	App\Models\User	1

Now, I manually editted MODEL_HAS_ROLES and added new row:

role_id	model_type	model_id
1	App\Models\User	1
2	App\Models\User	1

..and everything works perfectly, both your suggestion:
hasPermissionTo(Permissions::CAN_MANAGE_WELDERS, "api")
and
can(Permissions::CAN_MANAGE_WELDERS)

Looks like I need to call:

User::find(1)->assignRole(Roles::ADMIN) with both "api" and "web" guards but assignRole doesn't seem to accept the guard
argument?

[drbyte]

$role = Role::findByName(Roles::ADMIN, 'api');

$user->assignRole($role);

Edit: I think you have to pass an attributes array to findByName...

[tomekkicaj700]

Many thanks! I didn't think of that!
Your other sollution with:
protected function getDefaultGuardName(): string { return 'web'; }

works too, I need to figure out yet if it's worthwhile to split permissions into web and api domains.

cheers
Tom