Team Permission doesn't work for why?

[carveybunt]

macOS: 12.5
laravel: 10.10
permission: 5.10

I enable team in Config/permission.php, and then migrate. In addition, I created the middleware file TeamSpermission, as shown in the document. And add it to $middlewarePriority in app/Http/Kernel.php.

I already defined a Super-Admin in AuthServiceProvider.php, the following:

use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        Gate::before(function ($user, $ability) {
            return $user->hasRole('super admin','back_users') ? true : null;
        });
    }
}

I check permission via the middleware of the route.

Route::get("/org/list", "list")->middleware(['role_or_permission:super admin|OrganizationList,back_users']);

I got an error when I used super-admin or other users. Error following:

"message": "User does not have any of the necessary access rights.",

Where is my code or operation wrong? Someone can help me, please?

[erikn69]

is 'back_users' the guard_name??

#2470 (comment)

[carveybunt]

yes, 'back_users' is guard_name. So, how to make the team working？

[drbyte]

So, how to make the team working?

None of your code samples show anything about using teams. Please post the code you're using to activate a team for a user before trying to authorize that user.

[LuizCristino]

For some mysterious reasons, at least for me, when using teams, the gate on the documentation

Gate::before(function ($user, $ability) {
    return $user->hasRole('Super Admin') ? true : null;
});

Always returns false, even tough I created my role with team_id null

{
  "id" : 1,
  "team_id" : null,
  "name" : "Super Admin",
  "guard_name" : "web",
  "created_at" : "2023-09-19T19:08:55.000Z",
  "updated_at" : "2023-09-19T19:12:41.000Z"
}

The only thing I could suppose is that hasRoles() doesn't work with team_id null, it will always check for the current user team and skip global roles.

To anyone with the same problem, I created this function inside the User model

public function isSuperAdmin(): bool
{
    $isSuperAdmin = DB::table('model_has_roles')
        ->leftJoin('roles', 'model_has_roles.role_id', '=', 'roles.id')
        ->where('model_has_roles.model_type', '=', User::class)
        ->where('model_has_roles.model_id', '=', $this->id)
        ->where('roles.name', '=', config('constants.roles.super_admin')) // I defined some constant to re-use through the system
        ->whereNull('roles.team_id')
        ->exists();

    return $isSuperAdmin;
}

[parallels999]

I checked getPermissionsTeamId() and it's returning null inside the Gate

You have to set it on session, example: #2075

Did you set setPermissionsTeamId on middleware?

[LuizCristino]

Also yes. And added it to middlewarePriority inside \App\Http\Kernel.php

[erikn69]

I did make a test, it works as expected

  /** @test */
  public function it_allows_other_gate_before_callbacks_to_run_if_a_user_does_not_have_a_permission_on_teams()
  {
      config()->set('permission.teams', true);
      app(PermissionRegistrar::class)->teams = true;
      (require glob(__DIR__ . '/../database/migrations/add_teams_fields.php.stub')[0])->up();

      setPermissionsTeamId(1);
      $this->testAdmin->assignRole($this->testAdminRole);

      $this->assertFalse($this->testAdmin->can('admin-permission'));

      app(Gate::class)->before(function ($user) {
          return $user->hasRole($this->testAdminRole) ? true : null;
      });

      $this->assertTrue($this->testAdmin->can('admin-permission'));
      $this->assertFalse($this->testUser->can('edit-articles'));

      setPermissionsTeamId(2);
      $this->testAdmin->load('roles');

      $this->assertFalse($this->testAdmin->can('admin-permission'));
  }
//RESULT: 
//Time: 00:00.210, Memory: 26.00 MB
//OK (1 test, 4 assertions)

You probably have some customization that is influencing

[LuizCristino]

I think it's highly unlikely I started a new project and only installed the "spatie/laravel-permissions". I followed every step on the documentation. The documentation is complete, but also gives an “incomplete” feeling.

Although, I'll never dismiss the possibility that I did something wrong.

I appreciate your time and effort. Thank you.

[LuizCristino]

I will leave here the trait I created and am currently using it.

<?php

namespace App\Traits;

trait HasGlobalRoleTrait
{
  private function hasGlobalRole(string $roleName): bool
  {
    if (!is_subclass_of(static::class, \Illuminate\Database\Eloquent\Model::class)) {
      throw new \Exception('Class ' . static::class . ' has to extends \Illuminate\Database\Eloquent\Model');
    }

    $hasGlobalRole = \Illuminate\Support\Facades\DB::table('model_has_roles')
      ->leftJoin('roles', 'model_has_roles.role_id', '=', 'roles.id')
      ->where('model_has_roles.model_type', '=', static::class)
      ->where('model_has_roles.model_id', '=', $this->toArray()[$this->primaryKey])
      ->where('roles.name', '=', $roleName)
      ->whereNull('roles.team_id')
      ->exists();

    return $hasGlobalRole;
  }

  public function isSuperAdmin(): bool
  {
    return $this->hasGlobalRole(config('constants.roles.super_admin'));
  }

  public function isAdmin(): bool
  {
    return $this->hasGlobalRole(config('constants.roles.admin'));
  }
}