Repository: spatie/laravel-permission Branch: main Commit: c2d537a43aab Files: 161 Total size: 651.4 KB Directory structure: gitextract_mhl3dih5/ ├── .editorconfig ├── .gitattributes ├── .github/ │ ├── FUNDING.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── 1_Bug_report.yml │ │ └── config.yml │ ├── dependabot.yml │ └── workflows/ │ ├── dependabot-auto-merge.yml │ ├── fix-php-code-style-issues.yml │ ├── phpstan.yml │ ├── run-tests.yml │ ├── test-cache-drivers.yml │ └── update-changelog.yml ├── .gitignore ├── CHANGELOG.md ├── LICENSE.md ├── README.md ├── art/ │ └── README.md ├── composer.json ├── config/ │ └── permission.php ├── database/ │ └── migrations/ │ ├── add_teams_fields.php.stub │ └── create_permission_tables.php.stub ├── docs/ │ ├── _index.md │ ├── about-us.md │ ├── advanced-usage/ │ │ ├── _index.md │ │ ├── cache.md │ │ ├── custom-permission-check.md │ │ ├── events.md │ │ ├── exceptions.md │ │ ├── extending.md │ │ ├── other.md │ │ ├── phpstorm.md │ │ ├── seeding.md │ │ ├── testing.md │ │ ├── timestamps.md │ │ ├── ui-options.md │ │ └── uuid.md │ ├── basic-usage/ │ │ ├── _index.md │ │ ├── artisan.md │ │ ├── basic-usage.md │ │ ├── blade-directives.md │ │ ├── direct-permissions.md │ │ ├── enums.md │ │ ├── middleware.md │ │ ├── multiple-guards.md │ │ ├── new-app.md │ │ ├── passport.md │ │ ├── role-permissions.md │ │ ├── super-admin.md │ │ ├── teams-permissions.md │ │ └── wildcard-permissions.md │ ├── best-practices/ │ │ ├── _index.md │ │ ├── performance.md │ │ ├── roles-vs-permissions.md │ │ └── using-policies.md │ ├── changelog.md │ ├── installation-laravel.md │ ├── introduction.md │ ├── prerequisites.md │ ├── questions-issues.md │ ├── support-us.md │ └── upgrading.md ├── ide.json ├── phpstan-baseline.neon ├── phpstan.neon.dist ├── phpunit.xml.dist ├── pint.json ├── resources/ │ └── boost/ │ └── skills/ │ └── laravel-permission-development/ │ └── SKILL.md ├── src/ │ ├── Commands/ │ │ ├── AssignRoleCommand.php │ │ ├── CacheResetCommand.php │ │ ├── CreatePermissionCommand.php │ │ ├── CreateRoleCommand.php │ │ ├── ShowCommand.php │ │ └── UpgradeForTeamsCommand.php │ ├── Contracts/ │ │ ├── Permission.php │ │ ├── PermissionsTeamResolver.php │ │ ├── Role.php │ │ └── Wildcard.php │ ├── DefaultTeamResolver.php │ ├── Events/ │ │ ├── PermissionAttachedEvent.php │ │ ├── PermissionDetachedEvent.php │ │ ├── RoleAttachedEvent.php │ │ └── RoleDetachedEvent.php │ ├── Exceptions/ │ │ ├── GuardDoesNotMatch.php │ │ ├── PermissionAlreadyExists.php │ │ ├── PermissionDoesNotExist.php │ │ ├── RoleAlreadyExists.php │ │ ├── RoleDoesNotExist.php │ │ ├── UnauthorizedException.php │ │ ├── WildcardPermissionInvalidArgument.php │ │ ├── WildcardPermissionNotImplementsContract.php │ │ └── WildcardPermissionNotProperlyFormatted.php │ ├── Guard.php │ ├── Middleware/ │ │ ├── PermissionMiddleware.php │ │ ├── RoleMiddleware.php │ │ └── RoleOrPermissionMiddleware.php │ ├── Models/ │ │ ├── Permission.php │ │ └── Role.php │ ├── PermissionRegistrar.php │ ├── PermissionServiceProvider.php │ ├── Traits/ │ │ ├── HasPermissions.php │ │ ├── HasRoles.php │ │ └── RefreshesPermissionCache.php │ ├── WildcardPermission.php │ └── helpers.php └── tests/ ├── Commands/ │ ├── CommandTest.php │ └── TeamCommandTest.php ├── Integration/ │ ├── BladeTest.php │ ├── CacheTest.php │ ├── CustomGateTest.php │ ├── GateTest.php │ ├── MultipleGuardsTest.php │ ├── PermissionRegistrarTest.php │ ├── PolicyTest.php │ ├── RouteTest.php │ └── WildcardRouteTest.php ├── Middleware/ │ ├── PermissionMiddlewareTest.php │ ├── RoleMiddlewareTest.php │ ├── RoleOrPermissionMiddlewareTest.php │ └── WildcardMiddlewareTest.php ├── Models/ │ ├── PermissionTest.php │ ├── RoleTest.php │ ├── RoleWithNestingTest.php │ └── WildcardRoleTest.php ├── Pest.php ├── TestSupport/ │ ├── ContentPolicy.php │ ├── TestCase.php │ ├── TestHelper.php │ ├── TestModels/ │ │ ├── Admin.php │ │ ├── Client.php │ │ ├── Content.php │ │ ├── Manager.php │ │ ├── Permission.php │ │ ├── Role.php │ │ ├── RuntimeRole.php │ │ ├── SoftDeletingUser.php │ │ ├── TestRolePermissionsEnum.php │ │ ├── User.php │ │ ├── UserWithoutHasRoles.php │ │ └── WildcardPermission.php │ └── resources/ │ └── views/ │ ├── can.blade.php │ ├── guardHasAllRoles.blade.php │ ├── guardHasAllRolesArray.blade.php │ ├── guardHasAllRolesPipe.blade.php │ ├── guardHasAnyRole.blade.php │ ├── guardHasAnyRolePipe.blade.php │ ├── guardHasRole.blade.php │ ├── guardRole.blade.php │ ├── guardunlessrole.blade.php │ ├── hasAllRoles.blade.php │ ├── hasAnyRole.blade.php │ ├── hasRole.blade.php │ ├── haspermission.blade.php │ ├── role.blade.php │ └── unlessrole.blade.php └── Traits/ ├── HasPermissionsTest.php ├── HasPermissionsWithCustomModelsTest.php ├── HasRolesTest.php ├── HasRolesWithCustomModelsTest.php ├── TeamHasPermissionsTest.php ├── TeamHasRolesTest.php └── WildcardHasPermissionsTest.php ================================================ FILE CONTENTS ================================================ ================================================ FILE: .editorconfig ================================================ ; This file is for unifying the coding style for different editors and IDEs. ; More information at http://editorconfig.org root = true [*] charset = utf-8 indent_size = 4 indent_style = space end_of_line = lf insert_final_newline = true trim_trailing_whitespace = true [*.md] trim_trailing_whitespace = false ================================================ FILE: .gitattributes ================================================ # Path-based git attributes # https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html # Ignore all test and documentation with "export-ignore". /.github export-ignore /.gitattributes export-ignore /.gitignore export-ignore /phpunit.xml.dist export-ignore /art export-ignore /docs export-ignore /tests export-ignore /.editorconfig export-ignore /.php_cs.dist.php export-ignore /phpstan* export-ignore /CHANGELOG.md export-ignore /CONTRIBUTING.md export-ignore ================================================ FILE: .github/FUNDING.yml ================================================ github: spatie ================================================ FILE: .github/ISSUE_TEMPLATE/1_Bug_report.yml ================================================ name: Bug Report description: "Report a reproducible bug." body: - type: markdown attributes: value: | Before creating a new Bug Report, please check that there isn't already a similar issue on [the issue tracker](https://github.com/spatie/laravel-permission/issues) or in [the discussions](https://github.com/spatie/laravel-permission/discussions). Also, **many issues/questions/problems are already answered** in the [documentation](https://spatie.be/docs/laravel-permission) already. **Please be sure to check the docs** because it will save you time! - type: textarea attributes: label: Description description: A clear and concise description of what the bug is. validations: required: true - type: textarea attributes: label: Steps To Reproduce description: How do you trigger this bug? Please walk us through it step by step. value: | 1. 2. 3. ... validations: required: true - type: input attributes: label: Example Application description: "Here is a link to my Github repo containing a minimal Laravel application which shows my problem:" - type: markdown attributes: value: | You can use `composer show` to get package version numbers: - type: input attributes: label: "Version of spatie/laravel-permission package:" validations: required: true - type: input attributes: label: "Version of laravel/framework package:" validations: required: true - type: input attributes: label: "PHP version:" validations: required: true - type: input attributes: label: "Database engine and version:" - type: input attributes: label: "OS: Windows/Mac/Linux version:" ================================================ FILE: .github/ISSUE_TEMPLATE/config.yml ================================================ blank_issues_enabled: true contact_links: - name: Feature Request url: https://github.com/spatie/laravel-permission/discussions/new?category=ideas about: Share ideas for new features - name: Ask a Question url: https://github.com/spatie/laravel-permission/discussions/new?category=q-a about: Ask the community for help ================================================ FILE: .github/dependabot.yml ================================================ version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" ================================================ FILE: .github/workflows/dependabot-auto-merge.yml ================================================ name: dependabot-auto-merge on: pull_request_target permissions: pull-requests: write contents: write jobs: dependabot: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} steps: - name: Dependabot metadata id: metadata uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" compat-lookup: true - name: Auto-merge Dependabot PRs for semver-minor updates if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor'}} run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - name: Auto-merge Dependabot PRs for semver-patch updates if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}} run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - name: Auto-merge Dependabot PRs for Action major versions when compatibility is higher than 90% if: ${{steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type == 'version-update:semver-major' && steps.metadata.outputs.compatibility-score >= 90}} run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GH_TOKEN: ${{secrets.GITHUB_TOKEN}} ================================================ FILE: .github/workflows/fix-php-code-style-issues.yml ================================================ name: Fix PHP code style issues on: push: paths: - '**.php' jobs: php-code-styling: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 with: ref: ${{ github.head_ref }} - name: Fix PHP code style issues uses: aglipanci/laravel-pint-action@v2 - name: Commit changes uses: stefanzweifel/git-auto-commit-action@v7 with: commit_message: Fix styling ================================================ FILE: .github/workflows/phpstan.yml ================================================ name: PHPStan on: push: paths: - '**.php' - 'phpstan.neon.dist' pull_request: paths: - '**.php' - 'phpstan.neon.dist' jobs: phpstan: name: phpstan runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: 8.4 coverage: none - name: Install composer dependencies uses: ramsey/composer-install@v4 - name: Install larastan run: | composer require "larastan/larastan" --no-interaction --no-update composer update --prefer-dist --no-interaction - name: Run PHPStan run: ./vendor/bin/phpstan --error-format=github ================================================ FILE: .github/workflows/run-tests.yml ================================================ name: Run Tests - Current on: - push - pull_request jobs: test: runs-on: ubuntu-latest strategy: fail-fast: false matrix: php: [8.5, 8.4] laravel: ["^13", "^12"] dependency-version: [prefer-stable, prefer-lowest] include: - laravel: "^13" testbench: 11.* - laravel: "^12" testbench: 10.* name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.dependency-version }} steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php }} extensions: curl, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, iconv coverage: none - name: Install dependencies run: | composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" "symfony/console:>=4.3.4" "mockery/mockery:^1.3.2" "nesbot/carbon:>=2.72.6" --no-interaction --no-update composer update --${{ matrix.dependency-version }} --prefer-dist --no-interaction - name: Execute tests run: vendor/bin/pest ================================================ FILE: .github/workflows/test-cache-drivers.yml ================================================ name: "Run Tests - Cache Drivers" on: [push, pull_request] jobs: cache: runs-on: ubuntu-latest services: redis: image: redis ports: - 6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 strategy: fail-fast: false name: Cache Drivers steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: 8.4 extensions: curl, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, iconv, memcache coverage: none - name: Install dependencies run: | composer require "predis/predis" --no-interaction --no-update composer update --prefer-stable --prefer-dist --no-interaction - name: Execute tests - memcached cache driver run: | vendor/bin/pest env: CACHE_DRIVER: memcached - name: Execute tests - redis cache driver run: | vendor/bin/pest env: CACHE_DRIVER: redis REDIS_PORT: ${{ job.services.redis.ports['6379'] }} - name: Execute tests - database cache driver run: | vendor/bin/pest env: CACHE_DRIVER: database - name: Execute tests - file cache driver run: | vendor/bin/pest env: CACHE_DRIVER: file - name: Execute tests - array cache driver run: | vendor/bin/pest env: CACHE_DRIVER: array ================================================ FILE: .github/workflows/update-changelog.yml ================================================ name: "Update Changelog" on: release: types: [released] jobs: update: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 with: ref: main - name: Update Changelog uses: stefanzweifel/changelog-updater-action@v1 with: latest-version: ${{ github.event.release.name }} release-notes: ${{ github.event.release.body }} - name: Commit updated CHANGELOG uses: stefanzweifel/git-auto-commit-action@v7 with: branch: main commit_message: Update CHANGELOG file_pattern: CHANGELOG.md ================================================ FILE: .gitignore ================================================ build composer.lock vendor tests/temp .idea .phpunit.cache .phpunit.result.cache .php-cs-fixer.cache tests/TestSupport/CreatePermissionCustomTables.php ================================================ FILE: CHANGELOG.md ================================================ # Changelog All notable changes to `laravel-permission` will be documented in this file ## 7.2.4 - 2026-03-17 ### What's Changed * Internals only. * Bump ramsey/composer-install from 3 to 4 by @dependabot[bot] in https://github.com/spatie/laravel-permission/pull/2936 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/7.2.3...7.2.4 ## 6.25.0 - 2026-03-17 ### What's Changed * Add Laravel 13 compatibility to old branch, so that 3rd party packages can support L13 without urgent upgrading * Convert test suite from PHPUnit to Pest by @freekmurze in https://github.com/spatie/laravel-permission/pull/2912 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.24.1...6.25.0 ## 7.2.3 - 2026-02-23 - Update config comments to point to new v7 event class names ## 7.2.2 - 2026-02-22 ### What's Changed * Clear wildcard permission index when assigning or removing roles by @freekmurze in https://github.com/spatie/laravel-permission/pull/2925 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/7.2.1...7.2.2 ## 7.2.1 - 2026-02-21 ### What's Changed - Add Laravel 13 support - Upgrade to laravel/passport ^13.0 - Drop prefer-lowest from CI matrix ## 7.2.0 - 2026-02-18 ### What's Changed * Fix: do not treat string '0' as empty role/permission input by @laraib15 in https://github.com/spatie/laravel-permission/pull/2916 ### New Contributors * @laraib15 made their first contribution in https://github.com/spatie/laravel-permission/pull/2916 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/7.1.0...7.2.0 ## 7.1.0 - 2026-02-14 ### What's Changed * [v7] Bring back support for PHP 8.3 by @ssw1cblarrion in https://github.com/spatie/laravel-permission/pull/2918 ### New Contributors * @ssw1cblarrion made their first contribution in https://github.com/spatie/laravel-permission/pull/2918 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/7.0.0...7.1.0 ## 7.0.0 - 2026-02-11 ### Modernize codebase for v7 The aim for v7 is to modernize the codebase while keeping the upgrade path easy. Modern PHP/Laravel features, Pest tests, but no big architectural changes. A future v8 could then tackle larger changes and streamline the package more fundamentally. #### Version requirements - Requires PHP ^8.4 and Laravel ^12.0 - Test suite uses Pest ^3.0 #### Service provider - Converted to `PackageServiceProvider` from `spatie/laravel-package-tools` - Removed Lumen support #### Class renames - Event classes now have an `Event` suffix (`PermissionAttached` → `PermissionAttachedEvent`, etc.) - Command classes now have a `Command` suffix (`CacheReset` → `CacheResetCommand`, etc.) #### Type safety - Added return types and parameter types throughout traits, middleware, exceptions, contracts, and commands #### Code modernization - `is_a($this, X::class)` → `$this instanceof X` - `get_class($obj)` → `$obj::class` - `strpos($x, $y) !== false` → `str_contains($x, $y)` - Constructor promotion in `WildcardPermission` - Proper `use` imports for global classes #### Cleanup - Removed deprecated `clearClassPermissions()` method - Removed `__construct` from `Wildcard` contract - Modernized migration stubs #### Testing - Converted entire test suite from PHPUnit to Pest (#2912) **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.24.1...7.0.0 ## 6.24.1 - 2026-02-09 ### What's Changed * Add team support to permission:assign-role command by @freekmurze in https://github.com/spatie/laravel-permission/pull/2910 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.24.0...6.24.1 ## 6;24.1 - 2026-02-09 ### What's Changed * Add team support to permission:assign-role command by @freekmurze in https://github.com/spatie/laravel-permission/pull/2910 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.24.0...6;24.1 ## 6.24.0 - 2025-12-13 ### What's Changed * Add BackedEnum Support to RoleOrPermissionMiddleware by @imhayatunnabi in https://github.com/spatie/laravel-permission/pull/2890 * Add Missing roleOrPermission() route macro by @imhayatunnabi in https://github.com/spatie/laravel-permission/pull/2893 * PHP 8.5: Fix deprecated usage of `null` as array key by @jnoordsij in https://github.com/spatie/laravel-permission/pull/2904 ### Internals/Testing * Skip prefer-lowest dependency version for Laravel 11 by @drbyte in https://github.com/spatie/laravel-permission/pull/2903 * Bump actions/checkout from 5 to 6 by @dependabot[bot] in https://github.com/spatie/laravel-permission/pull/2901 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.23.0...6.24.0 ## 6.23.0 - 2025-11-03 ### What's Changed * Performance enhancement: Reduce unnecessary container resolution calls by @imhayatunnabi in https://github.com/spatie/laravel-permission/pull/2889 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.22.0...6.23.0 ## 6.22.0 - 2025-10-27 ### What's Changed * Dispatch RoleDetached on syncRoles when events are enabled by @josedaian in https://github.com/spatie/laravel-permission/pull/2869 * Refactor exception handling in migration stub by @alisalehi1380 in https://github.com/spatie/laravel-permission/pull/2886 * Fix TOCTOU race condition in permission loading for concurrent (Octane etc) environments by @imhayatunnabi in https://github.com/spatie/laravel-permission/pull/2883 * Add assign-role command by @sediqzada94 in https://github.com/spatie/laravel-permission/pull/2834 * Test PHP 8.5 by @erikn69 in https://github.com/spatie/laravel-permission/pull/2880 * Bump stefanzweifel/git-auto-commit-action from 6 to 7 by @dependabot[bot] in https://github.com/spatie/laravel-permission/pull/2882 * Update issue template by @AlexVanderbist in https://github.com/spatie/laravel-permission/pull/2875 * Bump actions/checkout from 4 to 5 by @dependabot[bot] in https://github.com/spatie/laravel-permission/pull/2870 * Quick Panel (TALL Flowbite Starter Kit) by @aliqasemzadeh in https://github.com/spatie/laravel-permission/pull/2881 ### New Contributors * @josedaian made their first contribution in https://github.com/spatie/laravel-permission/pull/2869 * @alisalehi1380 made their first contribution in https://github.com/spatie/laravel-permission/pull/2886 * @imhayatunnabi made their first contribution in https://github.com/spatie/laravel-permission/pull/2883 * @sediqzada94 made their first contribution in https://github.com/spatie/laravel-permission/pull/2834 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.21.0...6.22.0 ## 6.21.0 - 2025-07-23 ### What's Changed * Allow removing multiple roles with the `removeRole` method by @TobMoeller in https://github.com/spatie/laravel-permission/pull/2859 * [Docs] Correct middleware order for documentation example in `teams-permissions.md` by @dualklip in https://github.com/spatie/laravel-permission/pull/2863 ### New Contributors * @dualklip made their first contribution in https://github.com/spatie/laravel-permission/pull/2863 * @TobMoeller made their first contribution in https://github.com/spatie/laravel-permission/pull/2859 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.20.0...6.21.0 ## 6.20.0 - 2025-06-14 ### What's Changed * Add translations support for exception messages by @nAa6666 in https://github.com/spatie/laravel-permission/pull/2852 ### New Contributors * @nAa6666 made their first contribution in https://github.com/spatie/laravel-permission/pull/2852 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.19.0...6.20.0 ## 6.19.0 - 2025-05-31 ### What's Changed * Revert "Remove `collectPermissions` that is not being assigned" by @erikn69 in https://github.com/spatie/laravel-permission/pull/2851 * Fix guard_name not used to set default attribute in Role and Permission model by @Ken-vdE in https://github.com/spatie/laravel-permission/pull/2837 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.18.0...6.19.0 ## 6.18.0 - 2025-05-14 ### What's Changed * refactor exception throwing in migration file to use throw_if() by @ccaioadriano in https://github.com/spatie/laravel-permission/pull/2819 * Fix: Example in config comment includes `permission.` prefix on `wildcard_permission` key by @jerrens in https://github.com/spatie/laravel-permission/pull/2835 * Fix commented config key typo by @erikn69 in https://github.com/spatie/laravel-permission/pull/2844 * Remove `collectPermissions` that is not being assigned by @JHWelch in https://github.com/spatie/laravel-permission/pull/2840 * [Docs] Update multiple-guards.md by @Ken-vdE in https://github.com/spatie/laravel-permission/pull/2836 * [Docs] Remove extra period by @coreyhn in https://github.com/spatie/laravel-permission/pull/2841 * Add JetAdmin as UI Option. by @aliqasemzadeh in https://github.com/spatie/laravel-permission/pull/2814 ### New Contributors * @ccaioadriano made their first contribution in https://github.com/spatie/laravel-permission/pull/2819 * @coreyhn made their first contribution in https://github.com/spatie/laravel-permission/pull/2841 * @jerrens made their first contribution in https://github.com/spatie/laravel-permission/pull/2835 * @Ken-vdE made their first contribution in https://github.com/spatie/laravel-permission/pull/2836 * @JHWelch made their first contribution in https://github.com/spatie/laravel-permission/pull/2840 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.17.0...6.18.0 ## 6.17.0 - 2025-04-09 ### What's Changed * Route macro functions: add backed enum support by @Yi-pixel in https://github.com/spatie/laravel-permission/pull/2823 ### New Contributors * @Yi-pixel made their first contribution in https://github.com/spatie/laravel-permission/pull/2823 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.16.0...6.17.0 ## 6.16.0 - 2025-02-28 ### What's Changed * Middleware: support enums in role/permission middleware by @marklawntalk in https://github.com/spatie/laravel-permission/pull/2813 ### New Contributors * @marklawntalk made their first contribution in https://github.com/spatie/laravel-permission/pull/2813 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.15.0...6.16.0 ## 6.15.0 - 2025-02-17 ### What's Changed * Added 4 events for adding and removing roles or permissions by @sven-wegner in https://github.com/spatie/laravel-permission/pull/2742 * Fixed bug of loading user roles of different teams to current team by @mohamedds-12 in https://github.com/spatie/laravel-permission/pull/2803 ### New Contributors * @sven-wegner made their first contribution in https://github.com/spatie/laravel-permission/pull/2742 * @mohamedds-12 made their first contribution in https://github.com/spatie/laravel-permission/pull/2803 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.14.0...6.15.0 ## 6.14.0 - 2025-02-13 ### What's Changed * LDAP model lookup from Auth Provider by @crossplatformconsulting in https://github.com/spatie/laravel-permission/pull/2750 ### Internals * Add PHPUnit annotations, for future compatibility with PHPUnit 12 by @drbyte in https://github.com/spatie/laravel-permission/pull/2806 ### New Contributors * @crossplatformconsulting made their first contribution in https://github.com/spatie/laravel-permission/pull/2750 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.13.0...6.14.0 ## 6.13.0 - 2025-02-05 ### What's Changed * LazyLoading: Explicitly call `loadMissing('permissions')` when the relation is needed, and test with `Model::preventLazyLoading()` by @erikn69 in https://github.com/spatie/laravel-permission/pull/2776 * [Docs] Add instructions to reinitialize cache for multi-tenancy key settings when updating multiple tenants in a single request cycle, by @sudkumar in https://github.com/spatie/laravel-permission/pull/2804 ### New Contributors * @sudkumar made their first contribution in https://github.com/spatie/laravel-permission/pull/2804 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.12.0...6.13.0 ## 6.12.0 - 2025-01-31 ### What's Changed * Support Laravel 12 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.11.0...6.12.0 ## 6.11.0 - 2025-01-30 ### What's Changed * Add configurable team resolver for permission team id (helpful for Jetstream, etc) by @adrenallen in https://github.com/spatie/laravel-permission/pull/2790 ### Internals * Replace php-cs-fixer with Laravel Pint by @bobbrodie in https://github.com/spatie/laravel-permission/pull/2780 ### Documentation Updates * [Docs] Include namespace in example in uuid.md by @ken-tam in https://github.com/spatie/laravel-permission/pull/2764 * [Docs] Include Laravel 11 example in exceptions.md by @frankliniwobi in https://github.com/spatie/laravel-permission/pull/2768 * [Docs] Fix typo in code example in passport.md by @m3skalina in https://github.com/spatie/laravel-permission/pull/2782 * [Docs] Correct username in new-app.md by @trippodi in https://github.com/spatie/laravel-permission/pull/2785 * [Docs] Add composer specificity by @imanghafoori1 in https://github.com/spatie/laravel-permission/pull/2772 * [Docs] Update installation-laravel.md to fix providers.php location. by @curiousteam in https://github.com/spatie/laravel-permission/pull/2796 ### New Contributors * @ken-tam made their first contribution in https://github.com/spatie/laravel-permission/pull/2764 * @frankliniwobi made their first contribution in https://github.com/spatie/laravel-permission/pull/2768 * @bobbrodie made their first contribution in https://github.com/spatie/laravel-permission/pull/2780 * @m3skalina made their first contribution in https://github.com/spatie/laravel-permission/pull/2782 * @trippodi made their first contribution in https://github.com/spatie/laravel-permission/pull/2785 * @imanghafoori1 made their first contribution in https://github.com/spatie/laravel-permission/pull/2772 * @curiousteam made their first contribution in https://github.com/spatie/laravel-permission/pull/2796 * @adrenallen made their first contribution in https://github.com/spatie/laravel-permission/pull/2790 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.10.1...6.11.0 ## 6.10.1 - 2024-11-08 ### What's Changed * Fix #2749 regression bug in `6.10.0` : "Can no longer delete permissions" by @erikn69 in https://github.com/spatie/laravel-permission/pull/2759 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.10.0...6.10.1 ## 6.10.0 - 2024-11-05 ### What's Changed * Fix `GuardDoesNotMatch should accept collection` by @erikn69 in https://github.com/spatie/laravel-permission/pull/2748 * Improve performance for hydrated collections by @inserve-paul in https://github.com/spatie/laravel-permission/pull/2749 * Only show error if `cache key exists` and `forgetCachedPermissions` fails by @erikn69 in https://github.com/spatie/laravel-permission/pull/2707 * Remove v5 cache fallback alias by @drbyte in https://github.com/spatie/laravel-permission/pull/2754 * Include `Larastan` in `dev` by @drbyte in https://github.com/spatie/laravel-permission/pull/2755 #### Docs * [Docs example] Check for 'all' or 'any' permissions before specific permissions by @ceilidhboy in https://github.com/spatie/laravel-permission/pull/2694 * [Docs] Fix typo in uuid.md by @levizoesch in https://github.com/spatie/laravel-permission/pull/2705 * [Docs] Upgrade Guide - Add PR links to upgrade guide by @mraheelkhan in https://github.com/spatie/laravel-permission/pull/2716 * [Docs] use more modern syntax for nullable return type by @galangaidilakbar in https://github.com/spatie/laravel-permission/pull/2719 * [Docs] camelCase variable naming in example by @KamilWojtalak in https://github.com/spatie/laravel-permission/pull/2723 * [Docs] Update using-policies.md by @marcleonhard in https://github.com/spatie/laravel-permission/pull/2741 * [Docs] Example of pushing custom middleware before SubstituteBindings middleware by @WyattCast44 in https://github.com/spatie/laravel-permission/pull/2740 #### Other * PHP 8.4 tests by @erikn69 in https://github.com/spatie/laravel-permission/pull/2747 * Fix comment typo by @machacekmartin in https://github.com/spatie/laravel-permission/pull/2753 ### New Contributors * @ceilidhboy made their first contribution in https://github.com/spatie/laravel-permission/pull/2694 * @levizoesch made their first contribution in https://github.com/spatie/laravel-permission/pull/2705 * @galangaidilakbar made their first contribution in https://github.com/spatie/laravel-permission/pull/2719 * @KamilWojtalak made their first contribution in https://github.com/spatie/laravel-permission/pull/2723 * @marcleonhard made their first contribution in https://github.com/spatie/laravel-permission/pull/2741 * @WyattCast44 made their first contribution in https://github.com/spatie/laravel-permission/pull/2740 * @inserve-paul made their first contribution in https://github.com/spatie/laravel-permission/pull/2749 * @machacekmartin made their first contribution in https://github.com/spatie/laravel-permission/pull/2753 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.9.0...6.10.0 ## 6.9.0 - 2024-06-22 ### What's Changed * Use `->withPivot()` for teamed relationships (allows `getPivotColumns()`) by @juliangums in https://github.com/spatie/laravel-permission/pull/2679 * Update docblock on `$role->hasPermissionTo()` to include `BackedEnum` by @drbyte co-authored by @SanderMuller * [Docs] Clarify that `$guard_name` can be an array by @angelej in https://github.com/spatie/laravel-permission/pull/2659 * Fix misc typos in changelog by @szepeviktor in https://github.com/spatie/laravel-permission/pull/2686 ### New Contributors * @angelej made their first contribution in https://github.com/spatie/laravel-permission/pull/2659 * @SanderMuller made their first contribution in #2676 * @szepeviktor made their first contribution in https://github.com/spatie/laravel-permission/pull/2686 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.8.0...6.9.0 ## 6.8.0 - 2024-06-21 ### What's Changed * Fix can't save the same model twice by @erikn69 in https://github.com/spatie/laravel-permission/pull/2658 * Fix phpstan from #2616 by @erikn69 in https://github.com/spatie/laravel-permission/pull/2685 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.7.0...6.8.0 ## 6.7.0 - 2024-04-19 ### What's Changed - Fixed remaining Octane event contract. Update to #2656 in release `6.5.0` **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.6.0...6.7.0 ## 6.6.0 - 2024-04-19 ### What's Changed * Roles: Support for casting role names to enums by @gajosadrian in https://github.com/spatie/laravel-permission/pull/2616 * Fix permission:show UUID error #2581 by @drbyte in https://github.com/spatie/laravel-permission/pull/2582 * Cover WildcardPermission instance verification based on its own guard (Allow hasAllPermissions and hasAnyPermission to run on custom guard for WildcardPermission) by @AlexandreBellas in https://github.com/spatie/laravel-permission/pull/2608 * Register Laravel "About" details by @drbyte in https://github.com/spatie/laravel-permission/pull/2584 ### New Contributors * @gajosadrian made their first contribution in https://github.com/spatie/laravel-permission/pull/2616 * @AlexandreBellas made their first contribution in https://github.com/spatie/laravel-permission/pull/2608 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.5.0...6.6.0 ## 6.5.0 - 2024-04-18 ### What's Changed * Octane: Fix wrong event listener by @erikn69 in https://github.com/spatie/laravel-permission/pull/2656 * Teams: Add nullable team_id by @Androlax2 in https://github.com/spatie/laravel-permission/pull/2607 * Blade: simplify the definition of multiple Blade "if" directives by @alissn in https://github.com/spatie/laravel-permission/pull/2628 * DocBlocks: Update HasPermissions::collectPermissions() docblock by @Plytas in https://github.com/spatie/laravel-permission/pull/2641 #### Internals * Update role-permissions.md by @killjin in https://github.com/spatie/laravel-permission/pull/2631 * Bump ramsey/composer-install from 2 to 3 by @dependabot in https://github.com/spatie/laravel-permission/pull/2630 * Bump dependabot/fetch-metadata from 1 to 2 by @dependabot in https://github.com/spatie/laravel-permission/pull/2642 ### New Contributors * @alissn made their first contribution in https://github.com/spatie/laravel-permission/pull/2628 * @Androlax2 made their first contribution in https://github.com/spatie/laravel-permission/pull/2607 * @Plytas made their first contribution in https://github.com/spatie/laravel-permission/pull/2641 * @killjin made their first contribution in https://github.com/spatie/laravel-permission/pull/2631 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.4.0...6.5.0 ## 6.4.0 - 2024-02-28 * Laravel 11 Support ### What's Changed * Add Laravel 11 to workflow run tests by @mraheelkhan in https://github.com/spatie/laravel-permission/pull/2605 * And Passport 12 ### Internals * Update to use Larastan Org by @arnebr in https://github.com/spatie/laravel-permission/pull/2585 * laravel-pint-action to major version tag by @erikn69 in https://github.com/spatie/laravel-permission/pull/2586 ### New Contributors * @arnebr made their first contribution in https://github.com/spatie/laravel-permission/pull/2585 * @mraheelkhan made their first contribution in https://github.com/spatie/laravel-permission/pull/2605 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.3.0...6.4.0 ## 6.3.0 - 2023-12-24 ### What's Changed * Octane Fix: Clear wildcard permissions on Tick in https://github.com/spatie/laravel-permission/pull/2583 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.2.0...6.3.0 ## 6.2.0 - 2023-12-09 ### What's Changed * Skip duplicates on sync (was triggering Integrity Constraint Violation error) by @erikn69 in https://github.com/spatie/laravel-permission/pull/2574 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.1.0...6.2.0 ## 6.1.0 - 2023-11-09 ### What's Changed - Reset teamId on Octane by @erikn69 in https://github.com/spatie/laravel-permission/pull/2547 NOTE: The `\Spatie\Permission\Listeners\OctaneReloadPermissions` listener introduced in 6.0.0 is removed in 6.1.0, because the logic is directly incorporated into the ServiceProvider now. Thanks @jameshulse for the heads-up and code-review. **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.0.1...6.1.0 ## 6.0.1 - 2023-11-06 ### What's Changed - Provide a default team_foreign_key value in case config file isn't upgraded yet or teams feature is unused. Fixes #2535 - [Docs] Update unsetRelation() example in teams-permissions.md by @shdehnavi in https://github.com/spatie/laravel-permission/pull/2534 - [Docs] Update link in direct-permissions.md by @sevannerse in https://github.com/spatie/laravel-permission/pull/2539 ### New Contributors - @sevannerse made their first contribution in https://github.com/spatie/laravel-permission/pull/2539 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/6.0.0...6.0.1 ## 6.0.0 - 2023-10-25 ### What's Changed - Full uuid/guid/ulid support by @erikn69 in https://github.com/spatie/laravel-permission/pull/2089 - Refactor: Change static properties to non-static by @olivernybroe in https://github.com/spatie/laravel-permission/pull/2324 - Fix Role::withCount if belongsToMany declared by @xenaio-daniil in https://github.com/spatie/laravel-permission/pull/2280 - Fix: Lazily bind dependencies by @olivernybroe in https://github.com/spatie/laravel-permission/pull/2321 - Avoid loss of all permissions/roles pivots on sync error by @erikn69 in https://github.com/spatie/laravel-permission/pull/2341 - Fix delete permissions on Permissions Model by @erikn69 in https://github.com/spatie/laravel-permission/pull/2366 - Detach users on role/permission physical deletion by @erikn69 in https://github.com/spatie/laravel-permission/pull/2370 - Rename clearClassPermissions method to clearPermissionsCollection by @erikn69 in https://github.com/spatie/laravel-permission/pull/2369 - Use anonymous migrations (for L8+) by @erikn69 in https://github.com/spatie/laravel-permission/pull/2374 - [BC] Return string on getPermissionClass(), getRoleClass() by @erikn69 in https://github.com/spatie/laravel-permission/pull/2368 - Only offer publishing when running in console by @erikn69 in https://github.com/spatie/laravel-permission/pull/2377 - Don't add commands in web interface context by @angeljqv in https://github.com/spatie/laravel-permission/pull/2405 - [BC] Fix Role->hasPermissionTo() signature to match HasPermissions trait by @erikn69 in https://github.com/spatie/laravel-permission/pull/2380 - Force that getPermissionsViaRoles, hasPermissionViaRole must be used only by authenticable by @erikn69 in https://github.com/spatie/laravel-permission/pull/2382 - fix BadMethodCallException: undefined methods hasAnyRole, hasAnyPermissions by @erikn69 in https://github.com/spatie/laravel-permission/pull/2381 - Add PHPStan workflow with fixes by @erikn69 in https://github.com/spatie/laravel-permission/pull/2376 - Add BackedEnum support by @drbyte in https://github.com/spatie/laravel-permission/pull/2391 - Drop PHP 7.3 support by @angeljqv in https://github.com/spatie/laravel-permission/pull/2388 - Drop PHP 7.4 support by @drbyte in https://github.com/spatie/laravel-permission/pull/2485 - Test against PHP 8.3 by @erikn69 in https://github.com/spatie/laravel-permission/pull/2512 - Fix call to an undefined method Role::getRoleClass by @erikn69 in https://github.com/spatie/laravel-permission/pull/2411 - Remove force loading model relationships by @erikn69 in https://github.com/spatie/laravel-permission/pull/2412 - Test alternate cache drivers by @erikn69 in https://github.com/spatie/laravel-permission/pull/2416 - Use attach instead of sync on traits by @erikn69 in https://github.com/spatie/laravel-permission/pull/2420 - Fewer sqls in syncRoles, syncPermissions by @erikn69 in https://github.com/spatie/laravel-permission/pull/2423 - Add middleware using static method by @jnoordsij in https://github.com/spatie/laravel-permission/pull/2424 - Update PHPDocs for IDE autocompletion by @erikn69 in https://github.com/spatie/laravel-permission/pull/2437 - [BC] Wildcard permissions algorithm performance improvements (ALERT: Breaking Changes) by @danharrin in https://github.com/spatie/laravel-permission/pull/2445 - Add withoutRole and withoutPermission scopes by @drbyte in https://github.com/spatie/laravel-permission/pull/2463 - Add support for service-to-service Passport client by @SuperDJ in https://github.com/spatie/laravel-permission/pull/2467 - Register OctaneReloadPermissions listener for Laravel Octane by @erikn69 in https://github.com/spatie/laravel-permission/pull/2403 - Add guard name to exceptions by @drbyte in https://github.com/spatie/laravel-permission/pull/2481 - Update contracts to allow for UUID by @drbyte in https://github.com/spatie/laravel-permission/pull/2480 - Avoid triggering eloquent.retrieved event by @erikn69 in https://github.com/spatie/laravel-permission/pull/2498 - [BC] Rename "Middlewares" namespace to "Middleware" by @drbyte in https://github.com/spatie/laravel-permission/pull/2499 - `@haspermission` directive by @axlwild in https://github.com/spatie/laravel-permission/pull/2515 - Add guard parameter to can() by @drbyte in https://github.com/spatie/laravel-permission/pull/2526 ### New Contributors - @xenaio-daniil made their first contribution in https://github.com/spatie/laravel-permission/pull/2280 - @JensvandeWiel made their first contribution in https://github.com/spatie/laravel-permission/pull/2336 - @fsamapoor made their first contribution in https://github.com/spatie/laravel-permission/pull/2361 - @yungifez made their first contribution in https://github.com/spatie/laravel-permission/pull/2394 - @HasanEksi made their first contribution in https://github.com/spatie/laravel-permission/pull/2418 - @jnoordsij made their first contribution in https://github.com/spatie/laravel-permission/pull/2424 - @danharrin made their first contribution in https://github.com/spatie/laravel-permission/pull/2445 - @SuperDJ made their first contribution in https://github.com/spatie/laravel-permission/pull/2467 - @ChillMouse made their first contribution in https://github.com/spatie/laravel-permission/pull/2438 - @Okipa made their first contribution in https://github.com/spatie/laravel-permission/pull/2492 - @edalzell made their first contribution in https://github.com/spatie/laravel-permission/pull/2494 - @sirosfakhri made their first contribution in https://github.com/spatie/laravel-permission/pull/2501 - @juliangums made their first contribution in https://github.com/spatie/laravel-permission/pull/2516 - @nnnnnnnngu made their first contribution in https://github.com/spatie/laravel-permission/pull/2524 - @axlwild made their first contribution in https://github.com/spatie/laravel-permission/pull/2515 - @shdehnavi made their first contribution in https://github.com/spatie/laravel-permission/pull/2527 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.11.1...6.0.0 ## 5.11.1 - 2023-10-25 No functional changes. Just several small updates to the Documentation. **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.11.0...5.11.1 ## 5.11.0 - 2023-08-30 ### What's Changed - [V5] Avoid triggering `eloquent.retrieved` event by @erikn69 in https://github.com/spatie/laravel-permission/pull/2490 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.10.2...5.11.0 ## 5.10.2 - 2023-07-04 ### What's Changed - Fix Eloquent Strictness on `permission:show` Command by @erikn69 in https://github.com/spatie/laravel-permission/pull/2457 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.10.1...5.10.2 ## 5.10.1 - 2023-04-12 ### What's Changed - [V5] Fix artisan command `permission:show` output of roles with underscores by @erikn69 in https://github.com/spatie/laravel-permission/pull/2396 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.10.0...5.10.1 ## 5.10.0 - 2023-03-22 ### What's Changed - Fix delete permissions on Permissions Model by @erikn69 in https://github.com/spatie/laravel-permission/pull/2366 ## 5.9.1 - 2023-02-06 Apologies for the break caused by 5.9.0 ! ### Reverted Lazy binding of dependencies. - Revert "fix: Lazily bind dependencies", originally #2309 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.9.0...5.9.1 ## 5.9.0 - 2023-02-06 ### What's Changed - Add `permission-` prefix to publish tag names by @sedehi in https://github.com/spatie/laravel-permission/pull/2301 - Fix detaching user models on teams feature #2220 by @erikn69 in https://github.com/spatie/laravel-permission/pull/2221 - Hint model properties by @AJenbo in https://github.com/spatie/laravel-permission/pull/2230 - Custom wildcard verification/separators support by @erikn69 in https://github.com/spatie/laravel-permission/pull/2252 - fix: Lazily bind dependencies by @olivernybroe in https://github.com/spatie/laravel-permission/pull/2309 - Extract query to `getPermissionsWithRoles` method. by @xiCO2k in https://github.com/spatie/laravel-permission/pull/2316 - This will allow to extend the PermissionRegistrar class and change the query. ### New Contributors - @sedehi made their first contribution in https://github.com/spatie/laravel-permission/pull/2301 - @parallels999 made their first contribution in https://github.com/spatie/laravel-permission/pull/2265 - @AJenbo made their first contribution in https://github.com/spatie/laravel-permission/pull/2230 - @olivernybroe made their first contribution in https://github.com/spatie/laravel-permission/pull/2309 - @xiCO2k made their first contribution in https://github.com/spatie/laravel-permission/pull/2316 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.8.0...5.9.0 ## 5.8.0 - 2023-01-14 ### What's Changed - Laravel 10.x Support by @erikn69 in https://github.com/spatie/laravel-permission/pull/2298 #### Administrative - [Docs] Link updated to match name change of related tool repo by @aliqasemzadeh in https://github.com/spatie/laravel-permission/pull/2253 - Fix tests badge by @erikn69 in https://github.com/spatie/laravel-permission/pull/2300 - Add Laravel Pint Support by @patinthehat in https://github.com/spatie/laravel-permission/pull/2269 - Normalize composer.json by @patinthehat in https://github.com/spatie/laravel-permission/pull/2259 - Add Dependabot Automation by @patinthehat in https://github.com/spatie/laravel-permission/pull/2257 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.7.0...5.8.0 ## 5.7.0 - 2022-11-23 ### What's Changed - [Bugfix] Avoid checking permissions-via-roles on `Role` model (ref `Model::preventAccessingMissingAttributes()`) by @juliomotol in https://github.com/spatie/laravel-permission/pull/2227 ### New Contributors - @juliomotol made their first contribution in https://github.com/spatie/laravel-permission/pull/2227 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.6.0...5.7.0 ## 5.6.0 - 2022-11-19 ### What's Changed - No longer throws an exception when checking `hasAllPermissions()` if the permission name does not exist by @mtawil in https://github.com/spatie/laravel-permission/pull/2248 ### Doc Updates - [Docs] Add syncPermissions() in role-permissions.md by @xorinzor in https://github.com/spatie/laravel-permission/pull/2235 - [Docs] Fix broken Link that link to freek's blog post by @chengkangzai in https://github.com/spatie/laravel-permission/pull/2234 ### New Contributors - @xorinzor made their first contribution in https://github.com/spatie/laravel-permission/pull/2235 - @chengkangzai made their first contribution in https://github.com/spatie/laravel-permission/pull/2234 - @mtawil made their first contribution in https://github.com/spatie/laravel-permission/pull/2248 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.16...5.6.0 ## 5.5.16 - 2022-10-23 ### What's Changed - optimize `for` loop in WildcardPermission by @SubhanSh in https://github.com/spatie/laravel-permission/pull/2113 ### New Contributors - @SubhanSh made their first contribution in https://github.com/spatie/laravel-permission/pull/2113 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.15...5.5.16 ## 5.5.15 - 2022-10-23 Autocomplete all Blade directives via Laravel Idea plugin ### What's Changed - Autocomplete all Blade directives via Laravel Idea plugin by @maartenpaauw in https://github.com/spatie/laravel-permission/pull/2210 - Add tests for display roles/permissions on UnauthorizedException by @erikn69 in https://github.com/spatie/laravel-permission/pull/2228 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.14...5.5.15 ## 5.5.14 - 2022-10-21 FIXED BREAKING CHANGE. (Sorry about that!) ### What's Changed - Revert "Avoid calling the config helper in the role/perm model constructor" by @drbyte in https://github.com/spatie/laravel-permission/pull/2225 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.13...5.5.14 ## 5.5.13 - 2022-10-21 ### What's Changed - fix UnauthorizedException: Wrong configuration was used in forRoles by @Sy-Dante in https://github.com/spatie/laravel-permission/pull/2224 ### New Contributors - @Sy-Dante made their first contribution in https://github.com/spatie/laravel-permission/pull/2224 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.12...5.5.13 ## 5.5.12 - 2022-10-19 Fix regression introduced in `5.5.10` ### What's Changed - Fix undefined index guard_name by @erikn69 in https://github.com/spatie/laravel-permission/pull/2219 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.11...5.5.12 ## 5.5.11 - 2022-10-19 ### What's Changed - Support static arrays on blade directives by @erikn69 in https://github.com/spatie/laravel-permission/pull/2168 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.10...5.5.11 ## 5.5.10 - 2022-10-19 ### What's Changed - Avoid calling the config helper in the role/perm model constructor by @adiafora in https://github.com/spatie/laravel-permission/pull/2098 as discussed in https://github.com/spatie/laravel-permission/issues/2097 regarding `DI` ### New Contributors - @adiafora made their first contribution in https://github.com/spatie/laravel-permission/pull/2098 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.9...5.5.10 ## 5.5.9 - 2022-10-19 Compatibility Bugfix ### What's Changed - Prevent `MissingAttributeException` for `guard_name` by @ejunker in https://github.com/spatie/laravel-permission/pull/2216 ### New Contributors - @ejunker made their first contribution in https://github.com/spatie/laravel-permission/pull/2216 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.8...5.5.9 ## 5.5.8 - 2022-10-19 `HasRoles` trait ### What's Changed - Fix returning all roles instead of the assigned by @erikn69 in https://github.com/spatie/laravel-permission/pull/2194 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.7...5.5.8 ## 5.5.7 - 2022-10-19 Optimize HasPermissions trait ### What's Changed - Delegate permission collection filter to another method by @angeljqv in https://github.com/spatie/laravel-permission/pull/2182 - Delegate permission filter to another method by @angeljqv in https://github.com/spatie/laravel-permission/pull/2183 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.6...5.5.7 ## 5.5.6 - 2022-10-19 Just a maintenance release. ### What's Changed - Actions: add PHP 8.2 Build by @erikn69 in https://github.com/spatie/laravel-permission/pull/2214 - Docs: Fix small syntax error in teams-permissions.md by @miten5 in https://github.com/spatie/laravel-permission/pull/2171 - Docs: Update documentation for multiple guards by @gms8994 in https://github.com/spatie/laravel-permission/pull/2169 - Docs: Make Writing Policies link clickable by @maartenpaauw in https://github.com/spatie/laravel-permission/pull/2202 - Docs: Add note about non-standard User models by @androidacy-user in https://github.com/spatie/laravel-permission/pull/2179 - Docs: Fix explanation of results for hasAllDirectPermissions in role-permission.md by @drdan18 in https://github.com/spatie/laravel-permission/pull/2139 - Docs: Add ULIDs reference by @erikn69 in https://github.com/spatie/laravel-permission/pull/2213 ### New Contributors - @miten5 made their first contribution in https://github.com/spatie/laravel-permission/pull/2171 - @gms8994 made their first contribution in https://github.com/spatie/laravel-permission/pull/2169 - @maartenpaauw made their first contribution in https://github.com/spatie/laravel-permission/pull/2202 - @androidacy-user made their first contribution in https://github.com/spatie/laravel-permission/pull/2179 - @drdan18 made their first contribution in https://github.com/spatie/laravel-permission/pull/2139 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.5...5.5.6 ## 5.5.5 - 2022-06-29 ### What's Changed - Custom primary keys tests(Only tests) by @erikn69 in https://github.com/spatie/laravel-permission/pull/2096 - [PHP 8.2] Fix `${var}` string interpolation deprecation by @Ayesh in https://github.com/spatie/laravel-permission/pull/2117 - Use `getKey`, `getKeyName` instead of `id` by @erikn69 in https://github.com/spatie/laravel-permission/pull/2116 - On WildcardPermission class use static instead of self for extending by @erikn69 in https://github.com/spatie/laravel-permission/pull/2111 - Clear roles array after hydrate from cache by @angeljqv in https://github.com/spatie/laravel-permission/pull/2099 ### New Contributors - @Ayesh made their first contribution in https://github.com/spatie/laravel-permission/pull/2117 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.4...5.5.5 ## 5.5.4 - 2022-05-16 ## What's Changed - Support custom primary key names on models by @erikn69 in https://github.com/spatie/laravel-permission/pull/2092 - Fix UuidTrait on uuid doc page by @abhishekpaul in https://github.com/spatie/laravel-permission/pull/2094 - Support custom fields on cache by @erikn69 in https://github.com/spatie/laravel-permission/pull/2091 ## New Contributors - @abhishekpaul made their first contribution in https://github.com/spatie/laravel-permission/pull/2094 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.3...5.5.4 ## 5.5.3 - 2022-05-05 ## What's Changed - Update .gitattributes by @angeljqv in https://github.com/spatie/laravel-permission/pull/2065 - Remove double semicolon from add_teams_fields.php.stub by @morganarnel in https://github.com/spatie/laravel-permission/pull/2067 - [V5] Allow revokePermissionTo to accept Permission[] by @erikn69 in https://github.com/spatie/laravel-permission/pull/2014 - [V5] Improve typing in role's findById and findOrCreate method by @itsfaqih in https://github.com/spatie/laravel-permission/pull/2022 - [V5] Cache loader improvements by @erikn69 in https://github.com/spatie/laravel-permission/pull/1912 ## New Contributors - @morganarnel made their first contribution in https://github.com/spatie/laravel-permission/pull/2067 - @itsfaqih made their first contribution in https://github.com/spatie/laravel-permission/pull/2022 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.2...5.5.3 ## 5.5.2 - 2022-03-09 ## What's Changed - [Fixes BIG bug] register blade directives after resolving blade compiler by @tabacitu in https://github.com/spatie/laravel-permission/pull/2048 ## New Contributors - @tabacitu made their first contribution in https://github.com/spatie/laravel-permission/pull/2048 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.1...5.5.2 ## 5.5.1 - 2022-03-03 ## What's Changed - Spelling correction by @gergo85 in https://github.com/spatie/laravel-permission/pull/2024 - update broken link to laravel exception by @kingzamzon in https://github.com/spatie/laravel-permission/pull/2023 - Fix Blade Directives incompatibility with renderers by @erikn69 in https://github.com/spatie/laravel-permission/pull/2039 ## New Contributors - @gergo85 made their first contribution in https://github.com/spatie/laravel-permission/pull/2024 - @kingzamzon made their first contribution in https://github.com/spatie/laravel-permission/pull/2023 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.5.0...5.5.1 ## 5.5.0 - 2022-01-11 - add support for Laravel 9 ## 5.4.0 - 2021-11-17 ## What's Changed - Add support for PHP 8.1 by @freekmurze in https://github.com/spatie/laravel-permission/pull/1926 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.3.2...5.4.0 ## 5.3.2 - 2021-11-17 ## What's Changed - [V5] Support for custom key names on Role,Permission by @erikn69 in https://github.com/spatie/laravel-permission/pull/1913 **Full Changelog**: https://github.com/spatie/laravel-permission/compare/5.3.1...5.3.2 ## 5.3.1 - 2021-11-04 - Fix hints, support int on scopePermission (#1908) ## 5.3.0 - 2021-10-29 - Option for custom logic for checking permissions (#1891) ## 5.2.0 - 2021-10-28 - [V5] Fix detaching on all teams instead of only current #1888 by @erikn69 in https://github.com/spatie/laravel-permission/pull/1890 - [V5] Add uuid compatibility support on teams by @erikn69 in https://github.com/spatie/laravel-permission/pull/1857 - Adds setRoleClass method to PermissionRegistrar by @timschwartz in https://github.com/spatie/laravel-permission/pull/1867 - Load permissions for preventLazyLoading by @bahramsadin in https://github.com/spatie/laravel-permission/pull/1884 - [V5] Doc for `Super Admin` on teams by @erikn69 in https://github.com/spatie/laravel-permission/pull/1845 ## 5.1.1 - 2021-09-01 - Avoid Roles over-hydration #1834 ## 5.1.0 - 2021-08-31 - No longer flush cache on User role/perm assignment changes #1832 - NOTE: You should test your app to be sure that you don't accidentally have deep dependencies on cache resets happening automatically in these cases. - ALSO NOTE: If you have added custom code which depended on these flush operations, you may need to add your own cache-reset calls. ## 5.0.0 - 2021-08-31 - Change default-guard-lookup to prefer current user's guard (see BC note in #1817 ) - Teams/Groups feature (see docs, or PR #1804) - Customized pivots instead of `role_id`,`permission_id` #1823 ## 4.4.1 - 2021-09-01 - Avoid Roles over-hydration #1834 ## 4.4.0 - 2021-08-28 - Avoid BC break (removed interface change) on cache change added in 4.3.0 #1826 - Made cache even smaller #1826 - Avoid re-sync on non-persisted objects when firing Eloquent::saved #1819 ## 4.3.0 - 2021-08-17 - Speed up permissions cache lookups, and make cache smaller #1799 ## 4.2.0 - 2021-06-04 - Add hasExactRoles method #1696 ## 4.1.0 - 2021-06-01 - Refactor to resolve guard only once during middleware - Refactor service provider by extracting some methods ## 4.0.1 - 2021-03-22 - Added note in migration for field lengths on MySQL 8. (either shorten the columns to 125 or use InnoDB) ## 4.0.0 - 2021-01-27 - Drop support on Laravel 5.8 #1615 - Fix bug when adding roles to a model that doesn't yet exist #1663 - Enforce unique constraints on database level #1261 - Changed PermissionRegistrar::initializeCache() public to allow reinitializing cache in custom situations. #1521 - Use Eloquent\Collection instead of Support\Collection for consistency, collection merging, etc #1630 This package now requires PHP 7.2.5 and Laravel 6.0 or higher. If you are on a PHP version below 7.2.5 or a Laravel version below 6.0 you can use an older version of this package. ## 3.18.0 - 2020-11-27 - Allow PHP 8.0 ## 3.17.0 - 2020-09-16 - Optional `$guard` parameter may be passed to `RoleMiddleware`, `PermissionMiddleware`, and `RoleOrPermissionMiddleware`. See #1565 ## 3.16.0 - 2020-08-18 - Added Laravel 8 support ## 3.15.0 - 2020-08-15 - Change `users` relationship type to BelongsToMany ## 3.14.0 - 2020-08-15 - Declare table relations earlier to improve guarded/fillable detection accuracy (relates to Aug 2020 Laravel security patch) ## 3.13.0 - 2020-05-19 - Provide migration error text to stop caching local config when installing packages. ## 3.12.0 - 2020-05-14 - Add missing config setting for `display_role_in_exception` - Ensure artisan `permission:show` command uses configured models ## 3.11.0 - 2020-03-03 - Allow guardName() as a function with priority over $guard_name property #1395 ## 3.10.1 - 2020-03-03 - Update patch to handle intermittent error in #1370 ## 3.10.0 - 2020-03-02 - Ugly patch to handle intermittent error: `Trying to access array offset on value of type null` in #1370 ## 3.9.0 - 2020-02-26 - Add Wildcard Permissions feature #1381 (see PR or docs for details) ## 3.8.0 - 2020-02-18 - Clear in-memory permissions on boot, for benefit of long running processes like Swoole. #1378 ## 3.7.2 - 2020-02-17 - Refine test for Lumen dependency. Ref #1371, Fixes #1372. ## 3.7.1 - 2020-02-15 - Internal refactoring of scopes to use whereIn instead of orWhere #1334, #1335 - Internal refactoring to flatten collection on splat #1341 ## 3.7.0 - 2020-02-15 - Added methods to check any/all when querying direct permissions #1245 - Removed older Lumen dependencies #1371 ## 3.6.0 - 2020-01-17 - Added Laravel 7.0 support - Allow splat operator for passing roles to `hasAnyRole()` ## 3.5.0 - 2020-01-07 - Added missing `guardName` to Exception `PermissionDoesNotExist` #1316 ## 3.4.1 - 2019-12-28 - Fix 3.4.0 for Lumen ## 3.4.0 - 2019-12-27 - Make compatible with Swoole - ie: for long-running Laravel instances ## 3.3.1 - 2019-12-24 - Expose Artisan commands to app layer, not just to console ## 3.3.0 - 2019-11-22 - Remove duplicate and unreachable code - Remove checks for older Laravel versions ## 3.2.0 - 2019-10-16 - Implementation of optional guard check for hasRoles and hasAllRoles - See #1236 ## 3.1.0 - 2019-10-16 - Use bigIncrements/bigInteger in migration - See #1224 ## 3.0.0 - 2019-09-02 - Update dependencies to allow for Laravel 6.0 - Drop support for Laravel 5.7 and older, and PHP 7.1 and older. (They can use v2 of this package until they upgrade.) - To be clear: v3 requires minimum Laravel 5.8 and PHP 7.2 ## 2.38.0 - 2019-09-02 - Allow support for multiple role/permission models - Load roles relationship only when missing - Wrap helpers in function_exists() check ## 2.37.0 - 2019-04-09 - Added `permission:show` CLI command to display a table of roles/permissions - `removeRole` now returns the model, consistent with other methods - model `$guarded` properties updated to `protected` - README updates ## 2.36.1 - 2019-03-05 - reverts the changes made in 2.36.0 due to some reported breaks. ## 2.36.0 - 2019-03-04 - improve performance by reducing another iteration in processing query results and returning earlier ## 2.35.0 - 2019-03-01 - overhaul internal caching strategy for better performance and fix cache miss when permission names contained spaces - deprecated hasUncachedPermissionTo() (use hasPermissionTo() instead) - added getPermissionNames() method ## 2.34.0 - 2019-02-26 - Add explicit pivotKeys to roles/permissions BelongsToMany relationships ## 2.33.0 - 2019-02-20 - Laravel 5.8 compatibility ## 2.32.0 - 2019-02-13 - Fix duplicate permissions being created through artisan command ## 2.31.0 - 2019-02-03 - Add custom guard query to role scope - Remove use of array_wrap helper function due to future deprecation ## 2.30.0 - 2019-01-28 - Change cache config time to DateInterval instead of integer This is in preparation for compatibility with Laravel 5.8's cache TTL change to seconds instead of minutes. NOTE: If you leave your existing `config/permission.php` file alone, then with Laravel 5.8 the `60 * 24` will change from being treated as 24 hours to just 24 minutes. Depending on your app, this may or may not make a significant difference. Updating your config file to a specific DateInterval will add specificity and insulate you from the TTL change in Laravel 5.8. Refs: https://laravel-news.com/cache-ttl-change-coming-to-laravel-5-8 https://github.com/laravel/framework/commit/fd6eb89b62ec09df1ffbee164831a827e83fa61d ## 2.29.0 - 2018-12-15 - Fix bound `saved` event from firing on all subsequent models when calling assignRole or givePermissionTo on unsaved models. However, it is preferable to save the model first, and then add roles/permissions after saving. See #971. ## 2.28.2 - 2018-12-10 - Use config settings for cache reset in migration stub ## 2.28.1 - 2018-12-07 - Remove use of Cache facade, for Lumen compatibility ## 2.28.0 - 2018-11-30 - Rename `getCacheKey` method in HasPermissions trait to `getPermissionCacheKey` for clearer specificity. ## 2.27.0 - 2018-11-21 - Add ability to specify a cache driver for roles/permissions caching ## 2.26.2 - 2018-11-20 - Added the ability to reset the permissions cache via an Artisan command: - `php artisan permission:cache-reset` ## 2.26.1 - 2018-11-19 - minor update to de-duplicate code overhead - numerous internal updates to cache tests infrastructure ## 2.26.0 - 2018-11-19 - Substantial speed increase by caching the associations between models and permissions ### NOTES: The following changes are not "breaking", but worth making the updates to your app for consistency. 1. Config file: The `config/permission.php` file changed to move cache-related settings into a sub-array. **You should review the changes and merge the updates into your own config file.** Specifically the `expiration_time` value has moved into a sub-array entry, and the old top-level entry is no longer used. 2. See the original config file here: 3. https://github.com/spatie/laravel-permission/blob/main/config/permission.php 4. 5. Cache Resets: If your `app` or `tests` are clearing the cache by specifying the cache key, **it is better to use the built-in forgetCachedPermissions() method** so that it properly handles tagged cache entries. Here is the recommended change: 6. ```diff - app()['cache']->forget('spatie.permission.cache'); + $this->app->make(\Spatie\Permission\PermissionRegistrar::class)->forgetCachedPermissions(); ``` 1. Also this is a good time to point out that now with v2.25.0 and v2.26.0 most permission-cache-reset scenarios may no longer be needed in your app, so it's worth reviewing those cases, as you may gain some app speed improvement by removing unnecessary cache resets. ## 2.25.0 - 2018-11-07 - A model's `roles` and `permissions` relations (respectively) are now automatically reloaded after an Assign/Remove role or Grant/Revoke of permissions. This means there's no longer a need to call `->fresh()` on the model if the only reason is to reload the role/permission relations. (That said, you may want to call it for other reasons.) - Added support for passing id to HasRole() ## 2.24.0 - 2018-11-06 - Fix operator used on RoleOrPermissionMiddleware, and avoid throwing PermissionDoesNotExist if invalid permission passed - Auto-reload model role relation after using AssignRole - Avoid empty permission creation when using the CreateRole command ## 2.23.0 - 2018-10-15 - Avoid unnecessary queries of user roles when fetching all permissions ## 2.22.1 - 2018-10-15 - Fix Lumen issue with Route helper added in 2.22.0 ## 2.22.0 - 2018-10-11 - Added `Route::role()` and `Route::permission()` middleware helper functions - Added new `role_or_permission` middleware to allow specifying "or" combinations ## 2.21.0 - 2018-09-29 - Revert changes from 2.17.1 in order to support Lumen 5.7 ## 2.20.0 - 2018-09-19 - It will sync roles/permissions to models that are not persisted, by registering a `saved` callback. - (It would previously throw an Integrity constraint violation QueryException on the pivot table insertion.) ## 2.19.2 - 2018-09-19 - add `@elserole` directive: - Usage: ```php @role('roleA') // user hasRole 'roleA' @elserole('roleB') // user hasRole 'roleB' but not 'roleA' @endrole ``` ## 2.19.1 - 2018-09-14 - Spark-related fix to accommodate missing guard[providers] config ## 2.19.0 - 2018-09-10 - Add ability to pass in IDs or mixed values to `role` scope - Add `@unlessrole`/`@endunlessrole` Blade directives ## 2.18.0 - 2018-09-06 - Expanded CLI `permission:create-role` command to create optionally create-and-link permissions in one command. Also now no longer throws an error if the role already exists. ## 2.17.1 - 2018-08-28 - Require laravel/framework instead of illuminate/* starting from ~5.4.0 - Removed old dependency for illuminate/database@~5.3.0 (Laravel 5.3 is not supported) ## 2.17.0 - 2018-08-24 - Laravel 5.7 compatibility ## 2.16.0 - 2018-08-20 - Replace static Permission::class and Role::class with dynamic value (allows custom models more easily) - Added type checking in hasPermissionTo and hasDirectPermission ## 2.15.0 - 2018-08-15 - Make assigning the same role or permission twice not throw an exception ## 2.14.0 - 2018-08-13 - Allow using another key name than `model_id` by defining new `columns` array with `model_morph_key` key in config file. This improves UUID compatibility as discussed in #777. ## 2.13.0 - 2018-08-02 - Fix issue with null values passed to syncPermissions & syncRoles ## 2.12.2 - 2018-06-13 - added hasAllPermissions method ## 2.12.1 - 2018-04-23 - Reverted 2.12.0. REVERTS: "Add ability to pass guard name to gate methods like can()". Requires reworking of guard handling if we're going to add this feature. ## 2.12.0 - 2018-04-22 - Add ability to pass guard name to gate methods like can() ## 2.11.0 - 2018-04-16 - Improve speed of permission lookups with findByName, findById, findOrCreate ## 2.10.0 - 2018-04-15 - changes the type-hinted Authenticatable to Authorizable in the PermissionRegistrar. - (Previously it was expecting models to implement the Authenticatable contract; but really that should have been Authorizable, since that's where the Gate functionality really is.) ## 2.9.2 - 2018-03-12 - Now findOrCreate() exists for both Roles and Permissions - Internal code refactoring for future dev work ## 2.9.1 - 2018-02-23 - Permissions now support passing integer id for sync, find, hasPermissionTo and hasDirectPermissionTo ## 2.9.0 - 2018-02-07 - add compatibility with Laravel 5.6 - Allow assign/sync/remove Roles from Permission model ## 2.8.2 - 2018-02-07 - Allow a collection containing a model to be passed to role/permission scopes ## 2.8.1 - 2018-02-03 - Fix compatibility with Spark v2.0 to v5.0 ## 2.8.0 - 2018-01-25 - Support getting guard_name from extended model when using static methods ## 2.7.9 - 2018-01-23 Changes related to throwing UnauthorizedException: - When UnauthorizedException is thrown, a property is added with the expected role/permission which triggered it - A configuration option may be set to include the list of required roles/permissions in the message ## 2.7.8 - 2018-01-02 - REVERTED: Dynamic permission_id and role_id columns according to tables name - NOTE: This Dynamic field naming was a breaking change, so we've removed it for now. BEST NOT TO USE v2.7.7 if you've changed tablenames in the config file. ## 2.7.7 - 2017-12-31 - updated `HasPermissions::getStoredPermission` to allow a collection to be returned, and to fix query when passing multiple permissions - Give and revoke multiple permissions - Dynamic permission_id and role_id columns according to tables name - Add findOrCreate function to Permission model - Improved Lumen support - Allow guard name to be null for find role by id ## 2.7.6 - 2017-11-27 - added Lumen support - updated `HasRole::assignRole` and `HasRole::syncRoles` to accept role id's in addition to role names as arguments ## 2.7.5 - 2017-10-26 - fixed `Gate::before` for custom gate callbacks ## 2.7.4 - 2017-10-26 - added cache clearing command in `up` migration for permission tables - use config_path helper for better Lumen support ## 2.7.3 - 2017-10-21 - refactor middleware to throw custom `UnauthorizedException` (which raises an HttpException with 403 response) - The 403 response is backward compatible ## 2.7.2 - 2017-10-18 - refactor `PermissionRegistrar` to use `$gate->before()` - removed `log_registration_exception` as it is no longer relevant ## 2.7.1 - 2017-10-12 - fixed a bug where `Role`s and `Permission`s got detached when soft deleting a model ## 2.7.0 - 2017-09-27 - add support for L5.3 ## 2.6.0 - 2017-09-10 - add `permission` scope ## 2.5.4 - 2017-09-07 - register the blade directives in the register method of the service provider ## 2.5.3 - 2017-09-07 - register the blade directives in the boot method of the service provider ## 2.5.2 - 2017-09-05 - let middleware use caching ## 2.5.1 - 2017-09-02 - add getRoleNames() method to return a collection of assigned roles ## 2.5.0 - 2017-08-30 - add compatibility with Laravel 5.5 ## 2.4.2 - 2017-08-11 - automatically detach roles and permissions when a user gets deleted ## 2.4.1 - 2017-08-05 - fix processing of pipe symbols in `@hasanyrole` and `@hasallroles` Blade directives ## 2.4.0 -2017-08-05 - add `PermissionMiddleware` and `RoleMiddleware` ## 2.3.2 - 2017-07-28 - allow `hasAnyPermission` to take an array of permissions ## 2.3.1 - 2017-07-27 - fix commands not using custom models ## 2.3.0 - 2017-07-25 - add `create-permission` and `create-role` commands ## 2.2.0 - 2017-07-01 - `hasanyrole` and `hasallrole` can accept multiple roles ## 2.1.6 - 2017-06-06 - fixed a bug where `hasPermissionTo` wouldn't use the right guard name ## 2.1.5 - 2017-05-17 - fixed a bug that didn't allow you to assign a role or permission when using multiple guards ## 2.1.4 - 2017-05-10 - add `model_type` to the primary key of tables that use a polymorphic relationship ## 2.1.3 - 2017-04-21 - fixed a bug where the role()/permission() relation to user models would be saved incorrectly - added users() relation on Permission and Role ## 2.1.2 - 2017-04-20 - fix a bug where the `role()`/`permission()` relation to user models would be saved incorrectly - add `users()` relation on `Permission` and `Role` ## 2.0.2 - 2017-04-13 - check for duplicates when adding new roles and permissions ## 2.0.1 - 2017-04-11 - fix the order of the `foreignKey` and `relatedKey` in the relations ## 2.0.0 - 2017-04-10 - Requires minimum Laravel 5.4 - cache expiration is now configurable and set to one day by default - roles and permissions can now be assigned to any model through the `HasRoles` trait - removed deprecated `hasPermission` method - renamed config file from `laravel-permission` to `permission`. ## 1.17.0 - 2018-08-24 - added support for Laravel 5.7 ## 1.16.0 - 2018-02-07 - added support for Laravel 5.6 ## 1.15 - 2017-12-08 - allow `hasAnyPermission` to take an array of permissions ## 1.14.1 - 2017-10-26 - fixed `Gate::before` for custom gate callbacks ## 1.14.0 - 2017-10-18 - refactor `PermissionRegistrar` to use `$gate->before()` - removed `log_registration_exception` as it is no longer relevant ## 1.13.0 - 2017-08-31 - added compatibility for Laravel 5.5 ## 1.12.0 - made foreign key name to users table configurable ## 1.11.1 - `hasPermissionTo` uses the cache to avoid extra queries when it is called multiple times ## 1.11.0 - add `getDirectPermissions`, `getPermissionsViaRoles`, `getAllPermissions` ## 1.10.0 - 2017-02-22 - add `hasAnyPermission` ## 1.9.0 - 2017-02-20 - add `log_registration_exception` in settings file - fix for ambiguous column name `id` when using the role scope ## 1.8.0 - 2017-02-09 - `hasDirectPermission` method is now public ## 1.7.0 - 2016-01-23 - added support for Laravel 5.4 ## 1.6.1 - 2016-01-19 - make exception logging more verbose ## 1.6.0 - 2016-12-27 - added `Role` scope ## 1.5.3 - 2016-12-15 - moved some things to `boot` method in SP to solve some compatibility problems with other packages ## 1.5.2 - 2016-08-26 - make compatible with L5.3 ## 1.5.1 - 2016-07-23 - fixes `givePermissionTo` and `assignRole` in Laravel 5.1 ## 1.5.0 - 2016-07-23 ** this version does not work in Laravel 5.1, please upgrade to version 1.5.1 of this package - allowed `givePermissionTo` to accept multiple permissions - allowed `assignRole` to accept multiple roles - added `syncPermissions`-method - added `syncRoles`-method - dropped support for PHP 5.5 and HHVM ## 1.4.0 - 2016-05-08 - added `hasPermissionTo` function to the `Role` model ## 1.3.4 - 2016-02-27 - `hasAnyRole` can now properly process an array ## 1.3.3 - 2016-02-24 - `hasDirectPermission` can now accept a string ## 1.3.2 - 2016-02-23 - fixed user table configuration ## 1.3.1 - 2016-01-10 - fixed bug when testing for non existing permissions ## 1.3.0 - 2015-12-25 - added compatibility for Laravel 5.2 ## 1.2.1 - 2015-12-22 - use database_path to publish migrations ## 1.2.0 - 2015-10-28 ###Added - support for custom models ## 1.1.0 - 2015-10-12 ### Added - Blade directives - `hasAllRoles()`- and `hasAnyRole()`-functions ## 1.0.2 - 2015-10-11 ### Fixed - Fix for running phpunit locally ## 1.0.1 - 2015-09-30 ### Fixed - Fixed the inconsistent naming of the `hasPermission`-method. ## 1.0.0 - 2015-09-16 ### Added - Everything, initial release ================================================ FILE: LICENSE.md ================================================ The MIT License (MIT) Copyright (c) Spatie bvba Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================
Logo for laravel-permission

Associate users with permissions and roles

[![Latest Version on Packagist](https://img.shields.io/packagist/v/spatie/laravel-permission.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-permission) [![GitHub Tests Action Status](https://img.shields.io/github/actions/workflow/status/spatie/laravel-permission/run-tests.yml?branch=main&label=Tests)](https://github.com/spatie/laravel-permission/actions?query=workflow%3ATests+branch%3Amain) [![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-permission.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-permission)
## Documentation, Installation, and Usage Instructions See the [documentation](https://spatie.be/docs/laravel-permission/) for detailed installation and usage instructions. ## What It Does This package allows you to manage user permissions and roles in a database. Once installed you can do stuff like this: ```php // Adding permissions to a user $user->givePermissionTo('edit articles'); // Adding permissions via a role $user->assignRole('writer'); $role->givePermissionTo('edit articles'); ``` Because all permissions will be registered on [Laravel's gate](https://laravel.com/docs/authorization), you can check if a user has a permission with Laravel's default `can` function: ```php $user->can('edit articles'); ``` ## Support us [](https://spatie.be/github-ad-click/laravel-permission) We invest a lot of resources into creating [best in class open source packages](https://spatie.be/open-source). You can support us by [buying one of our paid products](https://spatie.be/open-source/support-us). We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on [our contact page](https://spatie.be/about-us). We publish all received postcards on [our virtual postcard wall](https://spatie.be/open-source/postcards). ## Changelog Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently. ## Contributing Please see [CONTRIBUTING](https://github.com/spatie/.github/blob/main/CONTRIBUTING.md) for details. ### Testing ``` bash composer test ``` ### Security If you discover any security-related issues, please email [security@spatie.be](mailto:security@spatie.be) instead of using the issue tracker. ## Postcardware You're free to use this package, but if it makes it to your production environment we highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. Our address is: Spatie, Kruikstraat 22, 2018 Antwerp, Belgium. We publish all received postcards [on our company website](https://spatie.be/en/opensource/postcards). ## Credits - [Chris Brown](https://github.com/drbyte) - [Freek Van der Herten](https://github.com/freekmurze) - [All Contributors](../../contributors) This package is heavily based on [Jeffrey Way](https://twitter.com/jeffrey_way)'s awesome [Laracasts](https://laracasts.com) lessons on [permissions and roles](https://laracasts.com/series/whats-new-in-laravel-5-1/episodes/16). His original code can be found [in this repo on GitHub](https://github.com/laracasts/laravel-5-roles-and-permissions-demo). Special thanks to [Alex Vanderbist](https://github.com/AlexVanderbist) who greatly helped with `v2`, and to [Chris Brown](https://github.com/drbyte) for his longtime support helping us maintain the package. Special thanks to [Caneco](https://twitter.com/caneco) for the original logo. ## Alternatives - [Povilas Korop](https://twitter.com/@povilaskorop) did an excellent job listing the alternatives [in an article on Laravel News](https://laravel-news.com/two-best-roles-permissions-packages). In that same article, he compares laravel-permission to [Joseph Silber](https://github.com/JosephSilber)'s [Bouncer]((https://github.com/JosephSilber/bouncer)), which in our book is also an excellent package. - [santigarcor/laratrust](https://github.com/santigarcor/laratrust) implements team support - [ultraware/roles](https://github.com/ultraware/roles) (archived) takes a slightly different approach to its features. - [zizaco/entrust](https://github.com/zizaco/entrust) offers some wildcard pattern matching ## License The MIT License (MIT). Please see [License File](LICENSE.md) for more information. ================================================ FILE: art/README.md ================================================

# Laravel Permission Art The logo was inspired by the [Spatie](https://spatie.be) brand, and the well known minimal design of Laravel packages. ## Fonts The logo is using the following fonts: - [Inter 500](https://fonts.google.com/specimen/Inter#500) - [Inter 600](https://fonts.google.com/specimen/Inter#600) ## Colors | |#hex |rgb() | |--- |--- |--- | |![100](/art/palette/100.png)|`#E8F1F4`|`rgb(232,241,244)`| |![200](/art/palette/200.png)|`#C6DDE4`|`rgb(198,221,228)`| |![300](/art/palette/300.png)|`#A3C8D4`|`rgb(163,200,212)`| |![400](/art/palette/400.png)|`#5E9EB3`|`rgb(94,158,179)` | |![500](/art/palette/500.png)|`#197593`|`rgb(25,117,147)` | |![600](/art/palette/600.png)|`#176984`|`rgb(23,105,132)` | |![700](/art/palette/700.png)|`#0F4658`|`rgb(15,70,88)` | |![800](/art/palette/800.png)|`#0B3542`|`rgb(11,53,66)` | |![900](/art/palette/900.png)|`#08232C`|`rgb(8,35,44)` | ## Requirements - A screen or a printer ## Installation - Open the file - *Right-click* on the image - Choose **"Save image as…"** option ## Maintainers **Laravel Permission** logo is designed and maintained by [Caneco](https://twitter.com/caneco). ## License All rights reserved, but with the following extra conditions: - It is **OK** to use the Laravel Permission logo in the following cases: - In marketing materials for technical events, e.g. meetups, hackathons, conferences and workshops that are related to Laravel. - In open source projects related to Laravel. - In technical articles/videos/books/papers for educational purposes. - To illustrate a commercial product. - It is **NOT OK** to use the Laravel Permission logo in the following cases without prior written consent from the copyright owners: - Using the Laravel Permission logo in a commercial product for purposes other than illustrating its integration. - Sell physical products that uses the Laravel Permission logo or its variants, e.g. t-shirts. By any means the owner reserves the right of final explanation for any use case not explicitly stated above. ================================================ FILE: composer.json ================================================ { "name": "spatie/laravel-permission", "description": "Permission handling for Laravel 12 and up", "license": "MIT", "keywords": [ "spatie", "laravel", "permission", "permissions", "roles", "acl", "rbac", "security" ], "authors": [ { "name": "Freek Van der Herten", "email": "freek@spatie.be", "homepage": "https://spatie.be", "role": "Developer" } ], "homepage": "https://github.com/spatie/laravel-permission", "require": { "php": "^8.4", "illuminate/auth": "^12.0|^13.0", "illuminate/container": "^12.0|^13.0", "illuminate/contracts": "^12.0|^13.0", "illuminate/database": "^12.0|^13.0", "spatie/laravel-package-tools": "^1.0" }, "require-dev": { "larastan/larastan": "^3.9", "laravel/passport": "^13.0", "laravel/pint": "^1.0", "orchestra/testbench": "^10.0|^11.0", "pestphp/pest": "^3.0|^4.0", "pestphp/pest-plugin-laravel": "^3.0|^4.1", "phpstan/phpstan": "^2.1" }, "minimum-stability": "dev", "prefer-stable": true, "autoload": { "psr-4": { "Spatie\\Permission\\": "src" }, "files": [ "src/helpers.php" ] }, "autoload-dev": { "psr-4": { "Spatie\\Permission\\Tests\\": "tests" } }, "config": { "sort-packages": true, "allow-plugins": { "pestphp/pest-plugin": true } }, "extra": { "branch-alias": { "dev-main": "7.x-dev", "dev-master": "7.x-dev" }, "laravel": { "providers": [ "Spatie\\Permission\\PermissionServiceProvider" ] } }, "scripts": { "test": "pest", "format": "pint", "analyse": "echo 'Checking dependencies...' && composer require --dev larastan/larastan && phpstan analyse" } } ================================================ FILE: config/permission.php ================================================ [ /* * When using the "HasPermissions" trait from this package, we need to know which * Eloquent model should be used to retrieve your permissions. Of course, it * is often just the "Permission" model but you may use whatever you like. * * The model you want to use as a Permission model needs to implement the * `Spatie\Permission\Contracts\Permission` contract. */ 'permission' => Spatie\Permission\Models\Permission::class, /* * When using the "HasRoles" trait from this package, we need to know which * Eloquent model should be used to retrieve your roles. Of course, it * is often just the "Role" model but you may use whatever you like. * * The model you want to use as a Role model needs to implement the * `Spatie\Permission\Contracts\Role` contract. */ 'role' => Spatie\Permission\Models\Role::class, ], 'table_names' => [ /* * When using the "HasRoles" trait from this package, we need to know which * table should be used to retrieve your roles. We have chosen a basic * default value but you may easily change it to any table you like. */ 'roles' => 'roles', /* * When using the "HasPermissions" trait from this package, we need to know which * table should be used to retrieve your permissions. We have chosen a basic * default value but you may easily change it to any table you like. */ 'permissions' => 'permissions', /* * When using the "HasPermissions" trait from this package, we need to know which * table should be used to retrieve your models permissions. We have chosen a * basic default value but you may easily change it to any table you like. */ 'model_has_permissions' => 'model_has_permissions', /* * When using the "HasRoles" trait from this package, we need to know which * table should be used to retrieve your models roles. We have chosen a * basic default value but you may easily change it to any table you like. */ 'model_has_roles' => 'model_has_roles', /* * When using the "HasRoles" trait from this package, we need to know which * table should be used to retrieve your roles permissions. We have chosen a * basic default value but you may easily change it to any table you like. */ 'role_has_permissions' => 'role_has_permissions', ], 'column_names' => [ /* * Change this if you want to name the related pivots other than defaults */ 'role_pivot_key' => null, // default 'role_id', 'permission_pivot_key' => null, // default 'permission_id', /* * Change this if you want to name the related model primary key other than * `model_id`. * * For example, this would be nice if your primary keys are all UUIDs. In * that case, name this `model_uuid`. */ 'model_morph_key' => 'model_id', /* * Change this if you want to use the teams feature and your related model's * foreign key is other than `team_id`. */ 'team_foreign_key' => 'team_id', ], /* * When set to true, the method for checking permissions will be registered on the gate. * Set this to false if you want to implement custom logic for checking permissions. */ 'register_permission_check_method' => true, /* * When set to true, Laravel\Octane\Events\OperationTerminated event listener will be registered * this will refresh permissions on every TickTerminated, TaskTerminated and RequestTerminated * NOTE: This should not be needed in most cases, but an Octane/Vapor combination benefited from it. */ 'register_octane_reset_listener' => false, /* * Events will fire when a role or permission is assigned/unassigned: * \Spatie\Permission\Events\RoleAttachedEvent * \Spatie\Permission\Events\RoleDetachedEvent * \Spatie\Permission\Events\PermissionAttachedEvent * \Spatie\Permission\Events\PermissionDetachedEvent * * To enable, set to true, and then create listeners to watch these events. */ 'events_enabled' => false, /* * Teams Feature. * When set to true the package implements teams using the 'team_foreign_key'. * If you want the migrations to register the 'team_foreign_key', you must * set this to true before doing the migration. * If you already did the migration then you must make a new migration to also * add 'team_foreign_key' to 'roles', 'model_has_roles', and 'model_has_permissions' * (view the latest version of this package's migration file) */ 'teams' => false, /* * The class to use to resolve the permissions team id */ 'team_resolver' => \Spatie\Permission\DefaultTeamResolver::class, /* * Passport Client Credentials Grant * When set to true the package will use Passports Client to check permissions */ 'use_passport_client_credentials' => false, /* * When set to true, the required permission names are added to exception messages. * This could be considered an information leak in some contexts, so the default * setting is false here for optimum safety. */ 'display_permission_in_exception' => false, /* * When set to true, the required role names are added to exception messages. * This could be considered an information leak in some contexts, so the default * setting is false here for optimum safety. */ 'display_role_in_exception' => false, /* * By default wildcard permission lookups are disabled. * See documentation to understand supported syntax. */ 'enable_wildcard_permission' => false, /* * The class to use for interpreting wildcard permissions. * If you need to modify delimiters, override the class and specify its name here. */ // 'wildcard_permission' => Spatie\Permission\WildcardPermission::class, /* Cache-specific settings */ 'cache' => [ /* * By default all permissions are cached for 24 hours to speed up performance. * When permissions or roles are updated the cache is flushed automatically. */ 'expiration_time' => \DateInterval::createFromDateString('24 hours'), /* * The cache key used to store all permissions. */ 'key' => 'spatie.permission.cache', /* * You may optionally indicate a specific cache driver to use for permission and * role caching using any of the `store` drivers listed in the cache.php config * file. Using 'default' here means to use the `default` set in cache.php. */ 'store' => 'default', ], ]; ================================================ FILE: database/migrations/add_teams_fields.php.stub ================================================ unsignedBigInteger($columnNames['team_foreign_key'])->nullable()->after('id'); $table->index($columnNames['team_foreign_key'], 'roles_team_foreign_key_index'); $table->dropUnique('roles_name_guard_name_unique'); $table->unique([$columnNames['team_foreign_key'], 'name', 'guard_name']); }); } if (! Schema::hasColumn($tableNames['model_has_permissions'], $columnNames['team_foreign_key'])) { Schema::table($tableNames['model_has_permissions'], function (Blueprint $table) use ($tableNames, $columnNames, $pivotPermission) { $table->unsignedBigInteger($columnNames['team_foreign_key'])->default('1'); $table->index($columnNames['team_foreign_key'], 'model_has_permissions_team_foreign_key_index'); if (DB::getDriverName() !== 'sqlite') { $table->dropForeign([$pivotPermission]); } $table->dropPrimary(); $table->primary([$columnNames['team_foreign_key'], $pivotPermission, $columnNames['model_morph_key'], 'model_type'], 'model_has_permissions_permission_model_type_primary'); if (DB::getDriverName() !== 'sqlite') { $table->foreign($pivotPermission) ->references('id') ->on($tableNames['permissions']) ->cascadeOnDelete(); } }); } if (! Schema::hasColumn($tableNames['model_has_roles'], $columnNames['team_foreign_key'])) { Schema::table($tableNames['model_has_roles'], function (Blueprint $table) use ($tableNames, $columnNames, $pivotRole) { $table->unsignedBigInteger($columnNames['team_foreign_key'])->default('1'); $table->index($columnNames['team_foreign_key'], 'model_has_roles_team_foreign_key_index'); if (DB::getDriverName() !== 'sqlite') { $table->dropForeign([$pivotRole]); } $table->dropPrimary(); $table->primary([$columnNames['team_foreign_key'], $pivotRole, $columnNames['model_morph_key'], 'model_type'], 'model_has_roles_role_model_type_primary'); if (DB::getDriverName() !== 'sqlite') { $table->foreign($pivotRole) ->references('id') ->on($tableNames['roles']) ->cascadeOnDelete(); } }); } app('cache') ->store(config('permission.cache.store') != 'default' ? config('permission.cache.store') : null) ->forget(config('permission.cache.key')); } /** * Reverse the migrations. */ public function down(): void {} }; ================================================ FILE: database/migrations/create_permission_tables.php.stub ================================================ id(); // permission id $table->string('name'); $table->string('guard_name'); $table->timestamps(); $table->unique(['name', 'guard_name']); }); /** * See `docs/prerequisites.md` for suggested lengths on 'name' and 'guard_name' if "1071 Specified key was too long" errors are encountered. */ Schema::create($tableNames['roles'], static function (Blueprint $table) use ($teams, $columnNames) { $table->id(); // role id if ($teams || config('permission.testing')) { // permission.testing is a fix for sqlite testing $table->unsignedBigInteger($columnNames['team_foreign_key'])->nullable(); $table->index($columnNames['team_foreign_key'], 'roles_team_foreign_key_index'); } $table->string('name'); $table->string('guard_name'); $table->timestamps(); if ($teams || config('permission.testing')) { $table->unique([$columnNames['team_foreign_key'], 'name', 'guard_name']); } else { $table->unique(['name', 'guard_name']); } }); Schema::create($tableNames['model_has_permissions'], static function (Blueprint $table) use ($tableNames, $columnNames, $pivotPermission, $teams) { $table->unsignedBigInteger($pivotPermission); $table->string('model_type'); $table->unsignedBigInteger($columnNames['model_morph_key']); $table->index([$columnNames['model_morph_key'], 'model_type'], 'model_has_permissions_model_id_model_type_index'); $table->foreign($pivotPermission) ->references('id') // permission id ->on($tableNames['permissions']) ->cascadeOnDelete(); if ($teams) { $table->unsignedBigInteger($columnNames['team_foreign_key']); $table->index($columnNames['team_foreign_key'], 'model_has_permissions_team_foreign_key_index'); $table->primary([$columnNames['team_foreign_key'], $pivotPermission, $columnNames['model_morph_key'], 'model_type'], 'model_has_permissions_permission_model_type_primary'); } else { $table->primary([$pivotPermission, $columnNames['model_morph_key'], 'model_type'], 'model_has_permissions_permission_model_type_primary'); } }); Schema::create($tableNames['model_has_roles'], static function (Blueprint $table) use ($tableNames, $columnNames, $pivotRole, $teams) { $table->unsignedBigInteger($pivotRole); $table->string('model_type'); $table->unsignedBigInteger($columnNames['model_morph_key']); $table->index([$columnNames['model_morph_key'], 'model_type'], 'model_has_roles_model_id_model_type_index'); $table->foreign($pivotRole) ->references('id') // role id ->on($tableNames['roles']) ->cascadeOnDelete(); if ($teams) { $table->unsignedBigInteger($columnNames['team_foreign_key']); $table->index($columnNames['team_foreign_key'], 'model_has_roles_team_foreign_key_index'); $table->primary([$columnNames['team_foreign_key'], $pivotRole, $columnNames['model_morph_key'], 'model_type'], 'model_has_roles_role_model_type_primary'); } else { $table->primary([$pivotRole, $columnNames['model_morph_key'], 'model_type'], 'model_has_roles_role_model_type_primary'); } }); Schema::create($tableNames['role_has_permissions'], static function (Blueprint $table) use ($tableNames, $pivotRole, $pivotPermission) { $table->unsignedBigInteger($pivotPermission); $table->unsignedBigInteger($pivotRole); $table->foreign($pivotPermission) ->references('id') // permission id ->on($tableNames['permissions']) ->cascadeOnDelete(); $table->foreign($pivotRole) ->references('id') // role id ->on($tableNames['roles']) ->cascadeOnDelete(); $table->primary([$pivotPermission, $pivotRole], 'role_has_permissions_permission_id_role_id_primary'); }); app('cache') ->store(config('permission.cache.store') != 'default' ? config('permission.cache.store') : null) ->forget(config('permission.cache.key')); } /** * Reverse the migrations. */ public function down(): void { $tableNames = config('permission.table_names'); throw_if(empty($tableNames), 'Error: config/permission.php not found and defaults could not be merged. Please publish the package configuration before proceeding, or drop the tables manually.'); Schema::dropIfExists($tableNames['role_has_permissions']); Schema::dropIfExists($tableNames['model_has_roles']); Schema::dropIfExists($tableNames['model_has_permissions']); Schema::dropIfExists($tableNames['roles']); Schema::dropIfExists($tableNames['permissions']); } }; ================================================ FILE: docs/_index.md ================================================ --- title: v7 slogan: Associate users with roles and permissions githubUrl: https://github.com/spatie/laravel-permission branch: main --- ================================================ FILE: docs/about-us.md ================================================ --- title: About us --- [Spatie](https://spatie.be) is a webdesign agency based in Antwerp, Belgium. Open source software is used in all projects we deliver. Laravel, Nginx, Ubuntu are just a few of the free pieces of software we use every single day. For this, we are very grateful. When we feel we have solved a problem in a way that can help other developers, we release our code as open source software [on GitHub](https://spatie.be/opensource). This package is heavily based on [Jeffrey Way](https://twitter.com/jeffrey_way)'s awesome [Laracasts](https://laracasts.com) lessons on [permissions and roles](https://laracasts.com/series/whats-new-in-laravel-5-1/episodes/16). His original code can be found [in this repo on GitHub](https://github.com/laracasts/laravel-5-roles-and-permissions-demo). And newer lessons on [mastering permissions in Laravel](https://laracasts.com/series/mastering-permissions-in-laravel) talk about other ways to implement some of these features as well. Special thanks to [Alex Vanderbist](https://github.com/AlexVanderbist) who greatly helped with `v2`, and to [Chris Brown](https://github.com/drbyte) for his longtime support helping us maintain the package. ================================================ FILE: docs/advanced-usage/_index.md ================================================ --- title: Advanced usage weight: 3 --- ================================================ FILE: docs/advanced-usage/cache.md ================================================ --- title: Cache weight: 5 --- Role and Permission data are cached to speed up performance. ## Automatic Cache Refresh Using Built-In Functions When you **use the built-in functions** for manipulating roles and permissions, the cache is automatically reset for you, and relations are automatically reloaded for the current model record: ```php // When handling permissions assigned to roles: $role->givePermissionTo('edit articles'); $role->revokePermissionTo('edit articles'); $role->syncPermissions(params); // When linking roles to permissions: $permission->assignRole('writer'); $permission->removeRole('writer'); $permission->syncRoles(params); ``` HOWEVER, if you manipulate permission/role data directly in the database instead of calling the supplied methods, then you will not see the changes reflected in the application unless you manually reset the cache. Additionally, because the Role and Permission models are Eloquent models which implement the `RefreshesPermissionCache` trait, creating and deleting Roles and Permissions will automatically clear the cache. If you have created your own models which do not extend the default models then you will need to implement the trait yourself. **NOTE: User-specific role/permission assignments are kept in-memory.** Examples: ```php // These operations on a User do not call a cache-reset, because the User-related assignments are in-memory. $user->assignRole('writer'); $user->removeRole('writer'); $user->syncRoles(params); ``` ## Manual cache reset To manually reset the cache for this package, you can run the following in your app code: ```php app()->make(\Spatie\Permission\PermissionRegistrar::class)->forgetCachedPermissions(); ``` Or you can use an Artisan command: ```bash php artisan permission:cache-reset ``` (This command is effectively an alias for `artisan cache:forget spatie.permission.cache` but respects the package config as well.) ## Octane cache reset In many cases Octane will not need additional cache resets; however, if you find that cache results are stale or crossing over between requests, you can force a cache flush upon every Octane reset cycle by editing the `/config/permission.php` and setting `register_octane_reset_listener` to true. ## Cache Configuration Settings This package allows you to customize cache-related operations via its config file. In most cases the defaults are fine; however, in a multitenancy situation you may wish to do some cache-prefix overrides when switching tenants. See below for more details. ### Cache Expiration Time The default cache `expiration_time` is `24 hours`. If you wish to alter the expiration time you may do so in the `config/permission.php` file, in the `cache` array. ### Cache Key The default cache key is `spatie.permission.cache`. We recommend not changing the cache "key" name. Usually changing it is a bad idea. More likely setting the cache `prefix` is better, as mentioned below. ### Cache Identifier / Prefix Laravel Tip: If you are leveraging a caching service such as `redis` or `memcached` and there are other sites running on your server, you could run into cache clashes between apps. To prevent other applications from accidentally using/changing your cached data, it is prudent to set your own cache `prefix` in Laravel's `/config/cache.php` to something unique for each application which shares the same caching service. Most multi-tenant "packages" take care of this for you when switching tenants. Optionally you might need to change cache boot order by writing a custom [cache boostrapper](https://github.com/spatie/laravel-permission/discussions/2310#discussioncomment-10855389). Tip: Most parts of your multitenancy app will relate to a single tenant during a given request lifecycle, so the following step will not be needed: However, in the less-common situation where your app might be switching between multiple tenants during a single request lifecycle (specifically: where changing the cache key/prefix (such as when switching between tenants) or switching the cache store), then after switching tenants or changing the cache configuration you will need to reinitialize the cache of the `PermissionRegistrar` so that the updated `CacheStore` and cache configuration are used. ```php app()->make(\Spatie\Permission\PermissionRegistrar::class)->initializeCache(); ``` ### Custom Cache Store You can configure the package to use any of the Cache Stores you've configured in Laravel's `config/cache.php`. This way you can point this package's caching to its own specified resource. In `config/permission.php` set `cache.store` to the name of any one of the `config/cache.php` stores you've defined. ## Disabling Cache Setting `'cache.store' => 'array'` in `config/permission.php` will effectively disable caching by this package between requests (it will only cache in-memory until the current request is completed processing, never persisting it). Alternatively, in development mode you can bypass ALL of Laravel's caching between visits by setting `CACHE_DRIVER=array` in `.env`. You can see an example of this in the default `phpunit.xml` file that comes with a new Laravel install. Of course, don't do this in production though! ## File cache Store This situation is not specific to this package, but is mentioned here due to the common question being asked. If you are using the `File` cache Store and run into problems clearing the cache, it is most likely because your filesystem's permissions are preventing the PHP CLI from altering the cache files because the PHP-FPM process is running as a different user. Work with your server administrator to fix filesystem ownership on your cache files. ## Database cache Store TIP: If you have `CACHE_STORE=database` set in your `.env`, remember that [you must install Laravel's cache tables via a migration before performing any cache operations](https://laravel.com/docs/cache#prerequisites-database). If you fail to install those migrations, you'll run into errors like `Call to a member function perform() on null` when the cache store attempts to purge or update the cache. This package does strategic cache resets in various places, so may trigger that error if your app's cache dependencies aren't set up. ================================================ FILE: docs/advanced-usage/custom-permission-check.md ================================================ --- title: Custom Permission Check weight: 6 --- ## Default Permission Check Functionality By default, this package registers a `Gate::before()` method call on [Laravel's gate](https://laravel.com/docs/authorization). This method is responsible for checking if the user has the required permission or not, for calls to `can()` helpers and most `model policies`. Whether a user has a permission or not is determined by checking the user's permissions stored in the database. In the permission config file, `register_permission_check_method` is set to `true`, which means this package operates using the default behavior described above. Only set this to `false` if you want to bypass the default operation and implement your own custom logic for checking permissions, as described below. ## Using Custom Permission Check Functionality However, in some cases, you might want to implement custom logic for checking if the user has a permission or not. Let's say that your application uses access tokens for authentication and when issuing the tokens, you add a custom claim containing all the permissions the user has. In this case, if you want to check whether the user has the required permission or not based on the permissions in your custom claim in the access token, then you need to implement your own logic for handling this. You could, for example, create a `Gate::before()` method call to handle this: **/app/Providers/AppServiceProvider.php** ```php use Illuminate\Support\Facades\Gate; public function boot(): void { ... Gate::before(function ($user, $ability) { return $user->hasTokenPermission($ability) ?: null; }); } ``` Here `hasTokenPermission` is a **custom method you need to implement yourself, or call some other method on your model**. ================================================ FILE: docs/advanced-usage/events.md ================================================ --- title: Events weight: 5 --- By default Events are not enabled, because not all apps need to fire events related to roles and permissions. However, you may enable events by setting the `events_enabled => true` in `config/permission.php` Note that the events can receive the role or permission details as a model ID or as an Eloquent record, or as an array or collection of ids or records. Be sure to inspect the parameter before acting on it. ## Available Events The following events are available since `v7.0.0`: ``` \Spatie\Permission\Events\RoleAttachedEvent::class \Spatie\Permission\Events\RoleDetachedEvent::class \Spatie\Permission\Events\PermissionAttachedEvent::class \Spatie\Permission\Events\PermissionDetachedEvent::class ``` Between `v6.15.0` and `v7.0.0` the events did not have "Event" as a suffix, so they were: ``` \Spatie\Permission\Events\RoleAttached::class \Spatie\Permission\Events\RoleDetached::class \Spatie\Permission\Events\PermissionAttached::class \Spatie\Permission\Events\PermissionDetached::class ``` ================================================ FILE: docs/advanced-usage/exceptions.md ================================================ --- title: Exceptions weight: 3 --- If you need to override exceptions thrown by this package, you can simply use normal [Laravel practices for handling exceptions](https://laravel.com/docs/errors#rendering-exceptions). An example is shown below for your convenience, but nothing here is specific to this package other than the name of the exception. You can find all the exceptions added by this package in the code here: [https://github.com/spatie/laravel-permission/tree/main/src/Exceptions](https://github.com/spatie/laravel-permission/tree/main/src/Exceptions) **/bootstrap/app.php** ```php ->withExceptions(function (Exceptions $exceptions) { $exceptions->render(function (\Spatie\Permission\Exceptions\UnauthorizedException $e, $request) { return response()->json([ 'responseMessage' => 'You do not have the required authorization.', 'responseStatus' => 403, ]); }); } ``` ================================================ FILE: docs/advanced-usage/extending.md ================================================ --- title: Extending weight: 4 --- ## Adding fields to your models You can add your own migrations to make changes to the role/permission tables, as you would for adding/changing fields in any other tables in your Laravel project. Following that, you can add any necessary logic for interacting with those fields into your custom/extended Models. Here is an example of adding a 'description' field to your Permissions and Roles tables: ```sh php artisan make:migration add_description_to_permissions_tables ``` And in the migration file: ```php public function up() { Schema::table('permissions', function (Blueprint $table) { $table->string('description')->nullable(); }); Schema::table('roles', function (Blueprint $table) { $table->string('description')->nullable(); }); } ``` Semi-Related article: [Adding Extra Fields To Pivot Table](https://quickadminpanel.com/blog/laravel-belongstomany-add-extra-fields-to-pivot-table/) (video) ## Adding a description to roles and permissions A common question is "how do I add a description for my roles or permissions?". By default, a 'description' field is not included in this package, to keep the model memory usage low, because not every app has a need for displayed descriptions. But you are free to add it yourself if you wish. You can use the example above. ### Multiple Language Descriptions If you need your 'description' to support multiple languages, simply use Laravel's built-in language features. You might prefer to rename the 'description' field in these migration examples from 'description' to 'description_key' for clarity. ## Extending User Models Laravel's authorization features are available in models which implement the `Illuminate\Foundation\Auth\Access\Authorizable` trait. By default Laravel does this in `\App\Models\User` by extending `Illuminate\Foundation\Auth\User`, in which the trait and `Illuminate\Contracts\Auth\Access\Authorizable` contract are declared. If you are creating your own User models and wish Authorization features to be available, you need to implement `Illuminate\Contracts\Auth\Access\Authorizable` in one of those ways as well. ## Child User Models Due to the nature of polymorphism and Eloquent's hard-coded mapping of model names in the database, setting relationships for child models that inherit permissions of the parent can be difficult (even near impossible depending on app requirements, especially when attempting to do inverse mappings). However, one thing you might consider if you need the child model to never have its own permissions/roles but to only use its parent's permissions/roles, is to [override the `getMorphClass` method on the model](https://github.com/laravel/framework/issues/17830#issuecomment-345619085). eg: This could be useful, but only if you're willing to give up the child's independence for roles/permissions: ```php public function getMorphClass() { return 'users'; } ``` ## Extending Role and Permission Models If you are extending or replacing the role/permission models, you will need to specify your new models in this package's `config/permission.php` file. First be sure that you've published the configuration file (see the Installation instructions), and edit it to update the `models.role` and `models.permission` values to point to your new models. Note the following requirements when extending/replacing the models: ### Extending If you need to EXTEND the existing `Role` or `Permission` models note that: - Your `Role` model needs to `extend` the `Spatie\Permission\Models\Role` model - Your `Permission` model needs to `extend` the `Spatie\Permission\Models\Permission` model - You need to update `config/permission.php` to specify your namespaced model eg: ```php **Note** > When using Laravel Idea plugin all directives are automatically added. You may wish to extend PhpStorm to support Blade Directives of this package. 1. In PhpStorm, open Preferences, and navigate to **Languages and Frameworks -> PHP -> Blade** (File | Settings | Languages & Frameworks | PHP | Blade) 2. Uncheck "Use default settings", then click on the `Directives` tab. 3. Add the following new directives for the laravel-permission package: **role** - has parameter = YES - Prefix: `` -- **elserole** - has parameter = YES - Prefix: `` **endrole** - has parameter = NO - Prefix: blank - Suffix: blank -- **hasrole** - has parameter = YES - Prefix: `` -- **endhasrole** - has parameter = NO - Prefix: blank - Suffix: blank -- **hasanyrole** - has parameter = YES - Prefix: `` -- **endhasanyrole** - has parameter = NO - Prefix: blank - Suffix: blank -- **hasallroles** - has parameter = YES - Prefix: `` -- **endhasallroles** - has parameter = NO - Prefix: blank - Suffix: blank -- **unlessrole** - has parameter = YES - Prefix: `` -- **endunlessrole** - has parameter = NO - Prefix: blank - Suffix: blank -- **hasexactroles** - has parameter = YES - Prefix: `` -- **endhasexactroles** - has parameter = NO - Prefix: blank - Suffix: blank ================================================ FILE: docs/advanced-usage/seeding.md ================================================ --- title: Database Seeding weight: 2 --- ## Flush cache before/after seeding You may discover that it is best to flush this package's cache **BEFORE seeding, to avoid cache conflict errors**. And if you use the `WithoutModelEvents` trait in your seeders, flush it **AFTER creating any roles/permissions as well, before assigning or granting them**. ```php // reset cached roles and permissions app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions(); ``` You can optionally flush the cache before seeding by using the `SetUp()` method of your test suite (see the Testing page in the docs). Or it can be done directly in a seeder class, as shown below. ## Database Cache Store TIP: If you have `CACHE_STORE=database` set in your `.env`, remember that [you must install Laravel's cache tables via a migration before performing any cache operations](https://laravel.com/docs/cache#prerequisites-database). If you fail to install those migrations, you'll run into errors like `Call to a member function perform() on null` when the cache store attempts to purge or update the cache. This package does strategic cache resets in various places, so may trigger that error if your app's cache dependencies aren't set up. ## Roles/Permissions Seeder Here is a sample seeder, which first clears the cache, creates permissions and then assigns permissions to roles (the order of these steps is intentional): ```php use Illuminate\Database\Seeder; use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; class RolesAndPermissionsSeeder extends Seeder { public function run(): void { // Reset cached roles and permissions app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions(); // create permissions Permission::create(['name' => 'edit articles']); Permission::create(['name' => 'delete articles']); Permission::create(['name' => 'publish articles']); Permission::create(['name' => 'unpublish articles']); // update cache to know about the newly created permissions (required if using WithoutModelEvents in seeders) app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions(); // create roles and assign created permissions // this can be done as separate statements $role = Role::create(['name' => 'writer']); $role->givePermissionTo('edit articles'); // or may be done by chaining $role = Role::create(['name' => 'moderator']) ->givePermissionTo(['publish articles', 'unpublish articles']); $role = Role::create(['name' => 'super-admin']); $role->givePermissionTo(Permission::all()); } } ``` ## User Seeding with Factories and States To use Factory States to assign roles after creating users: ```php // Factory: public function definition() {...} public function active(): static { return $this->state(fn (array $attributes) => [ 'status' => 1, ]) ->afterCreating(function (User $user) { $user->assignRole('ActiveMember'); }); } // Seeder: // To create 4 users using this 'active' state in a Seeder: User::factory(4)->active()->create(); ``` To seed multiple users and then assign each of them a role, WITHOUT using Factory States: ```php // Seeder: User::factory() ->count(50) ->create() ->each(function ($user) { $user->assignRole('Member'); }); ``` ## Speeding up seeding for large data sets When seeding large quantities of roles or permissions you may consider using Eloquent's `insert` command instead of `create`, as this bypasses all the internal checks that this package does when calling `create` (including extra queries to verify existence, test guards, etc). ```php $arrayOfPermissionNames = ['writer', 'editor']; $permissions = collect($arrayOfPermissionNames)->map(function ($permission) { return ['name' => $permission, 'guard_name' => 'web']; }); Permission::insert($permissions->toArray()); ``` Alternatively you could use `DB::insert`, as long as you also provide all the required data fields. One example of this is shown below ... but note that this example hard-codes the table names and field names, thus does not respect any customizations you may have in your permissions config file. ```php $permissionsByRole = [ 'admin' => ['restore posts', 'force delete posts'], 'editor' => ['create a post', 'update a post', 'delete a post'], 'viewer' => ['view all posts', 'view a post'] ]; $insertPermissions = fn ($role) => collect($permissionsByRole[$role]) ->map(fn ($name) => DB::table('permissions')->insertGetId(['name' => $name, 'guard_name' => 'web'])) ->toArray(); $permissionIdsByRole = [ 'admin' => $insertPermissions('admin'), 'editor' => $insertPermissions('editor'), 'viewer' => $insertPermissions('viewer') ]; foreach ($permissionIdsByRole as $role => $permissionIds) { $role = Role::whereName($role)->first(); DB::table('role_has_permissions') ->insert( collect($permissionIds)->map(fn ($id) => [ 'role_id' => $role->id, 'permission_id' => $id ])->toArray() ); } // and also add the command to flush the cache again now after doing all these inserts ``` **CAUTION**: ANY TIME YOU DIRECTLY RUN DB QUERIES you are bypassing cache-control features. So you will need to manually flush the package cache AFTER running direct DB queries, even in a seeder. ================================================ FILE: docs/advanced-usage/testing.md ================================================ --- title: Testing weight: 1 --- ## Clear Cache During Tests In your application's tests, if you are not seeding roles and permissions as part of your test `setUp()` then you may run into a chicken/egg situation where roles and permissions aren't registered with the gate (because your tests create them after that gate registration is done). Working around this is simple: In your tests simply add a `setUp()` instruction to re-register the permissions, like this: ```php protected function setUp(): void { // first include all the normal setUp operations parent::setUp(); // now de-register all the roles and permissions by clearing the permission cache $this->app->make(\Spatie\Permission\PermissionRegistrar::class)->forgetCachedPermissions(); } ``` ## Clear Cache When Using Seeders If you are using Laravel's `LazilyRefreshDatabase` trait, you most likely want to avoid seeding permissions before every test, because that would negate the use of the `LazilyRefreshDatabase` trait. To overcome this, you should wrap your seeder in an event listener for the `DatabaseRefreshed` event: ```php Event::listen(DatabaseRefreshed::class, function () { $this->artisan('db:seed', ['--class' => RoleAndPermissionSeeder::class]); $this->app->make(\Spatie\Permission\PermissionRegistrar::class)->forgetCachedPermissions(); }); ``` Note that `PermissionRegistrar::forgetCachedPermissions()` is called AFTER seeding. This is to prevent a caching issue that can occur when the database is set up after permissions have already been registered and cached. ## Bypassing Cache When Testing The caching infrastructure for this package is "always on", but when running your test suite you may wish to reduce its impact. Two things you might wish to explore include: - Change the cache driver to `array`. **Very often you will have already done this in your `phpunit.xml` configuration.** - Shorten cache lifetime to 1 second, by setting the config (not necessary if cache driver is set to `array`) in your test suite TestCase: `'permission.cache.expiration_time' = \DateInterval::createFromDateString('1 seconds')` ## Testing Using Factories Many applications do not require using factories to create fake roles/permissions for testing, because they use a Seeder to create specific roles and permissions that the application uses; thus tests are performed using the declared roles and permissions. However, if your application allows users to define their own roles and permissions you may wish to use Model Factories to generate roles and permissions as part of your test suite. When using Laravel's class-based Model Factory features you will need to `extend` this package's `Role` and/or `Permission` model into your app's namespace, add the `HasFactory` trait to it, and define a model factory for it. Then you can use that factory in your seeders like any other factory related to your application's models. ================================================ FILE: docs/advanced-usage/timestamps.md ================================================ --- title: Timestamps weight: 10 --- ## Excluding Timestamps from JSON If you want to exclude timestamps from JSON output of role/permission pivots, you can extend the Role and Permission models into your own App namespace and mark the pivot as hidden: ```php protected $hidden = ['pivot']; ``` ## Adding Timestamps to Pivots If you want to add timestamps to your pivot tables, you can do it with a few steps: - update the tables by calling `$table->timestamps();` in a migration - extend the `Permission` and `Role` models and add `->withTimestamps();` to the `BelongsToMany` relationshps for `roles()` and `permissions()` - update your `User` models (wherever you use the `HasRoles` or `HasPermissions` traits) by adding `->withTimestamps();` to the `BelongsToMany` relationships for `roles()` and `permissions()` ================================================ FILE: docs/advanced-usage/ui-options.md ================================================ --- title: UI Options weight: 11 --- ## Need a UI? The package doesn't come with any UI/screens out of the box, you should build that yourself. But: [do you really need a UI? Consider what Aaron and Joel have to say in this podcast episode](https://show.nocompromises.io/episodes/should-you-manage-roles-and-permissions-with-a-ui) If you decide you need a UI, even if it's not for creating/editing role/permission names, but just for controlling which Users have access to which roles/permissions, following are some options to get you started: - [Code With Tony - video series](https://www.youtube.com/watch?v=lGfV1ddMhHA) to create an admin panel for managing roles and permissions in Laravel 9. - [FilamentPHP plugin](https://filamentphp.com/plugins/tharinda-rodrigo-spatie-roles-permissions) to manage roles and permissions using this package. (There are a few other Filament plugins which do similarly; use whichever suits your needs best.) - If you'd like to build your own UI, and understand the underlying logic for Gates and Roles and Users, the [Laravel 6 User Login and Management With Roles](https://www.youtube.com/watch?v=7PpJsho5aak&list=PLxFwlLOncxFLazmEPiB4N0iYc3Dwst6m4) video series by Mark Twigg of Penguin Digital gives thorough coverage to the topic, the theory, and implementation of a basic Roles system, independent of this Permissions Package. - [Laravel Nova package by @vyuldashev for managing Roles and Permissions](https://github.com/vyuldashev/nova-permission) - [Laravel Nova package by @paras-malhotra for managing Roles and Permissions and permissions based authorization for Nova Resources](https://github.com/insenseanalytics/laravel-nova-permission) - [How to create a UI for managing the permissions and roles](http://www.qcode.in/easy-roles-and-permissions-in-laravel-5-4/) - [Laravel User Management for managing users, roles, permissions, departments and authorization](https://github.com/Mekaeil/LaravelUserManagement) by [Mekaeil](https://github.com/Mekaeil) - [Generating UI boilerplate using InfyOm](https://youtu.be/hlGu2pa1bdU) video tutorial by [Shailesh](https://github.com/shailesh-ladumor) - [LiveWire Base Admin Panel](https://github.com/aliqasemzadeh/bap) User management by [AliQasemzadeh](https://github.com/aliqasemzadeh) - [JetAdmin](https://github.com/aliqasemzadeh/jetadmin) JetAdmin use laravel livewire starter kit and manage permissions. [AliQasemzadeh](https://github.com/aliqasemzadeh) - [QuickPanel](https://github.com/aliqasemzadeh/quickpanel) Quick Panel (TALL Flowbite Starter Kit). [AliQasemzadeh](https://github.com/aliqasemzadeh) ================================================ FILE: docs/advanced-usage/uuid.md ================================================ --- title: UUID/ULID weight: 7 --- If you're using UUIDs (ULID, GUID, etc) for your User models or Role/Permission models there are a few considerations to note. > NOTE: THIS IS NOT A FULL LESSON ON HOW TO IMPLEMENT UUIDs IN YOUR APP. Since each UUID implementation approach is different, some of these may or may not benefit you. As always, your implementation may vary. We use "uuid" in the examples below. Adapt for ULID or GUID as needed. ## Migrations You will need to update the `create_permission_tables.php` migration after creating it with `php artisan vendor:publish`. After making your edits, be sure to run the migration! **User Models using UUIDs** If your User models are using `uuid` instead of `unsignedBigInteger` then you'll need to reflect the change in the migration provided by this package. Something like the following would be typical, for **both** `model_has_permissions` and `model_has_roles` tables: ```diff // note: this is done in two places in the default migration file, so edit both places: - $table->unsignedBigInteger($columnNames['model_morph_key']) + $table->uuid($columnNames['model_morph_key']) ``` **Roles and Permissions using UUIDS** If you also want the roles and permissions to use a UUID for their `id` value, then you'll need to change the id fields accordingly, and manually set the primary key. ```diff Schema::create($tableNames['permissions'], function (Blueprint $table) { - $table->bigIncrements('id'); // permission id + $table->uuid('uuid')->primary()->unique(); // permission id //... }); Schema::create($tableNames['roles'], function (Blueprint $table) { - $table->bigIncrements('id'); // role id + $table->uuid('uuid')->primary()->unique(); // role id //... }); Schema::create($tableNames['model_has_permissions'], function (Blueprint $table) use ($tableNames, $columnNames) { - $table->unsignedBigInteger($pivotPermission); + $table->uuid($pivotPermission); $table->string('model_type'); //... $table->foreign($pivotPermission) - ->references('id') // permission id + ->references('uuid') // permission id ->on($tableNames['permissions']) ->onDelete('cascade'); //... Schema::create($tableNames['model_has_roles'], function (Blueprint $table) use ($tableNames, $columnNames) { - $table->unsignedBigInteger($pivotRole); + $table->uuid($pivotRole); //... $table->foreign($pivotRole) - ->references('id') // role id + ->references('uuid') // role id ->on($tableNames['roles']) ->onDelete('cascade');//... Schema::create($tableNames['role_has_permissions'], function (Blueprint $table) use ($tableNames) { - $table->unsignedBigInteger($pivotPermission); - $table->unsignedBigInteger($pivotRole); + $table->uuid($pivotPermission); + $table->uuid($pivotRole); $table->foreign($pivotPermission) - ->references('id') // permission id + ->references('uuid') // permission id ->on($tableNames['permissions']) ->onDelete('cascade'); $table->foreign($pivotRole) - ->references('id') // role id + ->references('uuid') // role id ->on($tableNames['roles']) ->onDelete('cascade'); ``` ## Configuration (OPTIONAL) You might want to change the pivot table field name from `model_id` to `model_uuid`, just for semantic purposes. For this, in the `permission.php` configuration file edit `column_names.model_morph_key`: - OPTIONAL: Change to `model_uuid` instead of the default `model_id`. ```diff 'column_names' => [ /* * Change this if you want to name the related pivots other than defaults */ 'role_pivot_key' => null, //default 'role_id', 'permission_pivot_key' => null, //default 'permission_id', /* * Change this if you want to name the related model primary key other than * `model_id`. * * For example, this would be nice if your primary keys are all UUIDs. In * that case, name this `model_uuid`. */ - 'model_morph_key' => 'model_id', + 'model_morph_key' => 'model_uuid', ], ``` - If you extend the models into your app, be sure to list those models in your `permissions.php` configuration file. See the Extending section of the documentation and the Models section below. ## Models If you want all the role/permission objects to have a UUID instead of an integer, you will need to Extend the default Role and Permission models into your own namespace in order to set some specific properties. (See the Extending section of the docs, where it explains requirements of Extending, as well as the `permissions.php` configuration settings you need to update.) Examples: Create new models, which extend the Role and Permission models of this package, and add Laravel's `HasUuids` trait (available since Laravel 9): ```bash php artisan make:model Role php artisan make:model Permission ``` `App\Model\Role.php` ```php [ /* * When using the "HasPermissions" trait from this package, we need to know which * Eloquent model should be used to retrieve your permissions. Of course, it * is often just the "Permission" model but you may use whatever you like. * * The model you want to use as a Permission model needs to implement the * `Spatie\Permission\Contracts\Permission` contract. */ - 'permission' => Spatie\Permission\Models\Permission::class + 'permission' => \App\Models\Permission::class, /* * When using the "HasRoles" trait from this package, we need to know which * Eloquent model should be used to retrieve your roles. Of course, it * is often just the "Role" model but you may use whatever you like. * * The model you want to use as a Role model needs to implement the * `Spatie\Permission\Contracts\Role` contract. */ - 'role' => Spatie\Permission\Models\Role::class, + 'role' => \App\Models\Role::class, ], ``` ================================================ FILE: docs/basic-usage/_index.md ================================================ --- title: Basic Usage weight: 1 --- ================================================ FILE: docs/basic-usage/artisan.md ================================================ --- title: Artisan Commands weight: 10 --- ## Creating roles and permissions with Artisan Commands You can create a role or permission from the console with artisan commands. ```bash php artisan permission:create-role writer ``` ```bash php artisan permission:create-permission "edit articles" ``` When creating permissions/roles for specific guards you can specify the guard names as a second argument: ```bash php artisan permission:create-role writer web ``` ```bash php artisan permission:create-permission "edit articles" web ``` When creating roles you can also create and link permissions at the same time: ```bash php artisan permission:create-role writer web "create articles|edit articles" ``` When creating roles with teams enabled you can set the team id by adding the `--team-id` parameter: ```bash php artisan permission:create-role --team-id=1 writer php artisan permission:create-role writer api --team-id=1 ``` ## Displaying roles and permissions in the console There is also a `show` command to show a table of roles and permissions per guard: ```bash php artisan permission:show ``` ## Resetting the Cache When you use the built-in functions for manipulating roles and permissions, the cache is automatically reset for you, and relations are automatically reloaded for the current model record. See the Advanced-Usage/Cache section of these docs for detailed specifics. If you need to manually reset the cache for this package, you may use the following artisan command: ```bash php artisan permission:cache-reset ``` Again, it is more efficient to use the API provided by this package, instead of manually clearing the cache. ================================================ FILE: docs/basic-usage/basic-usage.md ================================================ --- title: Basic Usage weight: 1 --- ## Add The Trait First, add the `Spatie\Permission\Traits\HasRoles` trait to your `User` model(s): ```php use Illuminate\Foundation\Auth\User as Authenticatable; use Spatie\Permission\Traits\HasRoles; class User extends Authenticatable { use HasRoles; // ... } ``` ## Create A Permission This package allows for users to be associated with permissions and roles. Every role is associated with multiple permissions. A `Role` and a `Permission` are regular Eloquent models. They require a `name` and can be created like this: ```php use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; $role = Role::create(['name' => 'writer']); $permission = Permission::create(['name' => 'edit articles']); ``` ## Assign A Permission To A Role A permission can be assigned to a role using either of these methods: ```php $role->givePermissionTo($permission); $permission->assignRole($role); ``` ## Sync Permissions To A Role Multiple permissions can be synced to a role using either of these methods: ```php $role->syncPermissions($permissions); $permission->syncRoles($roles); ``` ## Remove Permission From A Role A permission can be removed from a role using either of these methods: ```php $role->revokePermissionTo($permission); $permission->removeRole($role); ``` ## Guard Name If you're using multiple guards then the `guard_name` attribute must be set as well. Read about it in the [using multiple guards](./multiple-guards) documentation. ## Get Permissions For A User The `HasRoles` trait adds Eloquent relationships to your models, which can be accessed directly or used as a base query: ```php // get a list of all permissions directly assigned to the user $permissionNames = $user->getPermissionNames(); // collection of name strings $permissions = $user->permissions; // collection of permission objects // get all permissions for the user, either directly, or from roles, or from both $permissions = $user->getDirectPermissions(); $permissions = $user->getPermissionsViaRoles(); $permissions = $user->getAllPermissions(); // get the names of the user's roles $roles = $user->getRoleNames(); // Returns a collection ``` ## Scopes The `HasRoles` trait also adds `role` and `withoutRole` scopes to your models to scope the query to certain roles or permissions: ```php $users = User::role('writer')->get(); // Returns only users with the role 'writer' $nonEditors = User::withoutRole('editor')->get(); // Returns only users without the role 'editor' ``` The `role` and `withoutRole` scopes can accept a string, a `\Spatie\Permission\Models\Role` object or an `\Illuminate\Support\Collection` object. The same trait also adds scopes to only get users that have or don't have a certain permission. ```php $users = User::permission('edit articles')->get(); // Returns only users with the permission 'edit articles' (inherited or directly) $usersWhoCannotEditArticles = User::withoutPermission('edit articles')->get(); // Returns all users without the permission 'edit articles' (inherited or directly) ``` The scope can accept a string, a `\Spatie\Permission\Models\Permission` object or an `\Illuminate\Support\Collection` object. ## Eloquent Calls Since Role and Permission models are extended from Eloquent models, basic Eloquent calls can be used as well: ```php $allUsersWithAllTheirRoles = User::with('roles')->get(); $allUsersWithAllTheirDirectPermissions = User::with('permissions')->get(); $allRolesInDatabase = Role::all()->pluck('name'); $usersWithoutAnyRoles = User::doesntHave('roles')->get(); $allRolesExceptAandB = Role::whereNotIn('name', ['role A', 'role B'])->get(); ``` ## Counting Users Having A Role One way to count all users who have a certain role is by filtering the collection of all Users with their Roles: ```php $managersCount = User::with('roles')->get()->filter( fn ($user) => $user->roles->where('name', 'Manager')->toArray() )->count(); ``` ================================================ FILE: docs/basic-usage/blade-directives.md ================================================ --- title: Blade directives weight: 7 --- ## Permissions This package lets you use Laravel's native `@can` directive to check if a user has a certain permission (whether you gave them that permission directly or if you granted it indirectly via a role): ```php @can('edit articles') // @endcan ``` or ```php @if(auth()->user()->can('edit articles') && $some_other_condition) // @endif ``` You can use `@can`, `@cannot`, `@canany`, and `@guest` to test for permission-related access. When using a permission-name associated with permissions created in this package, you can use `@can('permission-name', 'guard_name')` if you need to check against a specific guard. Example: ```php @can('edit articles', 'guard_name') // @endcan ``` You can also use `@haspermission('permission-name')` or `@haspermission('permission-name', 'guard_name')` in similar fashion. With corresponding `@endhaspermission`. There is no `@hasanypermission` directive: use `@canany` instead. ## Roles As discussed in the Best Practices section of the docs, **it is strongly recommended to always use permission directives**, instead of role directives. Additionally, if your reason for testing against Roles is for a Super-Admin, see the *Defining A Super-Admin* section of the docs. If you actually need to directly test for Roles, this package offers some Blade directives to verify whether the currently logged in user has all or any of a given list of roles. Optionally you can pass in the `guard` that the check will be performed on as a second argument. ## Blade and Roles Check for a specific role: ```php @role('writer') I am a writer! @else I am not a writer... @endrole ``` is the same as ```php @hasrole('writer') I am a writer! @else I am not a writer... @endhasrole ``` which is also the same as ```php @if(auth()->user()->hasRole('writer')) // @endif ``` Check for any role in a list: ```php @hasanyrole($collectionOfRoles) I have one or more of these roles! @else I have none of these roles... @endhasanyrole // or @hasanyrole('writer|admin') I am either a writer or an admin or both! @else I have none of these roles... @endhasanyrole ``` Check for all roles: ```php @hasallroles($collectionOfRoles) I have all of these roles! @else I do not have all of these roles... @endhasallroles // or @hasallroles('writer|admin') I am both a writer and an admin! @else I do not have all of these roles... @endhasallroles ``` Alternatively, `@unlessrole` gives the reverse for checking a singular role, like this: ```php @unlessrole('does not have this role') I do not have the role @else I do have the role @endunlessrole ``` You can also determine if a user has exactly all of a given list of roles: ```php @hasexactroles('writer|admin') I am both a writer and an admin and nothing else! @else I do not have all of these roles or have more other roles... @endhasexactroles ``` ================================================ FILE: docs/basic-usage/direct-permissions.md ================================================ --- title: Direct Permissions weight: 2 --- ## Best Practice INSTEAD OF DIRECT PERMISSIONS, it is better to assign permissions to Roles, and then assign Roles to Users. See the [Roles vs Permissions](../best-practices/roles-vs-permissions) section of the docs for a deeper explanation. HOWEVER, If you have reason to directly assign individual permissions to specific users (instead of to roles which are assigned to those users), you can do that as well: ## Direct Permissions to Users ### Giving/Revoking direct permissions A permission can be given to any user: ```php $user->givePermissionTo('edit articles'); // You can also give multiple permission at once $user->givePermissionTo('edit articles', 'delete articles'); // You may also pass an array $user->givePermissionTo(['edit articles', 'delete articles']); ``` A permission can be revoked from a user: ```php $user->revokePermissionTo('edit articles'); ``` Or revoke & add new permissions in one go: ```php $user->syncPermissions(['edit articles', 'delete articles']); ``` ## Checking Direct Permissions Like all permissions assigned via roles, you can check if a user has a permission by using Laravel's default `can` function. This will also allow you to use Super-Admin features provided by Laravel's Gate: ```php $user->can('edit articles'); ``` > NOTE: The following `hasPermissionTo`, `hasAnyPermission`, `hasAllPermissions` functions do not support Super-Admin functionality. Use `can`, `canAny` instead. You can check if a user has a permission: ```php $user->hasPermissionTo('edit articles'); ``` Or you may pass an integer representing the permission id ```php $user->hasPermissionTo('1'); $user->hasPermissionTo(Permission::find(1)->id); $user->hasPermissionTo($somePermission->id); ``` You can check if a user has Any of an array of permissions: ```php $user->hasAnyPermission(['edit articles', 'publish articles', 'unpublish articles']); ``` ...or if a user has All of an array of permissions: ```php $user->hasAllPermissions(['edit articles', 'publish articles', 'unpublish articles']); ``` You may also pass integers to lookup by permission id ```php $user->hasAnyPermission(['edit articles', 1, 5]); ``` ================================================ FILE: docs/basic-usage/enums.md ================================================ --- title: Enums weight: 4 --- ## Enum Prerequisites Internally, Enums implicitly implement `\BackedEnum`, which is how this package recognizes that you're passing an Enum. NOTE: Presently (versions 6, 7) this package does not support using `$casts` to specify enums on the `Permission` model. You can still use enums to reference things as shown below, just without declaring it in a `$casts` property. ## Code Requirements You can create your Enum object for use with Roles and/or Permissions. You will probably create separate Enums for Roles and for Permissions, although if your application needs are simple you might choose a single Enum for both. Usually the list of application Roles is much shorter than the list of Permissions, so having separate objects for them can make them easier to manage. Here is an example Enum for Roles. You would do similarly for Permissions. ```php namespace App\Enums; enum RolesEnum: string { // case NAMEINAPP = 'name-in-database'; case WRITER = 'writer'; case EDITOR = 'editor'; case USERMANAGER = 'user-manager'; // extra helper to allow for greater customization of displayed values, without disclosing the name/value data directly public function label(): string { return match ($this) { static::WRITER => 'Writers', static::EDITOR => 'Editors', static::USERMANAGER => 'User Managers', }; } } ``` ## Creating Roles/Permissions using Enums When **creating** roles/permissions, you cannot pass an Enum name directly, because Eloquent expects a string for the name. Use Laravel's `enum_value()` function for simplicity: ```php $role = app(Role::class)->findOrCreate(enum_value(RolesEnum::WRITER), 'web'); ``` Same with creating Permissions. ### Authorizing using Enums In your application code, when checking for authorization using features of this package, you can use `MyEnum::NAME` directly in most cases, without passing `->value` to convert to a string. There may occasionally be times where you will need to manually fallback to adding `->value` (eg: `MyEnum::NAME->value`) when using features that aren't aware of Enum support, such as when you need to pass `string` values instead of an `Enum` to a function that doesn't recognize Enums. Again, wrap it with `enum_value()` as a simple workaround. Examples: ```php // the following are identical because `hasPermissionTo` is aware of `BackedEnum` support: $user->hasPermissionTo(PermissionsEnum::VIEWPOSTS); $user->hasPermissionTo(PermissionsEnum::VIEWPOSTS->value); $user->hasPermissionTo(enum_value(PermissionsEnum::VIEWPOSTS)); // Blade directives: @can(enum_value(PermissionsEnum::VIEWPOSTS)) ``` ## Package methods supporting BackedEnums: The following methods of this package support passing `BackedEnum` parameters directly: ```php $user->assignRole(RolesEnum::WRITER); $user->removeRole(RolesEnum::EDITOR); $role->givePermissionTo(PermissionsEnum::EDITPOSTS); $role->revokePermissionTo(PermissionsEnum::EDITPOSTS); $user->givePermissionTo(PermissionsEnum::EDITPOSTS); $user->revokePermissionTo(PermissionsEnum::EDITPOSTS); $user->hasPermissionTo(PermissionsEnum::EDITPOSTS); $user->hasAnyPermission([PermissionsEnum::EDITPOSTS, PermissionsEnum::VIEWPOSTS]); $user->hasDirectPermission(PermissionsEnum::EDITPOSTS); $user->hasRole(RolesEnum::WRITER); $user->hasAllRoles([RolesEnum::WRITER, RolesEnum::EDITOR]); $user->hasExactRoles([RolesEnum::WRITER, RolesEnum::EDITOR, RolesEnum::MANAGER]); ``` ================================================ FILE: docs/basic-usage/middleware.md ================================================ --- title: Middleware weight: 11 --- ## Default Middleware For checking against a single permission (see Best Practices) using `can`, you can use the built-in Laravel middleware provided by `\Illuminate\Auth\Middleware\Authorize::class` like this: ```php Route::group(['middleware' => ['can:publish articles']], function () { ... }); // or with static method Route::group(['middleware' => [\Illuminate\Auth\Middleware\Authorize::using('publish articles')]], function () { ... }); ``` ## Package Middleware **See a typo? Note that since v6 the _'Middleware'_ namespace is singular. Prior to v6 it was _'Middlewares'_. Time to upgrade your implementation!** This package comes with `RoleMiddleware`, `PermissionMiddleware` and `RoleOrPermissionMiddleware` middleware. You can register their aliases for easy reference elsewhere in your app: Open `/bootstrap/app.php` and register them there: ```php ->withMiddleware(function (Middleware $middleware) { $middleware->alias([ 'role' => \Spatie\Permission\Middleware\RoleMiddleware::class, 'permission' => \Spatie\Permission\Middleware\PermissionMiddleware::class, 'role_or_permission' => \Spatie\Permission\Middleware\RoleOrPermissionMiddleware::class, ]); }) ``` ### Middleware Priority If your app is triggering *404 Not Found* responses when a *403 Not Authorized* response might be expected, it might be a middleware priority clash. Explore reordering priorities so that this package's middleware runs before Laravel's `SubstituteBindings` middleware. (See [Middleware docs](https://laravel.com/docs/master/middleware#sorting-middleware) ). If needed, you could optionally explore `$middleware->prependToGroup()` instead. See the Laravel Documentation for details. ## Using Middleware in Routes and Controllers After you have registered the aliases as shown above, you can use them in your Routes and Controllers much the same way you use any other middleware: ### Routes ```php Route::group(['middleware' => ['role:manager']], function () { ... }); Route::group(['middleware' => ['permission:publish articles']], function () { ... }); Route::group(['middleware' => ['role_or_permission:publish articles']], function () { ... }); // for a specific guard: Route::group(['middleware' => ['role:manager,api']], function () { ... }); // multiple middleware Route::group(['middleware' => ['role:manager','permission:publish articles']], function () { ... }); ``` You can specify multiple roles or permissions with a `|` (pipe) character, which is treated as `OR`: ```php Route::group(['middleware' => ['role:manager|writer']], function () { ... }); Route::group(['middleware' => ['permission:publish articles|edit articles']], function () { ... }); Route::group(['middleware' => ['role_or_permission:manager|edit articles']], function () { ... }); // for a specific guard Route::group(['middleware' => ['permission:publish articles|edit articles,api']], function () { ... }); ``` ### Controllers If your controller implements the `HasMiddleware` interface, you can register [controller middleware](https://laravel.com/docs/12.x/controllers#controller-middleware) using the `middleware()` method: ```php public static function middleware(): array { return [ // examples with aliases, pipe-separated names, guards, etc: 'role_or_permission:manager|edit articles', new Middleware('role:author', only: ['index']), new Middleware(\Spatie\Permission\Middleware\RoleMiddleware::using('manager'), except:['show']), new Middleware(\Spatie\Permission\Middleware\PermissionMiddleware::using('delete records,api'), only:['destroy']), ]; } ``` You can also use Laravel's Model Policy feature in your controller methods. See the Model Policies section of these docs. ## Middleware via Static Methods All of the middleware can also be applied by calling the static `using` method, which accepts either an array or a `|`-separated string as input. ```php Route::group(['middleware' => [\Spatie\Permission\Middleware\RoleMiddleware::using('manager')]], function () { ... }); Route::group(['middleware' => [\Spatie\Permission\Middleware\PermissionMiddleware::using('publish articles|edit articles')]], function () { ... }); Route::group(['middleware' => [\Spatie\Permission\Middleware\RoleOrPermissionMiddleware::using(['manager', 'edit articles'])]], function () { ... }); ``` ================================================ FILE: docs/basic-usage/multiple-guards.md ================================================ --- title: Using multiple guards weight: 9 --- When using the default Laravel auth configuration all of the core methods of this package will work out of the box, with no extra configuration required. However, when using multiple guards they will act like namespaces for your permissions and roles: Every guard has its own set of permissions and roles that can be assigned to its user model. ## The Downside To Multiple Guards Note that this package requires you to register a permission name (same for roles) for each guard you want to authenticate with. So, "edit-article" would have to be created multiple times for each guard your app uses. An exception will be thrown if you try to authenticate against a non-existing permission+guard combination. Same for roles. > **Tip**: If your app uses only a single guard, but it is not `web` (Laravel's default, which shows "first" in the auth config file) then change the order of your listed guards in your `config/auth.php` to list your primary guard as the default and as the first in the list of defined guards. While you're editing that file, it is best to remove any guards you don't use, too. > > OR you could use the suggestion below to force the use of a single guard: ## Forcing Use Of A Single Guard If your app structure does NOT differentiate between guards when it comes to roles/permissions, (ie: if ALL your roles/permissions are the SAME for ALL guards), you can override the `getDefaultGuardName` function by adding it to your User model, and specifying your desired `$guard_name`. Then you only need to create roles/permissions for that single `$guard_name`, not duplicating them. The example here sets it to `web`, but use whatever your application's default is: ```php protected string $guard_name = 'web'; protected function getDefaultGuardName(): string { return $this->guard_name; } ```` ## Using permissions and roles with multiple guards When creating new permissions and roles, if no guard is specified, then the **first** defined guard in `auth.guards` config array will be used. ```php // Create a manager role for users authenticating with the admin guard: $role = Role::create(['guard_name' => 'admin', 'name' => 'manager']); // Define a `publish articles` permission for the admin users belonging to the admin guard $permission = Permission::create(['guard_name' => 'admin', 'name' => 'publish articles']); // Define a *different* `publish articles` permission for the regular users belonging to the web guard $permission = Permission::create(['guard_name' => 'web', 'name' => 'publish articles']); ``` To check if a user has permission for a specific guard: ```php $user->hasPermissionTo('publish articles', 'admin'); ``` > **Note**: When determining whether a role/permission is valid on a given model, it checks against the first matching guard in this order (it does NOT check role/permission for EACH possibility, just the first match): - first the guardName() method if it exists on the model (may return a string or array); - then the `$guard_name` property if it exists on the model (may return a string or array); - then the first-defined guard/provider combination in the `auth.guards` config array that matches the loaded model's guard; - then the `auth.defaults.guard` config (which is the user's guard if they are logged in, else the default in the file). ## Assigning permissions and roles to guard users You can use the same core methods to assign permissions and roles to users; just make sure the `guard_name` on the permission or role matches the guard of the user, otherwise a `GuardDoesNotMatch` or `Role/PermissionDoesNotExist` exception will be thrown. If your User is able to consume multiple roles or permissions from different guards; make sure the User class's `$guard_name` property or `guardName()` method returns all allowed guards as an array: ```php protected $guard_name = ['web', 'admin']; ```` or ```php public function guardName() { return ['web', 'admin']; } ```` ## Using blade directives with multiple guards You can use all of the blade directives offered by this package by passing in the guard you wish to use as the second argument to the directive: ```php @role('super-admin', 'admin') I am a super-admin! @else I am not a super-admin... @endrole ``` ================================================ FILE: docs/basic-usage/new-app.md ================================================ --- title: Example App weight: 90 --- ## Creating A Demo App If you want to just try out the features of this package you can get started with the following. The examples on this page are primarily added for assistance in creating a quick demo app for troubleshooting purposes, to post the repo on github for convenient sharing to collaborate or get support. If you're new to Laravel or to any of the concepts mentioned here, you can learn more in the [Laravel documentation](https://laravel.com/docs/) and in the free videos at Laracasts such as with the [Laravel 11 in 30 days](https://laracasts.com/series/30-days-to-learn-laravel-11) or [Laravel 8 From Scratch](https://laracasts.com/series/laravel-8-from-scratch/) series. ### Initial setup: ```sh cd ~/Sites laravel new mypermissionsdemo # (No Starter Kit is needed, but you could go with Livewire or Breeze/Jetstream, with Laravel's Built-In-Auth; or use Bootstrap using laravel/ui described later, below) # (You might be asked to select a dark-mode-support choice) # (Choose your desired testing framework: Pest or PHPUnit) # (If offered, say Yes to initialize a Git repo, so that you can track your code changes) # (If offered a database selection, choose SQLite, because it is simplest for test scenarios) # (If prompted, say Yes to run default database migrations) # (If prompted, say Yes to run npm install and related commands) cd mypermissionsdemo # The following git commands are not needed if you Initialized a git repo while "laravel new" was running above: git init git add . git commit -m "Fresh Laravel Install" # These Environment steps are not needed if you already selected SQLite while "laravel new" was running above: cp -n .env.example .env sed -i '' 's/DB_CONNECTION=mysql/DB_CONNECTION=sqlite/' .env sed -i '' 's/DB_DATABASE=/#DB_DATABASE=/' .env touch database/database.sqlite # Package composer require spatie/laravel-permission php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" git add . git commit -m "Add Spatie Laravel Permissions package" php artisan migrate:fresh # Add `HasRoles` trait to User model sed -i '' $'s/use HasFactory, Notifiable;/use HasFactory, Notifiable;\\\n use \\\\Spatie\\\\Permission\\\\Traits\\\\HasRoles;/' app/Models/User.php sed -i '' $'s/use HasApiTokens, HasFactory, Notifiable;/use HasApiTokens, HasFactory, Notifiable;\\\n use \\\\Spatie\\\\Permission\\\\Traits\\\\HasRoles;/' app/Models/User.php git add . && git commit -m "Add HasRoles trait" ``` If you didn't install a Starter Kit like Livewire or Breeze or Jetstream, add Laravel's basic auth scaffolding: This Auth scaffolding will make it simpler to provide login capability for a test/demo user, and test roles/permissions with them. ```php composer require laravel/ui --dev php artisan ui bootstrap --auth # npm install && npm run build git add . && git commit -m "Setup auth scaffold" ``` ### Add some basic permissions - Add a new file, `/database/seeders/PermissionsDemoSeeder.php` such as the following (You could create it with `php artisan make:seed` and then edit the file accordingly): ```php forgetCachedPermissions(); // create permissions Permission::create(['name' => 'edit articles']); Permission::create(['name' => 'delete articles']); Permission::create(['name' => 'publish articles']); Permission::create(['name' => 'unpublish articles']); // create roles and assign existing permissions $role1 = Role::create(['name' => 'writer']); $role1->givePermissionTo('edit articles'); $role1->givePermissionTo('delete articles'); $role2 = Role::create(['name' => 'admin']); $role2->givePermissionTo('publish articles'); $role2->givePermissionTo('unpublish articles'); $role3 = Role::create(['name' => 'Super-Admin']); // gets all permissions via Gate::before rule; see AuthServiceProvider // create demo users $user = \App\Models\User::factory()->create([ 'name' => 'Example User', 'email' => 'tester@example.com', ]); $user->assignRole($role1); $user = \App\Models\User::factory()->create([ 'name' => 'Example Admin User', 'email' => 'admin@example.com', ]); $user->assignRole($role2); $user = \App\Models\User::factory()->create([ 'name' => 'Example Super-Admin User', 'email' => 'superadmin@example.com', ]); $user->assignRole($role3); } } ``` - re-migrate and seed the database: ```sh php artisan migrate:fresh --seed --seeder=PermissionsDemoSeeder ``` ### Grant Super-Admin access Super-Admins are a common feature. The following approach allows that when your Super-Admin user is logged in, all permission-checks in your app which call `can()` or `@can()` will return true. - Create a role named `Super-Admin`. (Or whatever name you wish; but use it consistently just like you must with any role name.) - Add a Gate::before check in your `AuthServiceProvider` (or `AppServiceProvider` since Laravel 11): ```diff + use Illuminate\Support\Facades\Gate; public function boot() { + // Implicitly grant "Super-Admin" role all permission checks using can() + Gate::before(function ($user, $ability) { + if ($user->hasRole('Super-Admin')) { + return true; + } + }); } ``` ### Application Code The permissions created in the seeder above imply that there will be some sort of Posts or Article features, and that various users will have various access control levels to manage/view those objects. Your app will have Models, Controllers, routes, Views, Factories, Policies, Tests, middleware, and maybe additional Seeders. You can see examples of these in the demo app at https://github.com/drbyte/spatie-permissions-demo/ ### Quick Examples If you are creating a demo app for reporting a bug or getting help with troubleshooting something, skip this section and proceed to "Sharing" below. If this is your first app with this package, you may want some quick permission examples to see it in action. If you've set up your app using the instructions above, the following examples will work in conjunction with the users and permissions created in the seeder. Three users were created: tester@example.com, admin@example.com, superadmin@example.com and the password for each is "password". `/resources/views/dashboard.php` ```diff
{{ __("You're logged in!") }}
+ @can('edit articles') + You can EDIT ARTICLES. + @endcan + @can('publish articles') + You can PUBLISH ARTICLES. + @endcan + @can('only super-admins can see this section') + Congratulations, you are a super-admin! + @endcan ``` With the above code, when you login with each respective user, you will see different messages based on that access. Here's a routes example with Breeze and Laravel 11. Edit `/routes/web.php`: ```diff -Route::middleware('auth')->group(function () { +Route::middleware('role_or_permission:publish articles')->group(function () { Route::get('/profile', [ProfileController::class, 'edit'])->name('profile.edit'); Route::patch('/profile', [ProfileController::class, 'update'])->name('profile.update'); Route::delete('/profile', [ProfileController::class, 'destroy'])->name('profile.destroy'); }); ``` With the above change, you will be unable to access the user "Profile" page unless you are logged in with "admin" or "super-admin". You could change `role_or_permission:publish_articles` to `role:writer` to make it only available to the "test" user. ## Sharing To share your app on Github for easy collaboration: - create a new public repository on Github, without any extras like readme/etc. - follow github's sample code for linking your local repo and uploading the code. It will look like this: ```sh git remote add origin git@github.com:YOURUSERNAME/REPONAME.git git push -u origin main ``` The above only needs to be done once. - then add the rest of your code by making new commits: ```sh git add . git commit -m "Explain what your commit is about here" git push origin main ``` Repeat the above process whenever you change code that you want to share. Those are the basics! ================================================ FILE: docs/basic-usage/passport.md ================================================ --- title: Passport Client Credentials Grant usage weight: 12 --- **NOTE** currently this only works for Laravel 9 and Passport 11 and newer. ## Install Passport First of all make sure to have Passport installed as described in the [Laravel documentation](https://laravel.com/docs/master/passport). ## Extend the Client model After installing the Passport package we need to extend Passports Client model. The extended Client model should look like something as shown below. ```php use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract; use Illuminate\Foundation\Auth\Access\Authorizable; use Laravel\Passport\Client as BaseClient; use Spatie\Permission\Traits\HasRoles; class Client extends BaseClient implements AuthorizableContract { use HasRoles; use Authorizable; public $guard_name = 'api'; // or public function guardName() { return 'api'; } } ``` You need to extend the Client model to make it possible to add the required traits and properties/ methods. The extended Client should either provide a `$guard_name` property or a `guardName()` method. They should return a string that matches the [configured](https://laravel.com/docs/master/passport#installation) guard name for the passport driver. To tell Passport to use this extended Client, add the rule below to the `boot` method of your `App\Providers\AuthServiceProvider` class. ```php Passport::useClientModel(\App\Models\Client::class); // Use the namespace of your extended Client. ``` ## Middleware All middleware provided by this package work with the Client. Do make sure that you only wrap your routes in the [`client`](https://laravel.com/docs/master/passport#via-middleware) middleware and not the `auth:api` middleware as well. Wrapping routes in the `auth:api` middleware currently does not work for the Client Credentials Grant. ## Config Finally, update the config file as well. Setting `use_passport_client_credentials` to `true` will make sure that the right checks are performed. ```php // config/permission.php 'use_passport_client_credentials' => true, ``` ================================================ FILE: docs/basic-usage/role-permissions.md ================================================ --- title: Using Permissions via Roles weight: 3 --- ## Assigning Roles A role can be assigned to any user: ```php $user->assignRole('writer'); // You can also assign multiple roles at once $user->assignRole('writer', 'admin'); // or as an array $user->assignRole(['writer', 'admin']); ``` A role can be removed from a user: ```php $user->removeRole('writer'); ``` Roles can also be synced: ```php // All current roles will be removed from the user and replaced by the array given $user->syncRoles(['writer', 'admin']); ``` ## Checking Roles You can determine if a user has a certain role: ```php $user->hasRole('writer'); // or at least one role from an array of roles: $user->hasRole(['editor', 'moderator']); ``` You can also determine if a user has any of a given list of roles: ```php $user->hasAnyRole(['writer', 'reader']); // or $user->hasAnyRole('writer', 'reader'); ``` You can also determine if a user has all of a given list of roles: ```php $user->hasAllRoles(Role::all()); ``` You can also determine if a user has exactly all of a given list of roles: ```php $user->hasExactRoles(Role::all()); ``` The `assignRole`, `hasRole`, `hasAnyRole`, `hasAllRoles`, `hasExactRoles` and `removeRole` functions can accept a string, a `\Spatie\Permission\Models\Role` object or an `\Illuminate\Support\Collection` object. ## Assigning Permissions to Roles A permission can be given to a role: ```php $role->givePermissionTo('edit articles'); ``` You can determine if a role has a certain permission: ```php $role->hasPermissionTo('edit articles'); ``` A permission can be revoked from a role: ```php $role->revokePermissionTo('edit articles'); ``` Or revoke & add new permissions in one go: ```php $role->syncPermissions(['edit articles', 'delete articles']); ``` The `givePermissionTo` and `revokePermissionTo` functions can accept a string or a `Spatie\Permission\Models\Permission` object. **NOTE: Permissions are inherited from roles automatically.** ## What Permissions Does A Role Have? The `permissions` property on any given role returns a collection with all the related permission objects. This collection can respond to usual Eloquent Collection operations, such as count, sort, etc. ```php // get collection $role->permissions; // return only the permission names: $role->permissions->pluck('name'); // count the number of permissions assigned to a role count($role->permissions); // or $role->permissions->count(); ``` ## Assigning Direct Permissions To A User Additionally, individual permissions can be assigned to the user too. For instance: ```php $role = Role::findByName('writer'); $role->givePermissionTo('edit articles'); $user->assignRole('writer'); $user->givePermissionTo('delete articles'); ``` In the above example, a role is given permission to edit articles and this role is assigned to a user. Now the user can edit articles and additionally delete articles. The permission of 'delete articles' is the user's direct permission because it is assigned directly to them. When we call `$user->hasDirectPermission('delete articles')` it returns `true`, but `false` for `$user->hasDirectPermission('edit articles')`. This method is useful if one builds a form for setting permissions for roles and users in an application and wants to restrict or change inherited permissions of roles of the user, i.e. allowing to change only direct permissions of the user. You can check if the user has a Specific or All or Any of a set of permissions directly assigned: ```php // Check if the user has Direct permission $user->hasDirectPermission('edit articles') // Check if the user has All direct permissions $user->hasAllDirectPermissions(['edit articles', 'delete articles']); // Check if the user has Any permission directly $user->hasAnyDirectPermission(['create articles', 'delete articles']); ``` By following the previous example, when we call `$user->hasAllDirectPermissions(['edit articles', 'delete articles'])` it returns `false`, because the user does not have `edit articles` as a direct permission. When we call `$user->hasAnyDirectPermission('edit articles')`, it returns `true` because the user has one of the provided permissions. You can examine all of these permissions: ```php // Direct permissions $user->getDirectPermissions() // Or $user->permissions; // Permissions inherited from the user's roles $user->getPermissionsViaRoles(); // All permissions which apply on the user (inherited and direct) $user->getAllPermissions(); ``` All these responses are collections of `Spatie\Permission\Models\Permission` objects. If we follow the previous example, the first response will be a collection with the `delete article` permission and the second will be a collection with the `edit article` permission and the third will contain both. ================================================ FILE: docs/basic-usage/super-admin.md ================================================ --- title: Defining a Super-Admin weight: 8 --- We strongly recommend that a Super-Admin be handled by setting a global `Gate::before` or `Gate::after` rule which checks for the desired role. Then you can implement the best-practice of primarily using permission-based controls (@can and $user->can, etc) throughout your app, without always having to check for "is this a super-admin" everywhere. **Best not to use role-checking (ie: `hasRole`) (except here in Gate/Policy rules) when you have Super Admin features like this.** ## Gate::before/Policy::before vs HasPermissionTo / HasAnyPermission / HasDirectPermission / HasAllPermissions IMPORTANT: The Gate::before is the best approach for Super-Admin functionality, and aligns well with the described "Best Practices" of using roles as a way of grouping permissions, and assigning that access to Users. Using this approach, you can/must call Laravel's standard `can()`, `canAny()`, `cannot()`, etc checks for permission authorization to get a correct Super response. ### HasPermissionTo, HasAllPermissions, HasAnyPermission, HasDirectPermission Calls to this package's internal API which bypass Laravel's Gate (such as a direct call to `->hasPermissionTo()`) will not go through the Gate, and thus will not get the Super response, unless you have actually added that specific permission to the Super-Admin "role". The only reason for giving specific permissions to a Super-Admin role is if you intend to call the `has` methods directly instead of the Gate's `can()` methods. ## `Gate::before` If you want a "Super Admin" role to respond `true` to all permissions, without needing to assign all those permissions to a role, you can use [Laravel's `Gate::before()` method](https://laravel.com/docs/master/authorization#intercepting-gate-checks). For example: `/app/Providers/AppServiceProvider`: ```php use Illuminate\Support\Facades\Gate; // ... public function boot(): void { // Implicitly grant "Super Admin" role all permissions // This works in the app by using gate-related functions like auth()->user->can() and @can() Gate::before(function ($user, $ability) { return $user->hasRole('Super Admin') ? true : null; }); } ``` NOTE: `Gate::before` rules need to return `null` rather than `false`, else it will interfere with normal policy operation. [See more.](https://laracasts.com/discuss/channels/laravel/policy-gets-never-called#reply=492526) Jeffrey Way explains the concept of a super-admin (and a model owner, and model policies) in the [Laravel 6 Authorization Filters](https://laracasts.com/series/laravel-6-from-scratch/episodes/51) video and some related lessons in that chapter. ## Policy `before()` If you aren't using `Gate::before()` as described above, you could alternatively grant super-admin control by checking the role in individual Policy classes, using the `before()` method. Here is an example from the [Laravel Documentation on Policy Filters](https://laravel.com/docs/master/authorization#policy-filters), where you can define `before()` in your Policy where needed: ```php use App\Models\User; // could be any Authorizable model /** * Perform pre-authorization checks on the model. */ public function before(User $user, string $ability): ?bool { if ($user->hasRole('Super Admin')) { return true; } return null; // see the note above in Gate::before about why null must be returned here. } ``` ## `Gate::after` Alternatively you might want to move the Super Admin check to the `Gate::after` phase instead, particularly if your Super Admin shouldn't be allowed to do things your app doesn't want "anyone" to do, such as writing more than 1 review, or bypassing unsubscribe rules, etc. The following code snippet is inspired from [Freek's blog article](https://freek.dev/1325-when-to-use-gateafter-in-laravel) where this topic is discussed further. You can also consult the [Laravel Docs on gate interceptions](https://laravel.com/docs/master/authorization#intercepting-gate-checks) ```php // somewhere in a service provider Gate::after(function ($user, $ability) { return $user->hasRole('Super Admin'); // note this returns boolean }); ``` ================================================ FILE: docs/basic-usage/teams-permissions.md ================================================ --- title: Teams permissions weight: 5 --- When enabled, teams permissions offers you flexible control for a variety of scenarios. The idea behind teams permissions is inspired by the default permission implementation of [Laratrust](https://laratrust.santigarcor.me/). ## Enabling Teams Permissions Feature NOTE: These configuration changes must be made **before** performing the migration when first installing the package. If you have already run the migration and want to upgrade your implementation, you can run the artisan console command `php artisan permission:setup-teams`, to create a new migration file named [`xxxx_xx_xx_xx_add_teams_fields.php`](https://github.com/spatie/laravel-permission/blob/main/database/migrations/add_teams_fields.php.stub) and then run `php artisan migrate` to upgrade your database tables. Teams permissions can be enabled in the permission config file: ```php // config/permission.php 'teams' => true, ``` Also, if you want to use a custom foreign key for teams you set it in the permission config file: ```php // config/permission.php 'team_foreign_key' => 'custom_team_id', ``` ## Working with Teams Permissions After implementing a solution for selecting a team on the authentication process (for example, setting the `team_id` of the currently selected team on the **session**: `session(['team_id' => $team->team_id]);` ), we can set global `team_id` from anywhere, but works better if you create a `Middleware`. Example Team Middleware: ```php namespace App\Http\Middleware; class TeamsPermission { public function handle($request, \Closure $next){ if(!empty(auth()->user())){ // session value set on login setPermissionsTeamId(session('team_id')); } // other custom ways to get team_id /*if(!empty(auth('api')->user())){ // `getTeamIdFromToken()` example of custom method for getting the set team_id setPermissionsTeamId(auth('api')->user()->getTeamIdFromToken()); }*/ return $next($request); } } ``` **YOU MUST ALSO** set [the `$middlewarePriority` array](https://laravel.com/docs/master/middleware#sorting-middleware) in `app/Http/Kernel.php` to include your custom middleware before the `SubstituteBindings` middleware, else you may get *404 Not Found* responses when a *403 Not Authorized* response might be expected. For example you can add something similar to the `boot` method of your `AppServiceProvider`: ```php use App\Http\Middleware\YourCustomMiddlewareClass; use Illuminate\Foundation\Http\Kernel; use Illuminate\Routing\Middleware\SubstituteBindings; use Illuminate\Support\ServiceProvider; class AppServiceProvider extends ServiceProvider { public function register(): void { // } public function boot(): void { /** @var Kernel $kernel */ $kernel = app()->make(Kernel::class); $kernel->addToMiddlewarePriorityBefore( YourCustomMiddlewareClass::class, SubstituteBindings::class, ); } } ``` ### Using LiveWire? You may need to register your team middleware as Persisted in Livewire. See [Livewire docs: Configuring Persistent Middleware](https://livewire.laravel.com/docs/security#configuring-persistent-middleware) ## Roles Creating When creating a role you can pass the `team_id` as an optional parameter ```php // with null team_id it creates a global role; global roles can be assigned to any team and they are unique Role::create(['name' => 'writer', 'team_id' => null]); // creates a role with team_id = 1; team roles can have the same name on different teams Role::create(['name' => 'reader', 'team_id' => 1]); // creating a role without team_id makes the role take the default global team_id Role::create(['name' => 'reviewer']); ``` ## Roles/Permissions Assignment and Removal The role/permission assignment and removal for teams are the same as without teams, but they take the global `team_id` which is set on login. ## Changing The Active Team ID While your middleware will set a user's `team_id` upon login, you may later need to set it to another team for various reasons. The two most common reasons are these: ### Switching Teams After Login If your application allows the user to switch between various teams which they belong to, you can activate the roles/permissions for that team by calling `setPermissionsTeamId($new_team_id)` and unsetting relations as described below. ### Administrating Team Details You may have created a User-Manager page where you can view the roles/permissions of users on certain teams. For managing that user in each team they belong to, you must also use `setPermissionsTeamId($new_team_id)` to cause lookups to relate to that new team, and unset prior relations as described below. ### Querying Roles/Permissions for Other Teams Whenever you switch the active `team_id` using `setPermissionsTeamId()`, you need to `unset` the user's/model's `roles` and `permissions` relations before querying what roles/permissions that user has (`$user->roles`, etc) and before calling any authorization functions (`can()`, `hasPermissionTo()`, `hasRole()`, etc). Example: ```php // set active global team_id setPermissionsTeamId($new_team_id); // $user = Auth::user(); // unset cached model relations so new team relations will get reloaded $user->unsetRelation('roles')->unsetRelation('permissions'); // Now you can check: $roles = $user->roles; $hasRole = $user->hasRole('my_role'); $user->hasPermissionTo('foo'); $user->can('bar'); // etc ``` ## Defining a Super-Admin on Teams Global roles can be assigned to different teams, and `team_id` (which is the primary key of the relationships) is always required. If you want a "Super Admin" global role for a user, when you create a new team you must assign it to your user. Example: ```php namespace App\Models; class YourTeamModel extends \Illuminate\Database\Eloquent\Model { // ... public static function boot() { parent::boot(); // here assign this team to a global user with global default role self::created(function ($model) { // temporary: get session team_id for restore at end $session_team_id = getPermissionsTeamId(); // set actual new team_id to package instance setPermissionsTeamId($model); // get the admin user and assign roles/permissions on new team model User::find('your_user_id')->assignRole('Super Admin'); // restore session team_id to package instance using temporary value stored above setPermissionsTeamId($session_team_id); }); } // ... } ``` ================================================ FILE: docs/basic-usage/wildcard-permissions.md ================================================ --- title: Wildcard permissions weight: 6 --- When enabled, wildcard permissions offers you a flexible representation for a variety of permission schemes. The wildcard permissions implementation is inspired by the default permission implementation of [Apache Shiro](https://shiro.apache.org/permissions.html). See the Shiro documentation for more examples and deeper explanation of the concepts. ## Enabling Wildcard Features Wildcard permissions can be enabled in the permission config file: ```php // config/permission.php 'enable_wildcard_permission' => true, ``` ## Wildcard Syntax A wildcard permission string is made of one or more parts separated by dots (.). ```php $permission = 'posts.create.1'; ``` The meaning of each part of the string depends on the application layer. > You can use as many parts as you like. So you are not limited to the three-tiered structure, even though this is the common use-case, representing `{resource}.{action}.{target}`. > **NOTE: You must actually create the wildcarded permissions** (eg: `posts.create.1`) before you can assign them or check for them. > **NOTE: You must create any wildcard permission patterns** (eg: `posts.create.*`) before you can assign them or check for them. ## Using Wildcards > ALERT: The `*` means "ALL". It does **not** mean "ANY". Each part can also contain wildcards (`*`). So let's say we assign the following permission to a user: ```php Permission::create(['name'=>'posts.*']); $user->givePermissionTo('posts.*'); // is the same as Permission::create(['name'=>'posts']); $user->givePermissionTo('posts'); ``` Given the example above, everyone who is assigned to this permission will be allowed every action on posts. It is not necessary to use a wildcard on the last part of the string. This is automatically assumed. ```php // will be true $user->can('posts.create'); $user->can('posts.edit'); $user->can('posts.delete'); ``` (Note that the `posts.create` and `posts.edit` and `posts.delete` permissions must also be created.) ## Meaning of the * Asterisk The `*` means "ALL". It does **not** mean "ANY". Thus `can('post.*')` will only pass if the user has been assigned `post.*` explicitly, and the `post.*` Permission has been created. ## Subparts Besides the use of parts and wildcards, subparts can also be used. Subparts are divided with commas (,). This is a powerful feature that lets you create complex permission schemes. ```php // user can only do the actions create, update and view on both resources posts and users Permission::create(['name'=>'posts,users.create,update,view']); $user->givePermissionTo('posts,users.create,update,view'); // user can do the actions create, update, view on any available resource Permission::create(['name'=>'*.create,update,view']); $user->givePermissionTo('*.create,update,view'); // user can do any action on posts with ids 1, 4 and 6 Permission::create(['name'=>'posts.*.1,4,6']); $user->givePermissionTo('posts.*.1,4,6'); ``` > Remember: the meaning of each 'part' is determined by your application! So, you are free to use each part as you like. And you can use as many parts and subparts as you want. ================================================ FILE: docs/best-practices/_index.md ================================================ --- title: Best Practices weight: 2 --- ================================================ FILE: docs/best-practices/performance.md ================================================ --- title: Performance Tips weight: 10 --- On small apps, most of the following will be moot, and unnecessary. Often we think in terms of "roles have permissions" so we lookup a Role, and call `$role->givePermissionTo()` to indicate what users with that role are allowed to do. This is perfectly fine! And yet, in some situations, particularly if your app is deleting and adding new permissions frequently, you may find that things are more performant if you lookup the permission and assign it to the role, like: `$permission->assignRole($role)`. The end result is the same, but sometimes it runs quite a lot faster. Also, because of the way this package enforces some protections for you, on large databases you may find that instead of creating permissions with: ```php Permission::create([attributes]); ``` it might be faster (more performant) to use: ```php $permission = Permission::make([attributes]); $permission->saveOrFail(); ``` As always, if you choose to bypass the provided object methods for adding/removing/syncing roles and permissions by manipulating Role and Permission objects directly in the database, **you will need to manually reset the package cache** with the PermissionRegistrar's method for that, as described in the Cache section of the docs. ================================================ FILE: docs/best-practices/roles-vs-permissions.md ================================================ --- title: Roles vs Permissions weight: 1 --- Best-Practice for thinking about Roles vs Permissions is this: **Roles** are best to only assign to **Users** in order to "**group**" people by "**sets of permissions**". **Permissions** are best assigned **to roles**. The more granular/detailed your permission-names (such as separate permissions like "view document" and "edit document"), the easier it is to control access in your application. **Users** should *rarely* be given "direct" permissions. Best if Users inherit permissions via the Roles that they're assigned to. When designed this way, all the sections of your application can check for specific permissions needed to access certain features or perform certain actions AND this way you can always **use the native Laravel `@can` and `can()` directives everywhere** in your app, which allows Laravel's Gate layer to do all the heavy lifting. Example: it's safer to have your Views test `@can('view member addresses')` or `@can('edit document')`, INSTEAD of testing for `$user->hasRole('Editor')`. It's easier to control displaying a "section" of content vs edit/delete buttons if you have "view document" and "edit document" permissions defined. And then Writer role would get both "view" and "edit" assigned to it. And then the user would get the Writer role. This also allows you to treat permission names as static (only editable by developers), and then your application (almost) never needs to know anything about role names, so you could (almost) change role names at will. Summary: - **users** have `roles` - **roles** have `permissions` - app always checks for `permissions` (as much as possible), not `roles` - **views** check permission-names - **policies** check permission-names - **model policies** check permission-names - **controller methods** check permission-names - **middleware** check permission names, or sometimes role-names - **routes** check permission-names, or maybe role-names if you need to code that way. Sometimes certain groups of `route` rules may make best sense to group them around a `role`, but still, whenever possible, there is less overhead used if you can check against a specific `permission` instead. ### FURTHER READING: [@joelclermont](https://github.com/joelclermont) at [masteringlaravel.io](https://masteringlaravel.io/daily) offers similar guidance in his post about [Treating Feature Access As Data, Not Code](https://masteringlaravel.io/daily/2025-01-09-treat-feature-access-as-data-not-code) ================================================ FILE: docs/best-practices/using-policies.md ================================================ --- title: Model Policies weight: 2 --- The best way to incorporate access control for application features is with [Laravel's Model Policies](https://laravel.com/docs/authorization#creating-policies). Using Policies allows you to simplify things by abstracting your "control" rules into one place, where your application logic can be combined with your permission rules. Jeffrey Way explains the concept simply in the [Laravel 6 Authorization Filters](https://laracasts.com/series/laravel-6-from-scratch/episodes/51) and [policies](https://laracasts.com/series/laravel-6-from-scratch/episodes/63) videos and in other related lessons in that chapter. He also mentions how to set up a super-admin, both in a model policy and globally in your application. Here's a partial example of a PostPolicy which could control access to Post model records: ```php published) { return true; } // visitors cannot view unpublished items if ($user === null) { return false; } // admin overrides published status if ($user->can('view unpublished posts')) { return true; } // authors can view their own unpublished posts return $user->id == $post->user_id; } public function create(User $user): bool { return $user->can('create posts'); } public function update(User $user, Post $post): bool { if ($user->can('edit all posts')) { return true; } if ($user->can('edit own posts')) { return $user->id == $post->user_id; } } public function delete(User $user, Post $post): bool { if ($user->can('delete any post')) { return true; } if ($user->can('delete own posts')) { return $user->id == $post->user_id; } } } ``` ================================================ FILE: docs/changelog.md ================================================ --- title: Changelog weight: 10 --- All notable changes to laravel-permission are documented [on GitHub](https://github.com/spatie/laravel-permission/blob/main/CHANGELOG.md) ================================================ FILE: docs/installation-laravel.md ================================================ --- title: Installation in Laravel weight: 4 --- ## Laravel Version Compatibility See the "Prerequisites" documentation page for compatibility details. ## Installing 1. Consult the **Prerequisites** page for important considerations regarding your **User** models! 2. This package **publishes a `config/permission.php` file**. If you already have a file by that name, you must rename or remove it. 3. You can **install the package via composer**: composer require spatie/laravel-permission 4. The Service Provider will automatically be registered; however, if you wish to manually register it, you can manually add the `Spatie\Permission\PermissionServiceProvider::class` service provider to the array in `bootstrap/providers.php`. 5. **You should publish** [the migration](https://github.com/spatie/laravel-permission/blob/main/database/migrations/create_permission_tables.php.stub) and the [`config/permission.php` config file](https://github.com/spatie/laravel-permission/blob/main/config/permission.php) with: ``` php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" ``` 6. BEFORE RUNNING MIGRATIONS - **If you are using UUIDs**, see the Advanced section of the docs on UUID steps, before you continue. It explains some changes you may want to make to the migrations and config file before continuing. It also mentions important considerations after extending this package's models for UUID capability. - **If you are going to use the TEAMS features** you must update your [`config/permission.php` config file](https://github.com/spatie/laravel-permission/blob/main/config/permission.php): - must set `'teams' => true,` - and (optional) you may set `team_foreign_key` name in the config file if you want to use a custom foreign key in your database for teams - **If you are using MySQL 8+**, look at the **Prerequisites** docs page for notes about MySQL 8+ to set/limit the index key length, and edit accordingly. If you get `ERROR: 1071 Specified key was too long` then you need to do this. - **If you are using CACHE_STORE=database**, be sure to [install Laravel's cache migration](https://laravel.com/docs/cache#prerequisites-database), else you will encounter cache errors. 7. **Clear your config cache**. This package requires access to the `permission` config settings in order to run migrations. If you've been caching configurations locally, clear your config cache with either of these commands: php artisan optimize:clear # or php artisan config:clear 8. **Run the migrations**: After the config and migration have been published and configured, you can create the tables for this package by running: php artisan migrate 9. **Add the necessary trait to your User model**: // The User model requires this trait use HasRoles; 10. Consult the **Basic Usage** section of the docs to get started using the features of this package. . ## Default config file contents You can view the default config file contents at: [https://github.com/spatie/laravel-permission/blob/main/config/permission.php](https://github.com/spatie/laravel-permission/blob/main/config/permission.php) ================================================ FILE: docs/introduction.md ================================================ --- title: Introduction weight: 1 --- This package allows you to manage user permissions and roles in a database. Once installed you can do stuff like this: ```php // Adding permissions to a user $user->givePermissionTo('edit articles'); // Adding permissions via a role $user->assignRole('writer'); $role->givePermissionTo('edit articles'); ``` If you're using multiple guards we've got you covered as well. Every guard will have its own set of permissions and roles that can be assigned to the guard's users. Read about it in the [using multiple guards](./basic-usage/multiple-guards/) section. Because all permissions will be registered on [Laravel's gate](https://laravel.com/docs/authorization), you can check if a user has a permission with Laravel's default `can` function: ```php $user->can('edit articles'); ``` and Blade directives: ```blade @can('edit articles') ... @endcan ``` ================================================ FILE: docs/prerequisites.md ================================================ --- title: Prerequisites weight: 3 --- ## Laravel Version Compatibility Laravel Version | Package Version ----------------|----------- 12, 13 | `^7.0` (PHP 8.3+) 8,9,10,11,12 | `^6.0` (PHP 8.0+) 7,8,9,10 | `^5.8` 7,8,9 | `^5.7` 7,8 | `^5.4`-`^5.6` 6,7,8 | `^5.0`-`^5.3` 6,7,8 | `^4` 5.8 | `^3` ## User Model / Contract/Interface This package uses Laravel's Gate layer to provide Authorization capabilities. The Gate/authorization layer requires that your `User` model implement the `Illuminate\Contracts\Auth\Access\Authorizable` contract. Otherwise the `can()` and `authorize()` methods will not work in your controllers, policies, templates, etc. In the `Installation` instructions you'll see that the `HasRoles` trait must be added to the User model to enable this package's features. Thus, a typical basic User model would have these basic minimum requirements: ```php use Illuminate\Foundation\Auth\User as Authenticatable; use Spatie\Permission\Traits\HasRoles; class User extends Authenticatable { use HasRoles; // ... } ``` ## Must not have a [role] or [roles] property/relation, nor a [roles()] method Your `User` model/object MUST NOT have a `role` or `roles` property (or field in the database by that name), nor a `roles()` method on it (nor a `roles` relation). Those will interfere with the properties and methods and relations added by the `HasRoles` trait provided by this package, thus causing unexpected outcomes when this package's methods are used to inspect roles and permissions. ## Must not have a [permission] or [permissions] property/relation, nor a [permissions()] method Your `User` model/object MUST NOT have a `permission` or `permissions` property (or field in the database by that name), nor a `permissions()` method on it (nor a `permissions` relation). Those will interfere with the properties and methods and relations added by the `HasPermissions` trait provided by this package (which is invoked via the `HasRoles` trait). ## Config file This package publishes a `config/permission.php` file. If you already have a file by that name, you must rename or remove it, as it will conflict with this package. You could optionally merge your own values with those required by this package, as long as the keys that this package expects are present. See the source file for more details. ## Database Schema Limitations Potential error message: "1071 Specified key was too long; max key length is 1000 bytes" MySQL 8.0+ limits index key lengths, which might be too short for some compound indexes used by this package. This package publishes a migration which combines multiple columns in a single index. With `utf8mb4` the 4-bytes-per-character requirement of `mb4` means the total length of the columns in the hybrid index can only be `25%` of that maximum index length. - MyISAM tables limit the index to 1000 characters (which is only 250 total chars in `utf8mb4`) - InnoDB tables using ROW_FORMAT of 'Redundant' or 'Compact' limit the index to 767 characters (which is only 191 total chars in `utf8mb4`) - InnoDB tables using ROW_FORMAT of 'Dynamic' or 'Compressed' have a 3072 character limit (which is 768 total chars in `utf8mb4`). Depending on your MySQL or MariaDB configuration, you may implement one of the following approaches: 1. Ideally, configure the database to use InnoDB by default, and use ROW FORMAT of 'Dynamic' by default for all new tables. (See [MySQL](https://dev.mysql.com/doc/refman/8.0/en/innodb-limits.html) and [MariaDB](https://mariadb.com/kb/en/innodb-dynamic-row-format/) docs.) 2. OR if your app doesn't require a longer default, in your AppServiceProvider you can set `Schema::defaultStringLength(125)`. [See the Laravel Docs for instructions](https://laravel.com/docs/10.x/migrations#index-lengths-mysql-mariadb). This will have Laravel set all strings to 125 characters by default. 3. OR you could edit the migration and specify a shorter length for 4 fields. Then in your app be sure to manually impose validation limits on any form fields related to these fields. In the migration file, there are 2 places where you can explicitly set the length for both the 'name' and 'guard_name' fields, on 2 tables. Suggested specific lengths are shown below: ```php $table->string('name'); // For MyISAM use string('name', 225); // (or 166 for InnoDB with Redundant/Compact row format) $table->string('guard_name'); // For MyISAM use string('guard_name', 25); ``` ## Note for apps using UUIDs/ULIDs/GUIDs This package expects the primary key of your `User` model to be an auto-incrementing `int`. If it is not, you may need to modify the `create_permission_tables` migration and/or modify the default configuration. See [https://spatie.be/docs/laravel-permission/advanced-usage/uuid](https://spatie.be/docs/laravel-permission/advanced-usage/uuid) for more information. ## Database foreign-key relationship support To enforce database integrity, this package uses foreign-key relationships with cascading deletes. This prevents data mismatch situations if database records are manipulated outside of this package. If your database engine does not support foreign-key relationships, then you will have to alter the migration files accordingly. This package does its own detaching of pivot records when deletes are called using provided package methods, so if your database does not support foreign keys then as long as you only use method calls provided by this package for managing related records, there should not be data integrity issues. ================================================ FILE: docs/questions-issues.md ================================================ --- title: Questions and issues weight: 9 --- Find yourself stuck using the package? Found a bug? Do you have general questions or suggestions for improving the package? Feel free to [create an issue on GitHub](https://github.com/spatie/laravel-permission/issues), we'll try to address it as soon as possible. If you've found a bug regarding security please mail [freek@spatie.be](mailto:freek@spatie.be) instead of using the issue tracker. ================================================ FILE: docs/support-us.md ================================================ --- title: Support us weight: 2 --- We invest a lot of resources into creating [best in class open source packages](https://spatie.be/open-source). You can support us by [buying one of our paid products](https://spatie.be/open-source/support-us). We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on [our contact page](https://spatie.be/about-us). We publish all received postcards on [our virtual postcard wall](https://spatie.be/open-source/postcards). ================================================ FILE: docs/upgrading.md ================================================ --- title: Upgrading weight: 6 --- ## Upgrade Essentials ALL upgrades of this package should follow these steps: 1. Composer. Upgrading between major versions of this package always requires the usual Composer steps: - Update your `composer.json` to specify the new major version, for example: `^6.0` - Then run `composer update spatie/laravel-permission`. 2. Migrations. Compare the `migration` file stubs in the NEW version of this package against the migrations you've already run inside your app. If necessary, create a new migration (by hand) to apply any new database changes. 3. Config file. Incorporate any changes to the permission.php config file, updating your existing file. (It may be easiest to make a backup copy of your existing file, re-publish it from this package, and then re-make your customizations to it.) 4. Models. If you have made any custom Models by extending them into your own app, compare the package's old and new models and apply any relevant updates to your custom models. 5. Custom Methods/Traits. If you have overridden any methods from this package's Traits, compare the old and new traits, and apply any relevant updates to your overridden methods. 6. Contract/Interface updates. If you have implemented this package's contracts in any models, check to see if there were any changes to method signatures. Mismatches will trigger PHP errors. 7. Apply any version-specific special updates as outlined below... 8. Review the changelog, which details all the changes: [CHANGELOG](https://github.com/spatie/laravel-permission/blob/main/CHANGELOG.md) and/or consult the [Release Notes](https://github.com/spatie/laravel-permission/releases) ## Upgrading from v6 to v7 For guidance with upgrading your extended models, your migrations, your routes, etc, see the **Upgrade Essentials** section at the top of this file. ### Requirements - PHP 8.3 or higher - Laravel 12 or higher ### Service Provider The service provider now extends `PackageServiceProvider` from `spatie/laravel-package-tools`. If you have published or extended the service provider, update your references accordingly. Lumen support has been removed. ### Event Class Renames All event classes now have an `Event` suffix: | v6 | v7 | |---|---| | `Spatie\Permission\Events\PermissionAttached` | `Spatie\Permission\Events\PermissionAttachedEvent` | | `Spatie\Permission\Events\PermissionDetached` | `Spatie\Permission\Events\PermissionDetachedEvent` | | `Spatie\Permission\Events\RoleAttached` | `Spatie\Permission\Events\RoleAttachedEvent` | | `Spatie\Permission\Events\RoleDetached` | `Spatie\Permission\Events\RoleDetachedEvent` | Update any event listeners that reference these classes. ### Command Class Renames All command classes now have a `Command` suffix: | v6 | v7 | |---|---| | `Spatie\Permission\Commands\CacheReset` | `Spatie\Permission\Commands\CacheResetCommand` | | `Spatie\Permission\Commands\CreateRole` | `Spatie\Permission\Commands\CreateRoleCommand` | | `Spatie\Permission\Commands\CreatePermission` | `Spatie\Permission\Commands\CreatePermissionCommand` | | `Spatie\Permission\Commands\Show` | `Spatie\Permission\Commands\ShowCommand` | | `Spatie\Permission\Commands\UpgradeForTeams` | `Spatie\Permission\Commands\UpgradeForTeamsCommand` | | `Spatie\Permission\Commands\AssignRole` | `Spatie\Permission\Commands\AssignRoleCommand` | The artisan command signatures remain unchanged. ### Removed Deprecated Methods - `PermissionRegistrar::clearClassPermissions()` has been removed. Use `clearPermissionsCollection()` instead. ### Type Hints Return types and parameter types have been added throughout the codebase. If you have extended any of the following classes or traits, you may need to update your method signatures: - `HasPermissions` trait: `givePermissionTo()`, `syncPermissions()`, `revokePermissionTo()` now return `static` - `HasRoles` trait: `assignRole()`, `removeRole()`, `syncRoles()` now return `static` - Exception factory methods now return `static` instead of `self` - `PermissionRegistrar::setPermissionClass()` and `setRoleClass()` now return `static` - `PermissionRegistrar::forgetCachedPermissions()` now returns `bool` - `Contracts\PermissionsTeamResolver::setPermissionsTeamId()` now has typed parameter `int|string|Model|null $id` - `Contracts\Role::hasPermissionTo()` now has typed parameter and optional `$guardName` ### Wildcard Contract The `__construct(Model $record)` method has been removed from the `Spatie\Permission\Contracts\Wildcard` interface. If you implement this contract, you can remove the constructor from the interface requirement (your concrete class should still accept a `Model` in its constructor). ## Upgrading from v5 to v6 There are a few breaking-changes when upgrading to v6, but most of them won't affect you unless you have been customizing things. For guidance with upgrading your extended models, your migrations, your routes, etc, see the **Upgrade Essentials** section at the top of this file. 1. Due to the improved ULID/UUID/GUID support, any package methods which accept a Permission or Role `id` must pass that `id` as an `integer`. If you pass it as a numeric string, the functions will attempt to look up the role/permission as a string. In such cases, you may see errors such as `There is no permission named '123' for guard 'web'.` (where `'123'` is being treated as a string because it was passed as a string instead of as an integer). This also applies to arrays of id's: if it's an array of strings we will do a lookup on the name instead of on the id. **This will mostly only affect UI pages** because an HTML Request is received as string data. **The solution is simple:** if you're passing integers to a form field, then convert them back to integers when using that field's data for calling functions to grant/assign/sync/remove/revoke permissions and roles. One way to convert an array of permissions `id`'s from strings to integers is: `collect($validated['permission'])->map(fn($val)=>(int)$val)` 2. If you have overridden the `getPermissionClass()` or `getRoleClass()` methods or have custom Models, you will need to revisit those customizations. See PR #2368 for details. eg: if you have a custom model you will need to make changes, including accessing the model using `$this->permissionClass::` syntax (eg: using `::` instead of `->`) in all the overridden methods that make use of the models. Be sure to compare your custom models with the originals to see what else may have changed. 3. Model and Contract/Interface updates. The Role and Permission Models and Contracts/Interfaces have been updated with syntax changes to method signatures. Update any models you have extended, or contracts implemented, accordingly. See PR [#2380](https://github.com/spatie/laravel-permission/pull/2380) and [#2480](https://github.com/spatie/laravel-permission/pull/2480) for some of the specifics. 4. Migrations WILL need to be upgraded. (They have been updated to anonymous-class syntax that was introduced in Laravel 8, AND some structural coding changes in the registrar class changed the way we extracted configuration settings in the migration files.) There are no changes to the package's structure since v5, so if you had not customized it from the original then replacing the contents of the file should be enough. (Usually, the only customization is if you've switched to UUIDs or customized MySQL index name lengths.) **If you get the following error, it means your migration file needs upgrading: `Error: Access to undeclared static property Spatie\Permission\PermissionRegistrar::$pivotPermission`** 5. MIDDLEWARE: 1. The `\Spatie\Permission\Middlewares\` namespace has been renamed to `\Spatie\Permission\Middleware\` (singular). Update any references to them in your `/app/Http/Kernel.php` and any routes (or imported classes in your routes files) that have the fully qualified namespace. 2. NOTE: For consistency with `PermissionMiddleware`, the `RoleOrPermissionMiddleware` has switched from only checking permissions provided by this package to using `canAny()` to check against any abilities registered by your application. This may have the effect of granting those other abilities (such as Super Admin) when using the `RoleOrPermissionMiddleware`, which previously would have failed silently. 3. In the unlikely event that you have customized the Wildcard Permissions feature by extending the `WildcardPermission` model, please note that the public interface has changed significantly and you will need to update your extended model with the new method signatures. 6. Test suites. If you have tests that manually clear the permission cache and re-register permissions, you no longer need to call `\Spatie\Permission\PermissionRegistrar::class)->registerPermissions();`. In fact, **calls to `->registerPermissions()` MUST be deleted from your tests**. (Calling `app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions();` after creating roles and permissions in migrations and factories and seeders is still okay and encouraged.) ## Upgrading from v4 to v5 Follow the instructions described in "Essentials" above. ## Upgrading from v3 to v4 Update `composer.json` as described in "Essentials" above. ## Upgrading from v2 to v3 Update `composer.json` as described in "Essentials" above. ## Upgrading from v1 to v2 There were significant database and code changes between v1 to v2. If you're upgrading from v1 to v2, there's no built-in automatic migration/conversion of your data to the new structure. You will need to carefully adapt your code and your data manually. Tip: @fabricecw prepared [a gist which may make your data migration easier](https://gist.github.com/fabricecw/58ee93dd4f99e78724d8acbb851658a4). You will also need to remove your old `laravel-permission.php` config file and publish the new one `permission.php`, and edit accordingly (setting up your custom settings again in the new file, where relevant). ================================================ FILE: ide.json ================================================ { "$schema": "https://laravel-ide.com/schema/laravel-ide-v2.json", "blade": { "directives": [ { "name": "role", "prefix": "" }, { "name": "elserole", "prefix": "" }, { "name": "endrole", "prefix": "", "suffix": "" }, { "name": "hasrole", "prefix": "" }, { "name": "endhasrole", "prefix": "", "suffix": "" }, { "name": "hasanyrole", "prefix": "" }, { "name": "endhasanyrole", "prefix": "", "suffix": "" }, { "name": "hasallroles", "prefix": "" }, { "name": "endhasallroles", "prefix": "", "suffix": "" }, { "name": "unlessrole", "prefix": "" }, { "name": "endunlessrole", "prefix": "", "suffix": "" }, { "name": "hasexactroles", "prefix": "" }, { "name": "endhasexactroles", "prefix": "", "suffix": "" } ] } } ================================================ FILE: phpstan-baseline.neon ================================================ parameters: ignoreErrors: ================================================ FILE: phpstan.neon.dist ================================================ includes: - ./vendor/larastan/larastan/extension.neon - phpstan-baseline.neon parameters: level: 5 paths: - src - config - database/migrations/create_permission_tables.php.stub - database/migrations/add_teams_fields.php.stub tmpDir: build/phpstan checkOctaneCompatibility: true ignoreErrors: - '#Unsafe usage of new static#' # wildcard permissions: - '#Call to an undefined method Illuminate\\Database\\Eloquent\\Model::getWildcardClass#' - '#Call to an undefined method Illuminate\\Database\\Eloquent\\Model::getAllPermissions#' # PermissionRegistrar accesses $roles on generic Model: - '#Access to an undefined property Illuminate\\Database\\Eloquent\\Model::\$roles#' # instanceof checks that are always false/true in specific trait contexts are intentional: - identifier: instanceof.alwaysFalse path: src/Traits/HasPermissions.php # unreachable code in trait contexts is intentional — traits are used in multiple model contexts: - '#Unreachable statement - code above always terminates#' ================================================ FILE: phpunit.xml.dist ================================================ src/ tests ================================================ FILE: pint.json ================================================ { "preset": "laravel", "rules": { "php_unit_method_casing": false } } ================================================ FILE: resources/boost/skills/laravel-permission-development/SKILL.md ================================================ --- name: laravel-permission-development description: Build and work with Spatie Laravel Permission features, including roles, permissions, middleware, policies, teams, and Blade directives. --- # Laravel Permission Development ## When to use this skill Use this skill when working with authorization, roles, permissions, access control, middleware guards, or Blade permission directives using spatie/laravel-permission. ## Core Concepts - **Users have Roles, Roles have Permissions, Apps check Permissions** (not Roles). - Direct permissions on users are an anti-pattern; assign permissions to roles instead. - Use `$user->can('permission-name')` for all authorization checks (supports Super Admin via Gate). - The `HasRoles` trait (which includes `HasPermissions`) is added to User models. ## Setup Add the `HasRoles` trait to your User model: ```php use Spatie\Permission\Traits\HasRoles; class User extends Authenticatable { use HasRoles; } ``` ## Creating Roles and Permissions ```php use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; $role = Role::create(['name' => 'writer']); $permission = Permission::create(['name' => 'edit articles']); // findOrCreate is idempotent (safe for seeders) $role = Role::findOrCreate('writer', 'web'); $permission = Permission::findOrCreate('edit articles', 'web'); ``` ## Assigning Roles and Permissions ```php // Assign roles to users $user->assignRole('writer'); $user->assignRole('writer', 'admin'); $user->assignRole(['writer', 'admin']); $user->syncRoles(['writer', 'admin']); // replaces all $user->removeRole('writer'); // Assign permissions to roles (preferred) $role->givePermissionTo('edit articles'); $role->givePermissionTo(['edit articles', 'delete articles']); $role->syncPermissions(['edit articles', 'delete articles']); $role->revokePermissionTo('edit articles'); // Reverse assignment $permission->assignRole('writer'); $permission->syncRoles(['writer', 'editor']); $permission->removeRole('writer'); ``` ## Checking Roles and Permissions ```php // Permission checks (preferred - supports Super Admin via Gate) $user->can('edit articles'); $user->canAny(['edit articles', 'delete articles']); // Direct package methods (bypass Gate, no Super Admin support) $user->hasPermissionTo('edit articles'); $user->hasAnyPermission(['edit articles', 'publish articles']); $user->hasAllPermissions(['edit articles', 'publish articles']); $user->hasDirectPermission('edit articles'); // Role checks $user->hasRole('writer'); $user->hasAnyRole(['writer', 'editor']); $user->hasAllRoles(['writer', 'editor']); $user->hasExactRoles(['writer', 'editor']); // Get assigned roles and permissions $user->getRoleNames(); // Collection of role name strings $user->getPermissionNames(); // Collection of permission name strings $user->getDirectPermissions(); // Direct permissions only $user->getPermissionsViaRoles(); // Inherited via roles $user->getAllPermissions(); // Both direct and inherited ``` ## Query Scopes ```php $users = User::role('writer')->get(); $users = User::withoutRole('writer')->get(); $users = User::permission('edit articles')->get(); $users = User::withoutPermission('edit articles')->get(); ``` ## Middleware Register middleware aliases in `bootstrap/app.php`: ```php ->withMiddleware(function (Middleware $middleware) { $middleware->alias([ 'role' => \Spatie\Permission\Middleware\RoleMiddleware::class, 'permission' => \Spatie\Permission\Middleware\PermissionMiddleware::class, 'role_or_permission' => \Spatie\Permission\Middleware\RoleOrPermissionMiddleware::class, ]); }) ``` Use in routes (pipe `|` for OR logic): ```php Route::middleware(['permission:edit articles'])->group(function () { ... }); Route::middleware(['role:manager|writer'])->group(function () { ... }); Route::middleware(['role_or_permission:manager|edit articles'])->group(function () { ... }); // With specific guard Route::middleware(['role:manager,api'])->group(function () { ... }); ``` For single permissions, Laravel's built-in `can` middleware also works: ```php Route::middleware(['can:edit articles'])->group(function () { ... }); ``` ## Blade Directives Prefer `@can` (permission-based) over `@role` (role-based): ```blade @can('edit articles') {{-- User can edit articles (supports Super Admin) --}} @endcan @canany(['edit articles', 'delete articles']) {{-- User can do at least one --}} @endcanany @role('admin') {{-- Only use for super-admin type checks --}} @endrole @hasanyrole('writer|admin') {{-- Has writer or admin --}} @endhasanyrole ``` ## Super Admin Use `Gate::before` in `AppServiceProvider::boot()`: ```php use Illuminate\Support\Facades\Gate; public function boot(): void { Gate::before(function ($user, $ability) { return $user->hasRole('Super Admin') ? true : null; }); } ``` This makes `$user->can()` and `@can` always return true for Super Admins. Must return `null` (not `false`) to allow normal checks for other users. ## Policies Use `$user->can()` inside policy methods to check permissions: ```php class PostPolicy { public function update(User $user, Post $post): bool { if ($user->can('edit all posts')) { return true; } return $user->can('edit own posts') && $user->id === $post->user_id; } } ``` ## Enums ```php enum RolesEnum: string { case WRITER = 'writer'; case EDITOR = 'editor'; } enum PermissionsEnum: string { case EDIT_POSTS = 'edit posts'; case DELETE_POSTS = 'delete posts'; } // Creation requires ->value Permission::findOrCreate(PermissionsEnum::EDIT_POSTS->value, 'web'); // Most methods accept enums directly $user->assignRole(RolesEnum::WRITER); $user->hasRole(RolesEnum::WRITER); $role->givePermissionTo(PermissionsEnum::EDIT_POSTS); $user->hasPermissionTo(PermissionsEnum::EDIT_POSTS); ``` ## Seeding Always flush the permission cache when seeding: ```php class RolesAndPermissionsSeeder extends Seeder { public function run(): void { // Reset cache app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions(); // Create permissions Permission::findOrCreate('edit articles', 'web'); Permission::findOrCreate('delete articles', 'web'); // Create roles and assign permissions Role::findOrCreate('writer', 'web') ->givePermissionTo(['edit articles']); Role::findOrCreate('admin', 'web') ->givePermissionTo(Permission::all()); } } ``` ## Teams (Multi-Tenancy) Enable in `config/permission.php` before running migrations: ```php 'teams' => true, ``` Set the active team in middleware: ```php setPermissionsTeamId($teamId); ``` When switching teams, unset cached relations: ```php $user->unsetRelation('roles')->unsetRelation('permissions'); ``` ## Events Enable in `config/permission.php`: ```php 'events_enabled' => true, ``` Available events: `RoleAttachedEvent`, `RoleDetachedEvent`, `PermissionAttachedEvent`, `PermissionDetachedEvent` in the `Spatie\Permission\Events` namespace. ## Performance - Permissions are cached automatically. The cache is flushed when roles/permissions change via package methods. - After direct DB operations, flush manually: `app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions()` - For bulk seeding, use `Permission::insert()` for speed, but flush the cache afterward. ================================================ FILE: src/Commands/AssignRoleCommand.php ================================================ argument('name'); $userId = $this->argument('userId'); $guardName = $this->argument('guard'); $userModelClass = $this->argument('userModelNamespace'); if (! $permissionRegistrar->teams && $this->option('team-id')) { $this->warn('Teams feature disabled, argument --team-id has no effect. Either enable it in permissions config file or remove --team-id parameter'); return self::SUCCESS; } // Validate that the model class exists and is instantiable if (! class_exists($userModelClass)) { $this->error("User model class [{$userModelClass}] does not exist."); return self::FAILURE; } $user = (new $userModelClass)::find($userId); if (! $user) { $this->error("User with ID {$userId} not found."); return self::FAILURE; } $teamIdAux = getPermissionsTeamId(); setPermissionsTeamId($this->option('team-id') ?: null); /** @var \Spatie\Permission\Contracts\Role $roleClass */ $roleClass = app(RoleContract::class); $role = $roleClass::findOrCreate($roleName, $guardName); $user->assignRole($role); setPermissionsTeamId($teamIdAux); $this->info("Role `{$role->name}` assigned to user ID {$userId} successfully."); return self::SUCCESS; } } ================================================ FILE: src/Commands/CacheResetCommand.php ================================================ getCacheRepository()->has($permissionRegistrar->cacheKey); if ($permissionRegistrar->forgetCachedPermissions()) { $this->info('Permission cache flushed.'); } elseif ($cacheExists) { $this->error('Unable to flush cache.'); } return self::SUCCESS; } } ================================================ FILE: src/Commands/CreatePermissionCommand.php ================================================ argument('name'), $this->argument('guard')); $this->info("Permission `{$permission->name}` ".($permission->wasRecentlyCreated ? 'created' : 'already exists')); return self::SUCCESS; } } ================================================ FILE: src/Commands/CreateRoleCommand.php ================================================ option('team-id') ?: null); if (! $permissionRegistrar->teams && $this->option('team-id')) { $this->warn('Teams feature disabled, argument --team-id has no effect. Either enable it in permissions config file or remove --team-id parameter'); return self::SUCCESS; } $role = $roleClass::findOrCreate($this->argument('name'), $this->argument('guard')); setPermissionsTeamId($teamIdAux); $teams_key = $permissionRegistrar->teamsKey; if ($permissionRegistrar->teams && $this->option('team-id') && is_null($role->$teams_key)) { $this->warn("Role `{$role->name}` already exists on the global team; argument --team-id has no effect"); } $role->givePermissionTo($this->makePermissions($this->argument('permissions'))); $this->info("Role `{$role->name}` ".($role->wasRecentlyCreated ? 'created' : 'updated')); return self::SUCCESS; } protected function makePermissions(?string $string = null): ?Collection { if (empty($string)) { return null; } $permissionClass = app(PermissionContract::class); $permissions = explode('|', $string); $models = []; foreach ($permissions as $permission) { $models[] = $permissionClass::findOrCreate(trim($permission), $this->argument('guard')); } return collect($models); } } ================================================ FILE: src/Commands/ShowCommand.php ================================================ argument('style') ?? 'default'; $guard = $this->argument('guard'); if ($guard) { $guards = Collection::make([$guard]); } else { $guards = $permissionClass::pluck('guard_name')->merge($roleClass::pluck('guard_name'))->unique(); } foreach ($guards as $guard) { $this->info("Guard: $guard"); $roles = $roleClass::whereGuardName($guard) ->with('permissions') ->when($teamsEnabled, fn ($q) => $q->orderBy($team_key)) ->orderBy('name')->get()->mapWithKeys(fn ($role) => [ $role->name.'_'.($teamsEnabled ? ($role->$team_key ?: '') : '') => [ 'permissions' => $role->permissions->pluck($permissionClass->getKeyName()), $team_key => $teamsEnabled ? $role->$team_key : null, ], ]); $permissions = $permissionClass::whereGuardName($guard)->orderBy('name')->pluck('name', $permissionClass->getKeyName()); $body = $permissions->map(fn ($permission, $id) => $roles->map( fn (array $role_data) => $role_data['permissions']->contains($id) ? ' ✔' : ' ·' )->prepend($permission) ); if ($teamsEnabled) { $teams = $roles->groupBy($team_key)->values()->map( fn ($group, $id) => new TableCell('Team ID: '.($id ?: 'NULL'), ['colspan' => $group->count()]) ); } $this->table( array_merge( isset($teams) ? $teams->prepend(new TableCell(''))->toArray() : [], $roles->keys()->map(function ($val) { $name = explode('_', $val); array_pop($name); return implode('_', $name); }) ->prepend(new TableCell(''))->toArray(), ), $body->toArray(), $style ); } return self::SUCCESS; } } ================================================ FILE: src/Commands/UpgradeForTeamsCommand.php ================================================ error('Teams feature is disabled in your permission.php file.'); $this->warn('Please enable the teams setting in your configuration.'); return self::FAILURE; } $this->line(''); $this->info('The teams feature setup is going to add a migration and a model'); $existingMigrations = $this->alreadyExistingMigrations(); if ($existingMigrations) { $this->line(''); $this->warn($this->getExistingMigrationsWarning($existingMigrations)); } $this->line(''); if (! $this->confirm('Proceed with the migration creation?', true)) { return self::SUCCESS; } $this->line(''); $this->line('Creating migration'); if ($this->createMigration()) { $this->info('Migration created successfully.'); } else { $this->error( "Couldn't create migration.\n". 'Check the write permissions within the database/migrations directory.' ); } $this->line(''); return self::SUCCESS; } protected function createMigration(): bool { try { $migrationStub = __DIR__."/../../database/migrations/{$this->migrationSuffix}.stub"; copy($migrationStub, $this->getMigrationPath()); return true; } catch (\Throwable $e) { $this->error($e->getMessage()); return false; } } protected function getExistingMigrationsWarning(array $existingMigrations): string { if (count($existingMigrations) > 1) { $base = "Setup teams migrations already exist.\nFollowing files were found: "; } else { $base = "Setup teams migration already exists.\nFollowing file was found: "; } return $base.array_reduce($existingMigrations, fn ($carry, $fileName) => $carry."\n - ".$fileName); } protected function alreadyExistingMigrations(): array { $matchingFiles = glob($this->getMigrationPath('*')); return array_map(fn ($path) => basename($path), $matchingFiles); } protected function getMigrationPath(?string $date = null): string { $date = $date ?: now()->format('Y_m_d_His'); return database_path("migrations/{$date}_{$this->migrationSuffix}"); } } ================================================ FILE: src/Contracts/Permission.php ================================================ getKey(); } $this->teamId = $id; } public function getPermissionsTeamId(): int|string|null { return $this->teamId; } } ================================================ FILE: src/Events/PermissionAttachedEvent.php ================================================ $expectedGuards->implode(', '), 'given' => $givenGuard, ])); } } ================================================ FILE: src/Exceptions/PermissionAlreadyExists.php ================================================ $permissionName, 'guard' => $guardName, ])); } } ================================================ FILE: src/Exceptions/PermissionDoesNotExist.php ================================================ $permissionName, 'guard' => $guardName, ])); } public static function withId(int|string $permissionId, ?string $guardName): static { return new static(__('There is no [permission] with ID `:id` for guard `:guard`.', [ 'id' => $permissionId, 'guard' => $guardName, ])); } } ================================================ FILE: src/Exceptions/RoleAlreadyExists.php ================================================ $roleName, 'guard' => $guardName, ])); } } ================================================ FILE: src/Exceptions/RoleDoesNotExist.php ================================================ $roleName, 'guard' => $guardName, ])); } public static function withId(int|string $roleId, ?string $guardName): static { return new static(__('There is no role with ID `:id` for guard `:guard`.', [ 'id' => $roleId, 'guard' => $guardName, ])); } } ================================================ FILE: src/Exceptions/UnauthorizedException.php ================================================ implode(', ', $roles)]); } $exception = new static(403, $message, null, []); $exception->requiredRoles = $roles; return $exception; } public static function forPermissions(array $permissions): static { $message = __('User does not have the right permissions.'); if (config('permission.display_permission_in_exception')) { $message .= ' '.__('Necessary permissions are :permissions', ['permissions' => implode(', ', $permissions)]); } $exception = new static(403, $message, null, []); $exception->requiredPermissions = $permissions; return $exception; } public static function forRolesOrPermissions(array $rolesOrPermissions): static { $message = __('User does not have any of the necessary access rights.'); if (config('permission.display_permission_in_exception') && config('permission.display_role_in_exception')) { $message .= ' '.__('Necessary roles or permissions are :values', ['values' => implode(', ', $rolesOrPermissions)]); } $exception = new static(403, $message, null, []); $exception->requiredPermissions = $rolesOrPermissions; return $exception; } public static function missingTraitHasRoles(Authorizable $user): static { return new static(403, __('Authorizable class `:class` must use Spatie\\Permission\\Traits\\HasRoles trait.', [ 'class' => $user::class, ]), null, []); } public static function notLoggedIn(): static { return new static(403, __('User is not logged in.'), null, []); } public function getRequiredRoles(): array { return $this->requiredRoles; } public function getRequiredPermissions(): array { return $this->requiredPermissions; } } ================================================ FILE: src/Exceptions/WildcardPermissionInvalidArgument.php ================================================ $permission, ])); } } ================================================ FILE: src/Guard.php ================================================ guardName(); } else { $guardName = $model->getAttributeValue('guard_name'); } } if (! isset($guardName)) { $guardName = (new ReflectionClass($class))->getDefaultProperties()['guard_name'] ?? null; } if ($guardName) { return collect($guardName); } return self::getConfigAuthGuards($class); } /** * Get the model class associated with a given provider. */ protected static function getProviderModel(string $provider): ?string { // Get the provider configuration $providerConfig = config("auth.providers.{$provider}"); // Handle LDAP provider or standard Eloquent provider if (isset($providerConfig['driver']) && $providerConfig['driver'] === 'ldap') { return $providerConfig['database']['model'] ?? null; } return $providerConfig['model'] ?? null; } /** * Get list of relevant guards for the $class model based on config(auth) settings. * * Lookup flow: * - get names of models for guards defined in auth.guards where a provider is set * - filter for provider models matching the model $class being checked * - keys() gives just the names of the matched guards * - return collection of guard names */ protected static function getConfigAuthGuards(string $class): Collection { return collect(config('auth.guards')) ->map(function ($guard) { if (! isset($guard['provider'])) { return null; } return static::getProviderModel($guard['provider']); }) ->filter(fn ($model) => $class === $model) ->keys(); } /** * Get the model associated with a given guard name. */ public static function getModelForGuard(string $guard): ?string { // Get the provider configuration for the given guard $provider = config("auth.guards.{$guard}.provider"); if (! $provider) { return null; } return static::getProviderModel($provider); } /** * Lookup a guard name relevant for the $class model and the current user. * * @param string|Model $class model class object or name */ public static function getDefaultName(string|Model $class): string { $default = config('auth.defaults.guard'); $possible_guards = static::getNames($class); // return current-detected auth.defaults.guard if it matches one of those that have been checked if ($possible_guards->contains($default)) { return $default; } return $possible_guards->first() ?: $default; } /** * Lookup a passport guard */ public static function getPassportClient(?string $guard): ?Authorizable { $guards = collect(config('auth.guards'))->where('driver', 'passport'); if (! $guards->count()) { return null; } $authGuard = Auth::guard($guards->keys()[0]); if (! method_exists($authGuard, 'client')) { return null; } $client = $authGuard->client(); if (! $guard || ! $client) { return $client; } if (self::getNames($client)->contains($guard)) { return $client; } return null; } } ================================================ FILE: src/Middleware/PermissionMiddleware.php ================================================ user(); // For machine-to-machine Passport clients if (! $user && $request->bearerToken() && config('permission.use_passport_client_credentials')) { $user = Guard::getPassportClient($guard); } if (! $user) { throw UnauthorizedException::notLoggedIn(); } if (! method_exists($user, 'hasAnyPermission')) { throw UnauthorizedException::missingTraitHasRoles($user); } $permissions = explode('|', self::parsePermissionsToString($permission)); if (! $user->canAny($permissions)) { throw UnauthorizedException::forPermissions($permissions); } return $next($request); } /** * Specify the permission and guard for the middleware. */ public static function using(array|string|BackedEnum $permission, ?string $guard = null): string { $permissionString = self::parsePermissionsToString(enum_value($permission)); $args = is_null($guard) ? $permissionString : "$permissionString,$guard"; return static::class.':'.$args; } protected static function parsePermissionsToString(array|string|BackedEnum $permission): string { $permission = enum_value($permission); if (is_array($permission)) { return implode('|', array_map(fn ($r) => enum_value($r), $permission)); } return (string) $permission; } } ================================================ FILE: src/Middleware/RoleMiddleware.php ================================================ user(); // For machine-to-machine Passport clients if (! $user && $request->bearerToken() && config('permission.use_passport_client_credentials')) { $user = Guard::getPassportClient($guard); } if (! $user) { throw UnauthorizedException::notLoggedIn(); } if (! method_exists($user, 'hasAnyRole')) { throw UnauthorizedException::missingTraitHasRoles($user); } $roles = explode('|', self::parseRolesToString($role)); if (! $user->hasAnyRole($roles)) { throw UnauthorizedException::forRoles($roles); } return $next($request); } /** * Specify the role and guard for the middleware. */ public static function using(array|string|BackedEnum $role, ?string $guard = null): string { $roleString = self::parseRolesToString($role); $args = is_null($guard) ? $roleString : "$roleString,$guard"; return static::class.':'.$args; } protected static function parseRolesToString(array|string|BackedEnum $role): string { $role = enum_value($role); if (is_array($role)) { return implode('|', array_map(fn ($r) => enum_value($r), $role)); } return (string) $role; } } ================================================ FILE: src/Middleware/RoleOrPermissionMiddleware.php ================================================ user(); // For machine-to-machine Passport clients if (! $user && $request->bearerToken() && config('permission.use_passport_client_credentials')) { $user = Guard::getPassportClient($guard); } if (! $user) { throw UnauthorizedException::notLoggedIn(); } if (! method_exists($user, 'hasAnyRole') || ! method_exists($user, 'hasAnyPermission')) { throw UnauthorizedException::missingTraitHasRoles($user); } $rolesOrPermissions = explode('|', self::parseRoleOrPermissionToString($roleOrPermission)); if (! $user->canAny($rolesOrPermissions) && ! $user->hasAnyRole($rolesOrPermissions)) { throw UnauthorizedException::forRolesOrPermissions($rolesOrPermissions); } return $next($request); } /** * Specify the role or permission and guard for the middleware. */ public static function using(array|string|BackedEnum $roleOrPermission, ?string $guard = null): string { $roleOrPermissionString = self::parseRoleOrPermissionToString($roleOrPermission); $args = is_null($guard) ? $roleOrPermissionString : "$roleOrPermissionString,$guard"; return static::class.':'.$args; } protected static function parseRoleOrPermissionToString(array|string|BackedEnum $roleOrPermission): string { $roleOrPermission = enum_value($roleOrPermission); if (is_array($roleOrPermission)) { return implode('|', array_map(fn ($r) => enum_value($r), $roleOrPermission)); } return (string) $roleOrPermission; } } ================================================ FILE: src/Models/Permission.php ================================================ $roles * @property-read \Illuminate\Database\Eloquent\Collection $users */ class Permission extends Model implements PermissionContract { use HasRoles; use RefreshesPermissionCache; protected $guarded = []; public function __construct(array $attributes = []) { $attributes['guard_name'] ??= Guard::getDefaultName(static::class); parent::__construct($attributes); $this->guarded[] = $this->primaryKey; $this->table = config('permission.table_names.permissions') ?: parent::getTable(); } /** * @return PermissionContract|Permission * * @throws PermissionAlreadyExists */ public static function create(array $attributes = []) { $attributes['guard_name'] ??= Guard::getDefaultName(static::class); $permission = static::getPermission(['name' => $attributes['name'], 'guard_name' => $attributes['guard_name']]); if ($permission) { throw PermissionAlreadyExists::create($attributes['name'], $attributes['guard_name']); } return static::query()->create($attributes); } /** * A permission can be applied to roles. */ public function roles(): BelongsToMany { $registrar = app(PermissionRegistrar::class); return $this->belongsToMany( config('permission.models.role'), config('permission.table_names.role_has_permissions'), $registrar->pivotPermission, $registrar->pivotRole ); } /** * A permission belongs to some users of the model associated with its guard. */ public function users(): BelongsToMany { return $this->morphedByMany( getModelForGuard($this->attributes['guard_name'] ?? config('auth.defaults.guard')), 'model', config('permission.table_names.model_has_permissions'), app(PermissionRegistrar::class)->pivotPermission, config('permission.column_names.model_morph_key') ); } /** * Find a permission by its name (and optionally guardName). * * @return PermissionContract|Permission * * @throws PermissionDoesNotExist */ public static function findByName(string $name, ?string $guardName = null): PermissionContract { $guardName ??= Guard::getDefaultName(static::class); $permission = static::getPermission(['name' => $name, 'guard_name' => $guardName]); if (! $permission) { throw PermissionDoesNotExist::create($name, $guardName); } return $permission; } /** * Find a permission by its id (and optionally guardName). * * @return PermissionContract|Permission * * @throws PermissionDoesNotExist */ public static function findById(int|string $id, ?string $guardName = null): PermissionContract { $guardName ??= Guard::getDefaultName(static::class); $permission = static::getPermission([(new static)->getKeyName() => $id, 'guard_name' => $guardName]); if (! $permission) { throw PermissionDoesNotExist::withId($id, $guardName); } return $permission; } /** * Find or create permission by its name (and optionally guardName). * * @return PermissionContract|Permission */ public static function findOrCreate(string $name, ?string $guardName = null): PermissionContract { $guardName ??= Guard::getDefaultName(static::class); $permission = static::getPermission(['name' => $name, 'guard_name' => $guardName]); if (! $permission) { return static::query()->create(['name' => $name, 'guard_name' => $guardName]); } return $permission; } /** * Get the current cached permissions. */ protected static function getPermissions(array $params = [], bool $onlyOne = false): Collection { return app(PermissionRegistrar::class) ->setPermissionClass(static::class) ->getPermissions($params, $onlyOne); } /** * Get the current cached first permission. * * @return PermissionContract|Permission|null */ protected static function getPermission(array $params = []): ?PermissionContract { /** @var PermissionContract|null */ return static::getPermissions($params, true)->first(); } } ================================================ FILE: src/Models/Role.php ================================================ $permissions * @property-read \Illuminate\Database\Eloquent\Collection $users */ class Role extends Model implements RoleContract { use HasPermissions; use RefreshesPermissionCache; protected $guarded = []; public function __construct(array $attributes = []) { $attributes['guard_name'] ??= Guard::getDefaultName(static::class); parent::__construct($attributes); $this->guarded[] = $this->primaryKey; $this->table = config('permission.table_names.roles') ?: parent::getTable(); } /** * @return RoleContract|Role * * @throws RoleAlreadyExists */ public static function create(array $attributes = []) { $attributes['guard_name'] ??= Guard::getDefaultName(static::class); $params = ['name' => $attributes['name'], 'guard_name' => $attributes['guard_name']]; $registrar = app(PermissionRegistrar::class); if ($registrar->teams) { $teamsKey = $registrar->teamsKey; if (array_key_exists($teamsKey, $attributes)) { $params[$teamsKey] = $attributes[$teamsKey]; } else { $attributes[$teamsKey] = getPermissionsTeamId(); } } if (static::findByParam($params)) { throw RoleAlreadyExists::create($attributes['name'], $attributes['guard_name']); } return static::query()->create($attributes); } /** * A role may be given various permissions. */ public function permissions(): BelongsToMany { $registrar = app(PermissionRegistrar::class); return $this->belongsToMany( config('permission.models.permission'), config('permission.table_names.role_has_permissions'), $registrar->pivotRole, $registrar->pivotPermission ); } /** * A role belongs to some users of the model associated with its guard. */ public function users(): BelongsToMany { return $this->morphedByMany( getModelForGuard($this->attributes['guard_name'] ?? config('auth.defaults.guard')), 'model', config('permission.table_names.model_has_roles'), app(PermissionRegistrar::class)->pivotRole, config('permission.column_names.model_morph_key') ); } /** * Find a role by its name and guard name. * * @return RoleContract|Role * * @throws RoleDoesNotExist */ public static function findByName(string $name, ?string $guardName = null): RoleContract { $guardName ??= Guard::getDefaultName(static::class); $role = static::findByParam(['name' => $name, 'guard_name' => $guardName]); if (! $role) { throw RoleDoesNotExist::named($name, $guardName); } return $role; } /** * Find a role by its id (and optionally guardName). * * @return RoleContract|Role */ public static function findById(int|string $id, ?string $guardName = null): RoleContract { $guardName ??= Guard::getDefaultName(static::class); $role = static::findByParam([(new static)->getKeyName() => $id, 'guard_name' => $guardName]); if (! $role) { throw RoleDoesNotExist::withId($id, $guardName); } return $role; } /** * Find or create role by its name (and optionally guardName). * * @return RoleContract|Role */ public static function findOrCreate(string $name, ?string $guardName = null): RoleContract { $guardName ??= Guard::getDefaultName(static::class); $attributes = ['name' => $name, 'guard_name' => $guardName]; $role = static::findByParam($attributes); if (! $role) { $registrar = app(PermissionRegistrar::class); if ($registrar->teams) { $teamsKey = $registrar->teamsKey; $attributes[$teamsKey] = getPermissionsTeamId(); } return static::query()->create($attributes); } return $role; } /** * Finds a role based on an array of parameters. * * @return RoleContract|Role|null */ protected static function findByParam(array $params = []): ?RoleContract { $query = static::query(); $registrar = app(PermissionRegistrar::class); if ($registrar->teams) { $teamsKey = $registrar->teamsKey; $query->where(fn ($q) => $q->whereNull($teamsKey) ->orWhere($teamsKey, $params[$teamsKey] ?? getPermissionsTeamId()) ); unset($params[$teamsKey]); } foreach ($params as $key => $value) { $query->where($key, $value); } return $query->first(); } /** * Determine if the role may perform the given permission. * * @param string|int|\Spatie\Permission\Contracts\Permission|BackedEnum $permission * * @throws PermissionDoesNotExist|GuardDoesNotMatch */ public function hasPermissionTo($permission, ?string $guardName = null): bool { if ($this->getWildcardClass()) { return $this->hasWildcardPermission($permission, $guardName); } $permission = $this->filterPermission($permission, $guardName); if (! $this->getGuardNames()->contains($permission->guard_name)) { throw GuardDoesNotMatch::create($permission->guard_name, $guardName ? collect([$guardName]) : $this->getGuardNames()); } return $this->loadMissing('permissions')->permissions ->contains($permission->getKeyName(), $permission->getKey()); } } ================================================ FILE: src/PermissionRegistrar.php ================================================ permissionClass = config('permission.models.permission'); $this->roleClass = config('permission.models.role'); $this->teamResolver = new (config('permission.team_resolver', DefaultTeamResolver::class)); $this->cacheManager = $cacheManager; $this->initializeCache(); } public function initializeCache(): void { $this->cacheExpirationTime = config('permission.cache.expiration_time') ?: DateInterval::createFromDateString('24 hours'); $this->teams = config('permission.teams', false); $this->teamsKey = config('permission.column_names.team_foreign_key', 'team_id'); $this->cacheKey = config('permission.cache.key'); $this->pivotRole = config('permission.column_names.role_pivot_key') ?: 'role_id'; $this->pivotPermission = config('permission.column_names.permission_pivot_key') ?: 'permission_id'; $this->cache = $this->getCacheStoreFromConfig(); } protected function getCacheStoreFromConfig(): Repository { // the 'default' fallback here is from the permission.php config file, // where 'default' means to use config(cache.default) $cacheDriver = config('permission.cache.store', 'default'); // when 'default' is specified, no action is required since we already have the default instance if ($cacheDriver === 'default') { return $this->cacheManager->store(); } // if an undefined cache store is specified, fallback to 'array' which is Laravel's closest equiv to 'none' if (! array_key_exists($cacheDriver, config('cache.stores'))) { $cacheDriver = 'array'; } return $this->cacheManager->store($cacheDriver); } public function setPermissionsTeamId(int|string|Model|null $id): void { $this->teamResolver->setPermissionsTeamId($id); } public function getPermissionsTeamId(): int|string|null { return $this->teamResolver->getPermissionsTeamId(); } /** * Register the permission check method on the gate. * We resolve the Gate fresh here, for benefit of long-running instances. */ public function registerPermissions(Gate $gate): bool { $gate->before(function (Authorizable $user, string $ability, array &$args = []) { if (is_string($args[0] ?? null) && ! class_exists($args[0])) { $guard = array_shift($args); } if (method_exists($user, 'checkPermissionTo')) { return $user->checkPermissionTo($ability, $guard ?? null) ?: null; } }); return true; } /** * Flush the cache. */ public function forgetCachedPermissions(): bool { $this->permissions = null; $this->forgetWildcardPermissionIndex(); return $this->cache->forget($this->cacheKey); } public function forgetWildcardPermissionIndex(?Model $record = null): void { if ($record) { unset($this->wildcardPermissionsIndex[$record::class][$record->getKey()]); return; } $this->wildcardPermissionsIndex = []; } public function getWildcardPermissionIndex(Model $record): array { if (isset($this->wildcardPermissionsIndex[$record::class][$record->getKey()])) { return $this->wildcardPermissionsIndex[$record::class][$record->getKey()]; } return $this->wildcardPermissionsIndex[$record::class][$record->getKey()] = app($record->getWildcardClass(), ['record' => $record])->getIndex(); } /** * Clear already-loaded permissions collection. * This is only intended to be called by the PermissionServiceProvider on boot, * so that long-running instances like Octane or Swoole don't keep old data in memory. */ public function clearPermissionsCollection(): void { $this->permissions = null; $this->wildcardPermissionsIndex = []; $this->isLoadingPermissions = false; } /** * Load permissions from cache * And turns permissions array into a \Illuminate\Database\Eloquent\Collection * * Thread-safe implementation to prevent race conditions in concurrent environments * (e.g., Laravel Octane, Swoole, parallel requests) */ private function loadPermissions(int $retries = 0): void { // First check (without lock) - fast path for already loaded permissions if ($this->permissions) { return; } // Prevent concurrent loading using a flag-based lock // This protects against cache stampede and duplicate database queries if ($this->isLoadingPermissions && $retries < 10) { // Another thread is loading, wait and retry usleep(10000); // Wait 10ms $retries++; // After wait, recursively check again if permissions were loaded $this->loadPermissions($retries); return; } // Set loading flag to prevent concurrent loads $this->isLoadingPermissions = true; try { $this->permissions = $this->cache->remember( $this->cacheKey, $this->cacheExpirationTime, fn () => $this->getSerializedPermissionsForCache() ); $this->alias = $this->permissions['alias']; $this->hydrateRolesCache(); $this->permissions = $this->getHydratedPermissionCollection(); $this->cachedRoles = $this->alias = $this->except = []; } finally { // Always release the loading flag, even if an exception occurs $this->isLoadingPermissions = false; } } /** * Get the permissions based on the passed params. */ public function getPermissions(array $params = [], bool $onlyOne = false): Collection { $this->loadPermissions(); $method = $onlyOne ? 'first' : 'filter'; $permissions = $this->permissions->$method(static function ($permission) use ($params) { return array_all($params, fn ($value, $attr) => $permission->getAttribute($attr) == $value); }); if ($onlyOne) { $permissions = new Collection($permissions ? [$permissions] : []); } return $permissions; } public function getPermissionClass(): string { return $this->permissionClass; } public function setPermissionClass(string $permissionClass): static { $this->permissionClass = $permissionClass; config()->set('permission.models.permission', $permissionClass); app()->bind(Permission::class, $permissionClass); return $this; } public function getRoleClass(): string { return $this->roleClass; } public function setRoleClass(string $roleClass): static { $this->roleClass = $roleClass; config()->set('permission.models.role', $roleClass); app()->bind(Role::class, $roleClass); return $this; } public function getCacheRepository(): Repository { return $this->cache; } public function getCacheStore(): Store { return $this->cache->getStore(); } protected function getPermissionsWithRoles(): Collection { return $this->permissionClass::select()->with('roles')->get(); } /** * Changes array keys with alias */ private function aliasedArray(array|Model $model): array { return collect(is_array($model) ? $model : $model->getAttributes())->except($this->except) ->keyBy(fn ($value, $key) => $this->alias[$key] ?? $key) ->all(); } /** * Array for cache alias */ private function aliasModelFields(Model $newKeys): void { $i = 0; $alphas = ! count($this->alias) ? range('a', 'h') : range('j', 'p'); foreach (array_keys($newKeys->getAttributes()) as $value) { if (! isset($this->alias[$value])) { $this->alias[$value] = $alphas[$i++] ?? $value; } } $this->alias = array_diff_key($this->alias, array_flip($this->except)); } /* * Make the cache smaller using an array with only required fields */ private function getSerializedPermissionsForCache(): array { $this->except = config('permission.cache.column_names_except', ['created_at', 'updated_at', 'deleted_at']); $permissions = $this->getPermissionsWithRoles() ->map(function ($permission) { if (! $this->alias) { $this->aliasModelFields($permission); } return $this->aliasedArray($permission) + $this->getSerializedRoleRelation($permission); })->all(); $roles = array_values($this->cachedRoles); $this->cachedRoles = []; return ['alias' => array_flip($this->alias)] + compact('permissions', 'roles'); } private function getSerializedRoleRelation(Model $permission): array { if (! $permission->roles->count()) { return []; } if (! isset($this->alias['roles'])) { $this->alias['roles'] = 'r'; $this->aliasModelFields($permission->roles[0]); } return [ 'r' => $permission->roles->map(function ($role) { if (! isset($this->cachedRoles[$role->getKey()])) { $this->cachedRoles[$role->getKey()] = $this->aliasedArray($role); } return $role->getKey(); })->all(), ]; } private function getHydratedPermissionCollection(): Collection { $permissionInstance = (new ($this->getPermissionClass())())->newInstance([], true); return Collection::make(array_map( fn ($item) => (clone $permissionInstance) ->setRawAttributes($this->aliasedArray(array_diff_key($item, ['r' => 0])), true) ->setRelation('roles', $this->getHydratedRoleCollection($item['r'] ?? [])), $this->permissions['permissions'] )); } private function getHydratedRoleCollection(array $roles): Collection { return Collection::make(array_values( array_intersect_key($this->cachedRoles, array_flip($roles)) )); } private function hydrateRolesCache(): void { $roleInstance = (new ($this->getRoleClass())())->newInstance([], true); array_map(function ($item) use ($roleInstance) { $role = (clone $roleInstance) ->setRawAttributes($this->aliasedArray($item), true); $this->cachedRoles[$role->getKey()] = $role; }, $this->permissions['roles']); $this->permissions['roles'] = []; } public static function isUid(mixed $value): bool { if (! is_string($value) || empty(trim($value))) { return false; } // check if is UUID/GUID $uid = preg_match('/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iD', $value) > 0; if ($uid) { return true; } // check if is ULID $ulid = strlen($value) === 26 && strspn($value, '0123456789ABCDEFGHJKMNPQRSTVWXYZabcdefghjkmnpqrstvwxyz') === 26 && $value[0] <= '7'; if ($ulid) { return true; } return false; } } ================================================ FILE: src/PermissionServiceProvider.php ================================================ name('laravel-permission') ->hasConfigFile('permission') ->hasMigrations(['create_permission_tables']) ->hasCommands([ Commands\CacheResetCommand::class, Commands\CreateRoleCommand::class, Commands\CreatePermissionCommand::class, Commands\ShowCommand::class, Commands\UpgradeForTeamsCommand::class, Commands\AssignRoleCommand::class, ]); } public function registeringPackage(): void { $this->callAfterResolving('blade.compiler', fn (BladeCompiler $bladeCompiler) => $this->registerBladeExtensions($bladeCompiler)); } public function packageBooted(): void { $this->registerMacroHelpers(); $this->registerModelBindings(); $this->registerOctaneListener(); $this->callAfterResolving(Gate::class, function (Gate $gate, Application $app) { if ($this->app['config']->get('permission.register_permission_check_method')) { $permissionLoader = $app->get(PermissionRegistrar::class); $permissionLoader->clearPermissionsCollection(); $permissionLoader->registerPermissions($gate); } }); $this->app->singleton(PermissionRegistrar::class); $this->registerAbout(); } public static function bladeMethodWrapper(string $method, mixed $role, ?string $guard = null): bool { return auth($guard)->check() && auth($guard)->user()->{$method}($role); } protected function registerBladeExtensions(BladeCompiler $bladeCompiler): void { $bladeMethodWrapper = '\\Spatie\\Permission\\PermissionServiceProvider::bladeMethodWrapper'; // permission checks $bladeCompiler->if('haspermission', fn () => $bladeMethodWrapper('checkPermissionTo', ...func_get_args())); // role checks $bladeCompiler->if('role', fn () => $bladeMethodWrapper('hasRole', ...func_get_args())); $bladeCompiler->if('hasrole', fn () => $bladeMethodWrapper('hasRole', ...func_get_args())); $bladeCompiler->if('hasanyrole', fn () => $bladeMethodWrapper('hasAnyRole', ...func_get_args())); $bladeCompiler->if('hasallroles', fn () => $bladeMethodWrapper('hasAllRoles', ...func_get_args())); $bladeCompiler->if('hasexactroles', fn () => $bladeMethodWrapper('hasExactRoles', ...func_get_args())); $bladeCompiler->directive('endunlessrole', fn () => ''); } protected function registerModelBindings(): void { $this->app->bind(PermissionContract::class, fn ($app) => $app->make($app->config['permission.models.permission'])); $this->app->bind(RoleContract::class, fn ($app) => $app->make($app->config['permission.models.role'])); } protected function registerMacroHelpers(): void { Route::macro('role', function ($roles = []) { $roles = Arr::wrap($roles); $roles = array_map(fn ($role) => enum_value($role), $roles); /** @var Route $this */ return $this->middleware('role:'.implode('|', $roles)); }); Route::macro('permission', function ($permissions = []) { $permissions = Arr::wrap($permissions); $permissions = array_map(fn ($permission) => enum_value($permission), $permissions); /** @var Route $this */ return $this->middleware('permission:'.implode('|', $permissions)); }); Route::macro('roleOrPermission', function ($rolesOrPermissions = []) { $rolesOrPermissions = Arr::wrap($rolesOrPermissions); $rolesOrPermissions = array_map(fn ($item) => enum_value($item), $rolesOrPermissions); /** @var Route $this */ return $this->middleware('role_or_permission:'.implode('|', $rolesOrPermissions)); }); } protected function registerOctaneListener(): void { if ($this->app->runningInConsole() || ! $this->app['config']->get('octane.listeners')) { return; } $dispatcher = $this->app[Dispatcher::class]; // @phpstan-ignore-next-line $dispatcher->listen(function (OperationTerminated $event) { // @phpstan-ignore-next-line $event->sandbox->make(PermissionRegistrar::class)->setPermissionsTeamId(null); }); if (! $this->app['config']->get('permission.register_octane_reset_listener')) { return; } // @phpstan-ignore-next-line $dispatcher->listen(function (OperationTerminated $event) { // @phpstan-ignore-next-line $event->sandbox->make(PermissionRegistrar::class)->clearPermissionsCollection(); }); } protected function registerAbout(): void { if (! class_exists(InstalledVersions::class) || ! class_exists(AboutCommand::class)) { return; } // array format: 'Display Text' => 'boolean-config-key name' $features = [ 'Teams' => 'teams', 'Wildcard-Permissions' => 'enable_wildcard_permission', 'Octane-Listener' => 'register_octane_reset_listener', 'Passport' => 'use_passport_client_credentials', ]; $config = $this->app['config']; AboutCommand::add('Spatie Permissions', static fn () => [ 'Features Enabled' => collect($features) ->filter(fn (string $feature, string $name): bool => $config->get("permission.{$feature}")) ->keys() ->whenEmpty(fn (Collection $collection) => $collection->push('Default')) ->join(', '), 'Version' => InstalledVersions::getPrettyVersion('spatie/laravel-permission'), ]); } } ================================================ FILE: src/Traits/HasPermissions.php ================================================ isForceDeleting()) { return; } $teams = app(PermissionRegistrar::class)->teams; app(PermissionRegistrar::class)->teams = false; if (! $model instanceof Permission) { $model->permissions()->detach(); } if ($model instanceof Role) { $model->users()->detach(); } app(PermissionRegistrar::class)->teams = $teams; }); } public function getPermissionClass(): string { if (! $this->permissionClass) { $this->permissionClass = app(PermissionRegistrar::class)->getPermissionClass(); } return $this->permissionClass; } public function getWildcardClass(): string { if (! is_null($this->wildcardClass)) { return $this->wildcardClass; } $this->wildcardClass = ''; if (config('permission.enable_wildcard_permission')) { $this->wildcardClass = config('permission.wildcard_permission', WildcardPermission::class); if (! is_subclass_of($this->wildcardClass, Wildcard::class)) { throw WildcardPermissionNotImplementsContract::create(); } } return $this->wildcardClass; } /** * A model may have multiple direct permissions. */ public function permissions(): BelongsToMany { $relation = $this->morphToMany( config('permission.models.permission'), 'model', config('permission.table_names.model_has_permissions'), config('permission.column_names.model_morph_key'), app(PermissionRegistrar::class)->pivotPermission ); if (! app(PermissionRegistrar::class)->teams) { return $relation; } $teamsKey = app(PermissionRegistrar::class)->teamsKey; $relation->withPivot($teamsKey); return $relation->wherePivot($teamsKey, getPermissionsTeamId()); } /** * Scope the model query to certain permissions only. * * @param string|int|array|Permission|Collection|BackedEnum $permissions */ public function scopePermission(Builder $query, $permissions, bool $without = false): Builder { $permissions = $this->convertToPermissionModels($permissions); $permissionKey = (new ($this->getPermissionClass())())->getKeyName(); $roleKey = (new ($this instanceof Role ? static::class : $this->getRoleClass())())->getKeyName(); $rolesWithPermissions = $this instanceof Role ? [] : array_unique( array_reduce($permissions, fn ($result, $permission) => array_merge($result, $permission->roles->all()), []) ); return $query->where(fn (Builder $query) => $query ->{! $without ? 'whereHas' : 'whereDoesntHave'}('permissions', fn (Builder $subQuery) => $subQuery ->whereIn(config('permission.table_names.permissions').".$permissionKey", array_column($permissions, $permissionKey)) ) ->when(count($rolesWithPermissions), fn ($whenQuery) => $whenQuery ->{! $without ? 'orWhereHas' : 'whereDoesntHave'}('roles', fn (Builder $subQuery) => $subQuery ->whereIn(config('permission.table_names.roles').".$roleKey", array_column($rolesWithPermissions, $roleKey)) ) ) ); } /** * Scope the model query to only those without certain permissions, * whether indirectly by role or by direct permission. * * @param string|int|array|Permission|Collection|BackedEnum $permissions */ public function scopeWithoutPermission(Builder $query, $permissions): Builder { return $this->scopePermission($query, $permissions, true); } /** * @param string|int|array|Permission|Collection|BackedEnum $permissions * * @throws PermissionDoesNotExist */ protected function convertToPermissionModels($permissions): array { if ($permissions instanceof Collection) { $permissions = $permissions->all(); } return array_map(function ($permission) { if ($permission instanceof Permission) { return $permission; } $permission = enum_value($permission); $method = is_int($permission) || PermissionRegistrar::isUid($permission) ? 'findById' : 'findByName'; return $this->getPermissionClass()::{$method}($permission, $this->getDefaultGuardName()); }, Arr::wrap($permissions)); } /** * Find a permission. * * @param string|int|Permission|BackedEnum $permission * * @throws PermissionDoesNotExist */ public function filterPermission($permission, ?string $guardName = null): Permission { $permission = enum_value($permission); if (is_int($permission) || PermissionRegistrar::isUid($permission)) { $permission = $this->getPermissionClass()::findById( $permission, $guardName ?? $this->getDefaultGuardName() ); } if (is_string($permission)) { $permission = $this->getPermissionClass()::findByName( $permission, $guardName ?? $this->getDefaultGuardName() ); } if (! $permission instanceof Permission) { throw new PermissionDoesNotExist; } return $permission; } /** * Determine if the model may perform the given permission. * * @param string|int|Permission|BackedEnum $permission * * @throws PermissionDoesNotExist */ public function hasPermissionTo($permission, ?string $guardName = null): bool { if ($this->getWildcardClass()) { return $this->hasWildcardPermission($permission, $guardName); } $permission = $this->filterPermission($permission, $guardName); return $this->hasDirectPermission($permission) || $this->hasPermissionViaRole($permission); } /** * Validates a wildcard permission against all permissions of a user. * * @param string|int|Permission|BackedEnum $permission */ protected function hasWildcardPermission($permission, ?string $guardName = null): bool { $guardName = $guardName ?? $this->getDefaultGuardName(); $permission = enum_value($permission); if (is_int($permission) || PermissionRegistrar::isUid($permission)) { $permission = $this->getPermissionClass()::findById($permission, $guardName); } if ($permission instanceof Permission) { $guardName = $permission->guard_name ?? $guardName; $permission = $permission->name; } if (! is_string($permission)) { throw WildcardPermissionInvalidArgument::create(); } return app($this->getWildcardClass(), ['record' => $this])->implies( $permission, $guardName, app(PermissionRegistrar::class)->getWildcardPermissionIndex($this), ); } /** * An alias to hasPermissionTo(), but avoids throwing an exception. * * @param string|int|Permission|BackedEnum $permission */ public function checkPermissionTo($permission, ?string $guardName = null): bool { try { return $this->hasPermissionTo($permission, $guardName); } catch (PermissionDoesNotExist $e) { return false; } } /** * Determine if the model has any of the given permissions. * * @param string|int|array|Permission|Collection|BackedEnum ...$permissions */ public function hasAnyPermission(...$permissions): bool { $permissions = collect($permissions)->flatten(); foreach ($permissions as $permission) { if ($this->checkPermissionTo($permission)) { return true; } } return false; } /** * Determine if the model has all of the given permissions. * * @param string|int|array|Permission|Collection|BackedEnum ...$permissions */ public function hasAllPermissions(...$permissions): bool { $permissions = collect($permissions)->flatten(); foreach ($permissions as $permission) { if (! $this->checkPermissionTo($permission)) { return false; } } return true; } /** * Determine if the model has, via roles, the given permission. */ protected function hasPermissionViaRole(Permission $permission): bool { if ($this instanceof Role) { return false; } return $this->hasRole($permission->roles); } /** * Determine if the model has the given permission. * * @param string|int|Permission|BackedEnum $permission * * @throws PermissionDoesNotExist */ public function hasDirectPermission($permission): bool { $permission = $this->filterPermission($permission); return $this->loadMissing('permissions')->permissions ->contains($permission->getKeyName(), $permission->getKey()); } /** * Return all the permissions the model has via roles. */ public function getPermissionsViaRoles(): Collection { if ($this instanceof Role || $this instanceof Permission) { return collect(); } return $this->loadMissing('roles', 'roles.permissions') ->roles->flatMap(fn ($role) => $role->permissions) ->sort()->values(); } /** * Return all the permissions the model has, both directly and via roles. */ public function getAllPermissions(): Collection { /** @var Collection $permissions */ $permissions = $this->permissions; if (! $this instanceof Permission) { $permissions = $permissions->merge($this->getPermissionsViaRoles()); } return $permissions->sort()->values(); } /** * Returns array of permissions ids * * @param string|int|array|Permission|Collection|BackedEnum $permissions */ private function collectPermissions(...$permissions): array { return collect($permissions) ->flatten() ->reduce(function ($array, $permission) { if ($permission === null || $permission === '') { return $array; } $permission = $this->getStoredPermission($permission); if (! $permission instanceof Permission) { return $array; } if (! in_array($permission->getKey(), $array)) { $this->ensureModelSharesGuard($permission); $array[] = $permission->getKey(); } return $array; }, []); } /** * Grant the given permission(s) to a role. * * @param string|int|array|Permission|Collection|BackedEnum $permissions * @return $this */ public function givePermissionTo(...$permissions): static { $permissions = $this->collectPermissions($permissions); $model = $this->getModel(); $teamPivot = app(PermissionRegistrar::class)->teams && ! $this instanceof Role ? [app(PermissionRegistrar::class)->teamsKey => getPermissionsTeamId()] : []; if ($model->exists) { $currentPermissions = $this->permissions->map(fn ($permission) => $permission->getKey())->toArray(); $this->permissions()->attach(array_diff($permissions, $currentPermissions), $teamPivot); $model->unsetRelation('permissions'); } else { $class = $model::class; $saved = false; $class::saved( function ($object) use ($permissions, $model, $teamPivot, &$saved) { if ($saved || $model->getKey() != $object->getKey()) { return; } $model->permissions()->attach($permissions, $teamPivot); $model->unsetRelation('permissions'); $saved = true; } ); } if ($this instanceof Role) { $this->forgetCachedPermissions(); } if (config('permission.events_enabled')) { event(new PermissionAttachedEvent($this->getModel(), $permissions)); } $this->forgetWildcardPermissionIndex(); return $this; } public function forgetWildcardPermissionIndex(): void { app(PermissionRegistrar::class)->forgetWildcardPermissionIndex( $this instanceof Role ? null : $this, ); } /** * Remove all current permissions and set the given ones. * * @param string|int|array|Permission|Collection|BackedEnum $permissions * @return $this */ public function syncPermissions(...$permissions): static { if ($this->getModel()->exists) { $this->collectPermissions($permissions); $this->permissions()->detach(); $this->setRelation('permissions', collect()); } return $this->givePermissionTo($permissions); } /** * Revoke the given permission(s). * * @param Permission|Permission[]|string|string[]|BackedEnum $permission * @return $this */ public function revokePermissionTo($permission): static { $storedPermission = $this->getStoredPermission($permission); $this->permissions()->detach($storedPermission); if ($this instanceof Role) { $this->forgetCachedPermissions(); } if (config('permission.events_enabled')) { event(new PermissionDetachedEvent($this->getModel(), $storedPermission)); } $this->forgetWildcardPermissionIndex(); $this->unsetRelation('permissions'); return $this; } public function getPermissionNames(): Collection { return $this->permissions->pluck('name'); } /** * @param string|int|array|Permission|Collection|BackedEnum $permissions * @return Permission|Permission[]|Collection */ protected function getStoredPermission($permissions) { $permissions = enum_value($permissions); if (is_int($permissions) || PermissionRegistrar::isUid($permissions)) { return $this->getPermissionClass()::findById($permissions, $this->getDefaultGuardName()); } if (is_string($permissions)) { return $this->getPermissionClass()::findByName($permissions, $this->getDefaultGuardName()); } if (is_array($permissions)) { $permissions = array_map(fn ($permission) => $permission instanceof Permission ? $permission->name : enum_value($permission), $permissions); return $this->getPermissionClass()::whereIn('name', $permissions) ->whereIn('guard_name', $this->getGuardNames()) ->get(); } return $permissions; } /** * @param Permission|Role $roleOrPermission * * @throws GuardDoesNotMatch */ protected function ensureModelSharesGuard($roleOrPermission): void { if (! $this->getGuardNames()->contains($roleOrPermission->guard_name)) { throw GuardDoesNotMatch::create($roleOrPermission->guard_name, $this->getGuardNames()); } } protected function getGuardNames(): Collection { return Guard::getNames($this); } protected function getDefaultGuardName(): string { return Guard::getDefaultName($this); } /** * Forget the cached permissions. */ public function forgetCachedPermissions(): void { app(PermissionRegistrar::class)->forgetCachedPermissions(); } /** * Check if the model has All of the requested Direct permissions. * * @param string|int|array|Permission|Collection|BackedEnum ...$permissions */ public function hasAllDirectPermissions(...$permissions): bool { $permissions = collect($permissions)->flatten(); foreach ($permissions as $permission) { if (! $this->hasDirectPermission($permission)) { return false; } } return true; } /** * Check if the model has Any of the requested Direct permissions. * * @param string|int|array|Permission|Collection|BackedEnum ...$permissions */ public function hasAnyDirectPermission(...$permissions): bool { $permissions = collect($permissions)->flatten(); foreach ($permissions as $permission) { if ($this->hasDirectPermission($permission)) { return true; } } return false; } } ================================================ FILE: src/Traits/HasRoles.php ================================================ isForceDeleting()) { return; } $teams = app(PermissionRegistrar::class)->teams; app(PermissionRegistrar::class)->teams = false; $model->roles()->detach(); if ($model instanceof Permission) { $model->users()->detach(); } app(PermissionRegistrar::class)->teams = $teams; }); } public function getRoleClass(): string { if (! $this->roleClass) { $this->roleClass = app(PermissionRegistrar::class)->getRoleClass(); } return $this->roleClass; } /** * A model may have multiple roles. */ public function roles(): BelongsToMany { $relation = $this->morphToMany( config('permission.models.role'), 'model', config('permission.table_names.model_has_roles'), config('permission.column_names.model_morph_key'), app(PermissionRegistrar::class)->pivotRole ); if (! app(PermissionRegistrar::class)->teams) { return $relation; } $teamsKey = app(PermissionRegistrar::class)->teamsKey; $relation->withPivot($teamsKey); $teamField = config('permission.table_names.roles').'.'.$teamsKey; return $relation->wherePivot($teamsKey, getPermissionsTeamId()) ->where(fn ($q) => $q->whereNull($teamField)->orWhere($teamField, getPermissionsTeamId())); } /** * Scope the model query to certain roles only. * * @param string|int|array|Role|Collection|BackedEnum $roles */ public function scopeRole(Builder $query, $roles, ?string $guard = null, bool $without = false): Builder { if ($roles instanceof Collection) { $roles = $roles->all(); } $roles = array_map(function ($role) use ($guard) { if ($role instanceof Role) { return $role; } $role = enum_value($role); $method = is_int($role) || PermissionRegistrar::isUid($role) ? 'findById' : 'findByName'; return $this->getRoleClass()::{$method}($role, $guard ?: $this->getDefaultGuardName()); }, Arr::wrap($roles)); $key = (new ($this->getRoleClass())())->getKeyName(); return $query->{! $without ? 'whereHas' : 'whereDoesntHave'}('roles', fn (Builder $subQuery) => $subQuery ->whereIn(config('permission.table_names.roles').".$key", array_column($roles, $key)) ); } /** * Scope the model query to only those without certain roles. * * @param string|int|array|Role|Collection|BackedEnum $roles */ public function scopeWithoutRole(Builder $query, $roles, ?string $guard = null): Builder { return $this->scopeRole($query, $roles, $guard, true); } /** * Returns array of role ids * * @param string|int|array|Role|Collection|BackedEnum $roles */ private function collectRoles(...$roles): array { return collect($roles) ->flatten() ->reduce(function ($array, $role) { if ($role === null || $role === '') { return $array; } $role = $this->getStoredRole($role); if (! in_array($role->getKey(), $array)) { $this->ensureModelSharesGuard($role); $array[] = $role->getKey(); } return $array; }, []); } /** * Assign the given role to the model. * * @param string|int|array|Role|Collection|BackedEnum ...$roles * @return $this */ public function assignRole(...$roles): static { $roles = $this->collectRoles($roles); $model = $this->getModel(); $teamPivot = app(PermissionRegistrar::class)->teams && ! $this instanceof Permission ? [app(PermissionRegistrar::class)->teamsKey => getPermissionsTeamId()] : []; if ($model->exists) { if (app(PermissionRegistrar::class)->teams) { // explicit reload in case team has been changed since last load $this->load('roles'); } $currentRoles = $this->roles->map(fn ($role) => $role->getKey())->toArray(); $this->roles()->attach(array_diff($roles, $currentRoles), $teamPivot); $model->unsetRelation('roles'); } else { $class = $model::class; $saved = false; $class::saved( function ($object) use ($roles, $model, $teamPivot, &$saved) { if ($saved || $model->getKey() != $object->getKey()) { return; } $model->roles()->attach($roles, $teamPivot); $model->unsetRelation('roles'); $saved = true; } ); } if ($this instanceof Permission) { $this->forgetCachedPermissions(); } $this->forgetWildcardPermissionIndex(); if (config('permission.events_enabled')) { event(new RoleAttachedEvent($this->getModel(), $roles)); } return $this; } /** * Revoke the given role from the model. * * @param string|int|array|Role|Collection|BackedEnum ...$role * @return $this */ public function removeRole(...$role): static { $roles = $this->collectRoles($role); $this->roles()->detach($roles); $this->unsetRelation('roles'); if ($this instanceof Permission) { $this->forgetCachedPermissions(); } $this->forgetWildcardPermissionIndex(); if (config('permission.events_enabled')) { event(new RoleDetachedEvent($this->getModel(), $roles)); } return $this; } /** * Remove all current roles and set the given ones. * * @param string|int|array|Role|Collection|BackedEnum ...$roles * @return $this */ public function syncRoles(...$roles): static { if ($this->getModel()->exists) { $this->collectRoles($roles); if (config('permission.events_enabled')) { $currentRoles = $this->roles()->get(); if ($currentRoles->isNotEmpty()) { $this->removeRole($currentRoles); } } else { $this->roles()->detach(); $this->setRelation('roles', collect()); } } return $this->assignRole($roles); } /** * Determine if the model has (one of) the given role(s). * * @param string|int|array|Role|Collection|BackedEnum $roles */ public function hasRole($roles, ?string $guard = null): bool { $this->loadMissing('roles'); if (is_string($roles) && str_contains($roles, '|')) { $roles = $this->convertPipeToArray($roles); } if ($roles instanceof BackedEnum) { $roles = $roles->value; return $this->roles ->when($guard, fn ($q) => $q->where('guard_name', $guard)) ->pluck('name') ->contains(fn ($name) => enum_value($name) == $roles); } if (is_int($roles) || PermissionRegistrar::isUid($roles)) { $key = (new ($this->getRoleClass())())->getKeyName(); return $guard ? $this->roles->where('guard_name', $guard)->contains($key, $roles) : $this->roles->contains($key, $roles); } if (is_string($roles)) { return $guard ? $this->roles->where('guard_name', $guard)->contains('name', $roles) : $this->roles->contains('name', $roles); } if ($roles instanceof Role) { return $this->roles->contains($roles->getKeyName(), $roles->getKey()); } if (is_array($roles)) { foreach ($roles as $role) { if ($this->hasRole($role, $guard)) { return true; } } return false; } if ($roles instanceof Collection) { return $roles->intersect($guard ? $this->roles->where('guard_name', $guard) : $this->roles)->isNotEmpty(); } throw new TypeError('Unsupported type for $roles parameter to hasRole().'); } /** * Determine if the model has any of the given role(s). * * Alias to hasRole() but without Guard controls * * @param string|int|array|Role|Collection|BackedEnum $roles */ public function hasAnyRole(...$roles): bool { return $this->hasRole($roles); } /** * Determine if the model has all of the given role(s). * * @param string|array|Role|Collection|BackedEnum $roles */ public function hasAllRoles($roles, ?string $guard = null): bool { $this->loadMissing('roles'); $roles = enum_value($roles); if (is_string($roles) && str_contains($roles, '|')) { $roles = $this->convertPipeToArray($roles); } if (is_string($roles)) { return $this->hasRole($roles, $guard); } if ($roles instanceof Role) { return $this->roles->contains($roles->getKeyName(), $roles->getKey()); } $roles = collect()->make($roles)->map(fn ($role) => $role instanceof Role ? $role->name : enum_value($role)); $roleNames = $guard ? $this->roles->where('guard_name', $guard)->pluck('name') : $this->getRoleNames(); $roleNames = $roleNames->transform(fn ($roleName) => enum_value($roleName)); return $roles->intersect($roleNames) == $roles; } /** * Determine if the model has exactly all of the given role(s). * * @param string|array|Role|Collection|BackedEnum $roles */ public function hasExactRoles($roles, ?string $guard = null): bool { $this->loadMissing('roles'); if (is_string($roles) && str_contains($roles, '|')) { $roles = $this->convertPipeToArray($roles); } if (is_string($roles)) { $roles = [$roles]; } if ($roles instanceof Role) { $roles = [$roles->name]; } $roles = collect()->make($roles)->map(fn ($role) => $role instanceof Role ? $role->name : $role ); return $this->roles->count() == $roles->count() && $this->hasAllRoles($roles, $guard); } /** * Return all permissions directly coupled to the model. */ public function getDirectPermissions(): Collection { return $this->permissions; } public function getRoleNames(): Collection { $this->loadMissing('roles'); return $this->roles->pluck('name'); } protected function getStoredRole($role): Role { $role = enum_value($role); if (is_int($role) || PermissionRegistrar::isUid($role)) { return $this->getRoleClass()::findById($role, $this->getDefaultGuardName()); } if (is_string($role)) { return $this->getRoleClass()::findByName($role, $this->getDefaultGuardName()); } return $role; } protected function convertPipeToArray(string $pipeString): array { $pipeString = trim($pipeString); if (strlen($pipeString) <= 2) { return [str_replace('|', '', $pipeString)]; } $quoteCharacter = substr($pipeString, 0, 1); $endCharacter = substr($quoteCharacter, -1, 1); if ($quoteCharacter !== $endCharacter) { return explode('|', $pipeString); } if (! in_array($quoteCharacter, ["'", '"'])) { return explode('|', $pipeString); } return explode('|', trim($pipeString, $quoteCharacter)); } } ================================================ FILE: src/Traits/RefreshesPermissionCache.php ================================================ forgetCachedPermissions(); }); static::deleted(function () { app(PermissionRegistrar::class)->forgetCachedPermissions(); }); } } ================================================ FILE: src/WildcardPermission.php ================================================ record->getAllPermissions() as $permission) { $index[$permission->guard_name] = $this->buildIndex( $index[$permission->guard_name] ?? [], explode(static::PART_DELIMITER, $permission->name), $permission->name, ); } return $index; } protected function buildIndex(array $index, array $parts, string $permission): array { if (empty($parts)) { $index[''] = true; return $index; } $part = array_shift($parts); if (blank($part)) { throw WildcardPermissionNotProperlyFormatted::create($permission); } if (! Str::contains($part, static::SUBPART_DELIMITER)) { $index[$part] = $this->buildIndex( $index[$part] ?? [], $parts, $permission, ); } $subParts = explode(static::SUBPART_DELIMITER, $part); foreach ($subParts as $subPart) { if (blank($subPart)) { throw WildcardPermissionNotProperlyFormatted::create($permission); } $index[$subPart] = $this->buildIndex( $index[$subPart] ?? [], $parts, $permission, ); } return $index; } public function implies(string $permission, string $guardName, array $index): bool { if (! array_key_exists($guardName, $index)) { return false; } $permission = explode(static::PART_DELIMITER, $permission); return $this->checkIndex($permission, $index[$guardName]); } protected function checkIndex(array $permission, array $index): bool { if (array_key_exists(strval(null), $index)) { return true; } if (empty($permission)) { return false; } $firstPermission = array_shift($permission); if ( array_key_exists($firstPermission, $index) && $this->checkIndex($permission, $index[$firstPermission]) ) { return true; } if (array_key_exists(static::WILDCARD_TOKEN, $index)) { return $this->checkIndex($permission, $index[static::WILDCARD_TOKEN]); } return false; } } ================================================ FILE: src/helpers.php ================================================ setPermissionsTeamId($id); } } if (! function_exists('getPermissionsTeamId')) { function getPermissionsTeamId(): int|string|null { return app(PermissionRegistrar::class)->getPermissionsTeamId(); } } ================================================ FILE: tests/Commands/CommandTest.php ================================================ 'new-role']); expect(Role::where('name', 'new-role')->get())->toHaveCount(1); expect(Role::where('name', 'new-role')->first()->permissions)->toHaveCount(0); }); it('can create a role with a specific guard', function () { Artisan::call('permission:create-role', [ 'name' => 'new-role', 'guard' => 'api', ]); expect(Role::where('name', 'new-role')->where('guard_name', 'api')->get())->toHaveCount(1); }); it('can create a permission', function () { Artisan::call('permission:create-permission', ['name' => 'new-permission']); expect(Permission::where('name', 'new-permission')->get())->toHaveCount(1); }); it('can create a permission with a specific guard', function () { Artisan::call('permission:create-permission', [ 'name' => 'new-permission', 'guard' => 'api', ]); expect(Permission::where('name', 'new-permission')->where('guard_name', 'api')->get())->toHaveCount(1); }); it('can create a role and permissions at same time', function () { Artisan::call('permission:create-role', [ 'name' => 'new-role', 'permissions' => 'first permission | second permission', ]); $role = Role::where('name', 'new-role')->first(); expect($role->hasPermissionTo('first permission'))->toBeTrue(); expect($role->hasPermissionTo('second permission'))->toBeTrue(); }); it('can create a role without duplication', function () { Artisan::call('permission:create-role', ['name' => 'new-role']); Artisan::call('permission:create-role', ['name' => 'new-role']); expect(Role::where('name', 'new-role')->get())->toHaveCount(1); expect(Role::where('name', 'new-role')->first()->permissions)->toHaveCount(0); }); it('can create a permission without duplication', function () { Artisan::call('permission:create-permission', ['name' => 'new-permission']); Artisan::call('permission:create-permission', ['name' => 'new-permission']); expect(Permission::where('name', 'new-permission')->get())->toHaveCount(1); }); it('can show permission tables', function () { Role::where('name', 'testRole2')->delete(); Role::create(['name' => 'testRole_2']); Artisan::call('permission:show'); $output = Artisan::output(); expect(strpos($output, 'Guard: web'))->not->toBeFalse(); expect(strpos($output, 'Guard: admin'))->not->toBeFalse(); expect($output)->toMatch('/\|\s+\|\s+testRole\s+\|\s+testRole_2\s+\|/'); expect($output)->toMatch('/\|\s+edit-articles\s+\|\s+·\s+\|\s+·\s+\|/'); Role::findByName('testRole')->givePermissionTo('edit-articles'); $this->reloadPermissions(); Artisan::call('permission:show'); $output = Artisan::output(); expect($output)->toMatch('/\|\s+edit-articles\s+\|\s+✔\s+\|\s+·\s+\|/'); }); it('can show permissions for guard', function () { Artisan::call('permission:show', ['guard' => 'web']); $output = Artisan::output(); expect(strpos($output, 'Guard: web'))->not->toBeFalse(); expect(strpos($output, 'Guard: admin'))->toBeFalse(); }); it('can setup teams upgrade', function () { config()->set('permission.teams', true); $this->artisan('permission:setup-teams') ->expectsQuestion('Proceed with the migration creation?', 'yes') ->assertExitCode(0); $matchingFiles = glob(database_path('migrations/*_add_teams_fields.php')); expect(count($matchingFiles) > 0)->toBeTrue(); $AddTeamsFields = require $matchingFiles[count($matchingFiles) - 1]; $AddTeamsFields->up(); $AddTeamsFields->up(); // test upgrade teams migration fresh Role::create(['name' => 'new-role', 'team_test_id' => 1]); $role = Role::where('name', 'new-role')->first(); expect($role)->not->toBeNull(); expect((int) $role->team_test_id)->toBe(1); // remove migration foreach ($matchingFiles as $file) { unlink($file); } }); it('can show roles by teams', function () { config()->set('permission.teams', true); app(\Spatie\Permission\PermissionRegistrar::class)->initializeCache(); Role::where('name', 'testRole2')->delete(); Role::create(['name' => 'testRole_2']); Role::create(['name' => 'testRole_Team', 'team_test_id' => 1]); Role::create(['name' => 'testRole_Team', 'team_test_id' => 2]); // same name different team Artisan::call('permission:show'); $output = Artisan::output(); expect($output)->toMatch('/\|\s+\|\s+Team ID: NULL\s+\|\s+Team ID: 1\s+\|\s+Team ID: 2\s+\|/'); expect($output)->toMatch('/\|\s+\|\s+testRole\s+\|\s+testRole_2\s+\|\s+testRole_Team\s+\|\s+testRole_Team\s+\|/'); }); it('can respond to about command with default', function () { if (! class_exists(InstalledVersions::class) || ! class_exists(AboutCommand::class)) { $this->markTestSkipped(); } if (! method_exists(AboutCommand::class, 'flushState')) { $this->markTestSkipped(); } app(\Spatie\Permission\PermissionRegistrar::class)->initializeCache(); Artisan::call('about'); $output = str_replace("\r\n", "\n", Artisan::output()); $pattern = '/Spatie Permissions[ .\n]*Features Enabled[ .]*Default[ .\n]*Version/'; expect($output)->toMatch($pattern); }); it('can respond to about command with teams', function () { if (! class_exists(InstalledVersions::class) || ! class_exists(AboutCommand::class)) { $this->markTestSkipped(); } if (! method_exists(AboutCommand::class, 'flushState')) { $this->markTestSkipped(); } app(\Spatie\Permission\PermissionRegistrar::class)->initializeCache(); config()->set('permission.teams', true); Artisan::call('about'); $output = str_replace("\r\n", "\n", Artisan::output()); $pattern = '/Spatie Permissions[ .\n]*Features Enabled[ .]*Teams[ .\n]*Version/'; expect($output)->toMatch($pattern); }); it('can assign role to user', function () { $user = User::first(); Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => User::class, ]); $output = Artisan::output(); expect($output)->toContain('Role `testRole` assigned to user ID '.$user->id.' successfully.'); expect(Role::where('name', 'testRole')->get())->toHaveCount(1); expect($user->roles)->toHaveCount(1); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fails to assign role when user not found', function () { Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => 99999, 'guard' => 'web', 'userModelNamespace' => User::class, ]); $output = Artisan::output(); expect($output)->toContain('User with ID 99999 not found.'); }); it('fails to assign role when namespace invalid', function () { $user = User::first(); $userModelClass = 'App\Models\NonExistentUser'; Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => $userModelClass, ]); $output = Artisan::output(); expect($output)->toContain("User model class [{$userModelClass}] does not exist."); }); it('warns when assigning role with team id but teams disabled', function () { $user = User::first(); Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'userModelNamespace' => User::class, '--team-id' => 1, ]); $output = Artisan::output(); expect($output)->toContain('Teams feature disabled'); }); ================================================ FILE: tests/Commands/TeamCommandTest.php ================================================ $this->setUpTeams()); it('can assign role to user with team id', function () { $user = User::first(); Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => User::class, '--team-id' => 1, ]); $output = Artisan::output(); expect($output)->toContain('Role `testRole` assigned to user ID '.$user->id.' successfully.'); setPermissionsTeamId(1); $user->unsetRelation('roles'); expect($user->hasRole('testRole'))->toBeTrue(); }); it('can assign role to user on different teams', function () { $user = User::first(); Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => User::class, '--team-id' => 1, ]); Artisan::call('permission:assign-role', [ 'name' => 'testRole2', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => User::class, '--team-id' => 2, ]); setPermissionsTeamId(1); $user->unsetRelation('roles'); expect($user->hasRole('testRole'))->toBeTrue(); expect($user->hasRole('testRole2'))->toBeFalse(); setPermissionsTeamId(2); $user->unsetRelation('roles'); expect($user->hasRole('testRole2'))->toBeTrue(); expect($user->hasRole('testRole'))->toBeFalse(); }); it('restores previous team id after assigning role', function () { $user = User::first(); setPermissionsTeamId(5); Artisan::call('permission:assign-role', [ 'name' => 'testRole', 'userId' => $user->id, 'guard' => 'web', 'userModelNamespace' => User::class, '--team-id' => 1, ]); expect(getPermissionsTeamId())->toEqual(5); }); ================================================ FILE: tests/Integration/BladeTest.php ================================================ with($parameters)); } beforeEach(function () { $roleModel = app(Role::class); $roleModel->create(['name' => 'member']); $roleModel->create(['name' => 'writer']); $roleModel->create(['name' => 'intern']); $roleModel->create(['name' => 'super-admin', 'guard_name' => 'admin']); $roleModel->create(['name' => 'moderator', 'guard_name' => 'admin']); $this->getWriter = function () { $this->testUser->assignRole('writer'); return $this->testUser; }; $this->getMember = function () { $this->testUser->assignRole('member'); return $this->testUser; }; $this->getSuperAdmin = function () { $this->testAdmin->assignRole('super-admin'); return $this->testAdmin; }; }); it('evaluates all blade directives as false when there is nobody logged in', function () { $permission = 'edit-articles'; $role = 'writer'; $roles = [$role]; $elserole = 'na'; $elsepermission = 'na'; expect(renderView('can', ['permission' => $permission]))->toEqual('does not have permission'); expect(renderView('haspermission', compact('permission', 'elsepermission')))->toEqual('does not have permission'); expect(renderView('role', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasRole', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasAllRoles', compact('roles')))->toEqual('does not have all of the given roles'); expect(renderView('hasAllRoles', ['roles' => implode('|', $roles)]))->toEqual('does not have all of the given roles'); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does not have any of the given roles'); expect(renderView('hasAnyRole', ['roles' => implode('|', $roles)]))->toEqual('does not have any of the given roles'); }); it('evaluates all blade directives as false when somebody without roles or permissions is logged in', function () { $permission = 'edit-articles'; $role = 'writer'; $roles = 'writer'; $elserole = 'na'; $elsepermission = 'na'; auth()->setUser($this->testUser); expect(renderView('can', compact('permission')))->toEqual('does not have permission'); expect(renderView('haspermission', compact('permission', 'elsepermission')))->toEqual('does not have permission'); expect(renderView('role', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasRole', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasAllRoles', compact('roles')))->toEqual('does not have all of the given roles'); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does not have any of the given roles'); }); it('evaluates all blade directives as false when somebody with another guard is logged in', function () { $permission = 'edit-articles'; $role = 'writer'; $roles = 'writer'; $elserole = 'na'; $elsepermission = 'na'; auth('admin')->setUser($this->testAdmin); expect(renderView('can', compact('permission')))->toEqual('does not have permission'); expect(renderView('haspermission', compact('permission', 'elsepermission')))->toEqual('does not have permission'); expect(renderView('role', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasRole', compact('role', 'elserole')))->toEqual('does not have role'); expect(renderView('hasAllRoles', compact('roles')))->toEqual('does not have all of the given roles'); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does not have any of the given roles'); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does not have any of the given roles'); }); it('accepts a guard name in the can directive', function () { $user = ($this->getWriter)(); $user->givePermissionTo('edit-articles'); auth()->setUser($user); $permission = 'edit-articles'; $guard = 'web'; expect(renderView('can', compact('permission', 'guard')))->toEqual('has permission'); $guard = 'admin'; expect(renderView('can', compact('permission', 'guard')))->toEqual('does not have permission'); auth()->logout(); // log in as the Admin with the permission-via-role $this->testAdmin->givePermissionTo($this->testAdminPermission); $user = $this->testAdmin; auth()->setUser($user); $permission = 'edit-articles'; $guard = 'web'; expect(renderView('can', compact('permission', 'guard')))->toEqual('does not have permission'); $permission = 'admin-permission'; $guard = 'admin'; expect($this->testAdmin->checkPermissionTo($permission, $guard))->toBeTrue(); expect(renderView('can', compact('permission', 'guard')))->toEqual('has permission'); }); it('evaluates the can directive as true when the logged in user has the permission', function () { $user = ($this->getWriter)(); $user->givePermissionTo('edit-articles'); auth()->setUser($user); expect(renderView('can', ['permission' => 'edit-articles']))->toEqual('has permission'); }); it('evaluates the haspermission directive as true when the logged in user has the permission', function () { $user = ($this->getWriter)(); $permission = 'edit-articles'; $user->givePermissionTo('edit-articles'); auth()->setUser($user); expect(renderView('haspermission', compact('permission')))->toEqual('has permission'); $guard = 'admin'; $elsepermission = 'na'; expect(renderView('haspermission', compact('permission', 'elsepermission', 'guard')))->toEqual('does not have permission'); $this->testAdminRole->givePermissionTo($this->testAdminPermission); $this->testAdmin->assignRole($this->testAdminRole); auth('admin')->setUser($this->testAdmin); $guard = 'admin'; $permission = 'admin-permission'; expect(renderView('haspermission', compact('permission', 'guard', 'elsepermission')))->toEqual('has permission'); }); it('evaluates the role directive as true when the logged in user has the role', function () { auth()->setUser(($this->getWriter)()); expect(renderView('role', ['role' => 'writer', 'elserole' => 'na']))->toEqual('has role'); }); it('evaluates the elserole directive as true when the logged in user has the role', function () { auth()->setUser(($this->getMember)()); expect(renderView('role', ['role' => 'writer', 'elserole' => 'member']))->toEqual('has else role'); }); it('evaluates the role directive as true when the logged in user has the role for the given guard', function () { auth('admin')->setUser(($this->getSuperAdmin)()); expect(renderView('guardRole', ['role' => 'super-admin', 'guard' => 'admin']))->toEqual('has role for guard'); }); it('evaluates the hasrole directive as true when the logged in user has the role', function () { auth()->setUser(($this->getWriter)()); expect(renderView('hasRole', ['role' => 'writer']))->toEqual('has role'); }); it('evaluates the hasrole directive as true when the logged in user has the role for the given guard', function () { auth('admin')->setUser(($this->getSuperAdmin)()); expect(renderView('guardHasRole', ['role' => 'super-admin', 'guard' => 'admin']))->toEqual('has role'); }); it('evaluates the unlessrole directive as true when the logged in user does not have the role', function () { auth()->setUser(($this->getWriter)()); expect(renderView('unlessrole', ['role' => 'another']))->toEqual('does not have role'); }); it('evaluates the unlessrole directive as true when the logged in user does not have the role for the given guard', function () { auth('admin')->setUser(($this->getSuperAdmin)()); expect(renderView('guardunlessrole', ['role' => 'another', 'guard' => 'admin']))->toEqual('does not have role'); expect(renderView('guardunlessrole', ['role' => 'super-admin', 'guard' => 'web']))->toEqual('does not have role'); }); it('evaluates the hasanyrole directive as false when the logged in user does not have any of the required roles', function () { $roles = ['writer', 'intern']; auth()->setUser(($this->getMember)()); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does not have any of the given roles'); expect(renderView('hasAnyRole', ['roles' => implode('|', $roles)]))->toEqual('does not have any of the given roles'); }); it('evaluates the hasanyrole directive as true when the logged in user does have some of the required roles', function () { $roles = ['member', 'writer', 'intern']; auth()->setUser(($this->getMember)()); expect(renderView('hasAnyRole', compact('roles')))->toEqual('does have some of the roles'); expect(renderView('hasAnyRole', ['roles' => implode('|', $roles)]))->toEqual('does have some of the roles'); }); it('evaluates the hasanyrole directive as true when the logged in user does have some of the required roles for the given guard', function () { $roles = ['super-admin', 'moderator']; $guard = 'admin'; auth('admin')->setUser(($this->getSuperAdmin)()); expect(renderView('guardHasAnyRole', compact('roles', 'guard')))->toEqual('does have some of the roles'); }); it('evaluates the hasanyrole directive as true when the logged in user does have some of the required roles in pipe', function () { $guard = 'admin'; auth('admin')->setUser(($this->getSuperAdmin)()); expect(renderView('guardHasAnyRolePipe', compact('guard')))->toEqual('does have some of the roles'); }); it('evaluates the hasanyrole directive as false when the logged in user doesnt have some of the required roles in pipe', function () { $guard = ''; auth('admin')->setUser(($this->getMember)()); expect(renderView('guardHasAnyRolePipe', compact('guard')))->toEqual('does not have any of the given roles'); }); it('evaluates the hasallroles directive as false when the logged in user does not have all required roles', function () { $roles = ['member', 'writer']; auth()->setUser(($this->getMember)()); expect(renderView('hasAllRoles', compact('roles')))->toEqual('does not have all of the given roles'); expect(renderView('hasAllRoles', ['roles' => implode('|', $roles)]))->toEqual('does not have all of the given roles'); }); it('evaluates the hasallroles directive as true when the logged in user does have all required roles', function () { $roles = ['member', 'writer']; $user = ($this->getMember)(); $user->assignRole('writer'); auth()->setUser($user); expect(renderView('hasAllRoles', compact('roles')))->toEqual('does have all of the given roles'); expect(renderView('hasAllRoles', ['roles' => implode('|', $roles)]))->toEqual('does have all of the given roles'); }); it('evaluates the hasallroles directive as true when the logged in user does have all required roles for the given guard', function () { $roles = ['super-admin', 'moderator']; $guard = 'admin'; $admin = ($this->getSuperAdmin)(); $admin->assignRole('moderator'); auth('admin')->setUser($admin); expect(renderView('guardHasAllRoles', compact('roles', 'guard')))->toEqual('does have all of the given roles'); }); it('evaluates the hasallroles directive as true when the logged in user does have all required roles in pipe', function () { $guard = 'admin'; $admin = ($this->getSuperAdmin)(); $admin->assignRole('moderator'); auth('admin')->setUser($admin); expect(renderView('guardHasAllRolesPipe', compact('guard')))->toEqual('does have all of the given roles'); }); it('evaluates the hasallroles directive as false when the logged in user doesnt have all required roles in pipe', function () { $guard = ''; $user = ($this->getMember)(); $user->assignRole('writer'); auth()->setUser($user); expect(renderView('guardHasAllRolesPipe', compact('guard')))->toEqual('does not have all of the given roles'); }); it('evaluates the hasallroles directive as true when the logged in user does have all required roles in array', function () { $guard = 'admin'; $admin = ($this->getSuperAdmin)(); $admin->assignRole('moderator'); auth('admin')->setUser($admin); expect(renderView('guardHasAllRolesArray', compact('guard')))->toEqual('does have all of the given roles'); }); it('evaluates the hasallroles directive as false when the logged in user doesnt have all required roles in array', function () { $guard = ''; $user = ($this->getMember)(); $user->assignRole('writer'); auth()->setUser($user); expect(renderView('guardHasAllRolesArray', compact('guard')))->toEqual('does not have all of the given roles'); }); ================================================ FILE: tests/Integration/CacheTest.php ================================================ registrar = app(PermissionRegistrar::class); $this->registrar->forgetCachedPermissions(); DB::connection()->enableQueryLog(); $this->cache_init_count = 0; $this->cache_load_count = 0; $this->cache_run_count = 2; // roles lookup, permissions lookup $cacheStore = $this->registrar->getCacheStore(); switch (true) { case $cacheStore instanceof DatabaseStore: $this->cache_init_count = 1; $this->cache_load_count = 1; // no break default: } }); function resetQueryCount(): void { DB::flushQueryLog(); } function assertQueryCount(int $expected): void { expect(DB::getQueryLog())->toHaveCount($expected); } it('can cache the permissions', function () { resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('flushes the cache when creating a permission', function () { app(Permission::class)->create(['name' => 'new']); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('flushes the cache when updating a permission', function () { $permission = app(Permission::class)->create(['name' => 'new']); $permission->name = 'other name'; $permission->save(); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('flushes the cache when creating a role', function () { app(Role::class)->create(['name' => 'new']); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('flushes the cache when updating a role', function () { $role = app(Role::class)->create(['name' => 'new']); $role->name = 'other name'; $role->save(); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('should not flush the cache when removing a permission from a user', function () { $this->testUser->givePermissionTo('edit-articles'); $this->registrar->getPermissions(); $this->testUser->revokePermissionTo('edit-articles'); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount(0); }); it('should not flush the cache when removing a role from a user', function () { $this->testUser->assignRole('testRole'); $this->registrar->getPermissions(); $this->testUser->removeRole('testRole'); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount(0); }); it('flushes the cache when removing a role from a permission', function () { $this->testUserPermission->assignRole('testRole'); $this->registrar->getPermissions(); $this->testUserPermission->removeRole('testRole'); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('flushes the cache when assigning a permission to a role', function () { $this->testUserRole->givePermissionTo('edit-articles'); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('should not flush the cache on user creation', function () { $this->registrar->getPermissions(); User::create(['email' => 'new']); resetQueryCount(); $this->registrar->getPermissions(); // should all be in memory, so no init/load required assertQueryCount(0); }); it('flushes the cache when giving a permission to a role', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); it('uses the cache for has permission to', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news', 'Edit News']); $this->testUser->assignRole('testRole'); $this->testUser->loadMissing('roles', 'permissions'); resetQueryCount(); expect($this->testUser->hasPermissionTo('edit-articles'))->toBeTrue(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); resetQueryCount(); expect($this->testUser->hasPermissionTo('edit-news'))->toBeTrue(); assertQueryCount(0); resetQueryCount(); expect($this->testUser->hasPermissionTo('edit-articles'))->toBeTrue(); assertQueryCount(0); resetQueryCount(); expect($this->testUser->hasPermissionTo('Edit News'))->toBeTrue(); assertQueryCount(0); }); it('differentiates the cache by guard name', function () { expect(function () { $this->testUserRole->givePermissionTo(['edit-articles', 'web']); $this->testUser->assignRole('testRole'); $this->testUser->loadMissing('roles', 'permissions'); resetQueryCount(); expect($this->testUser->hasPermissionTo('edit-articles', 'web'))->toBeTrue(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); resetQueryCount(); expect($this->testUser->hasPermissionTo('edit-articles', 'admin'))->toBeFalse(); assertQueryCount(1); // 1 for first lookup of this permission with this guard })->toThrow(PermissionDoesNotExist::class); }); it('uses the cache for get all permissions', function () { $this->testUserRole->givePermissionTo($expected = ['edit-articles', 'edit-news']); $this->testUser->assignRole('testRole'); $this->testUser->loadMissing('roles.permissions', 'permissions'); resetQueryCount(); $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); resetQueryCount(); $actual = $this->testUser->getAllPermissions()->pluck('name')->sort()->values(); expect($actual)->toEqual(collect($expected)); assertQueryCount(0); }); it('should not over hydrate roles for get all permissions', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news']); $permissions = $this->registrar->getPermissions(); $roles = $permissions->flatMap->roles; // Should have same object reference expect($roles[1])->toBe($roles[0]); }); it('can reset the cache with artisan command', function () { Artisan::call('permission:create-permission', ['name' => 'new-permission']); expect(\Spatie\Permission\Models\Permission::where('name', 'new-permission')->get())->toHaveCount(1); resetQueryCount(); // retrieve permissions, and assert that the cache had to be loaded $this->registrar->getPermissions(); assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); // reset the cache Artisan::call('permission:cache-reset'); resetQueryCount(); $this->registrar->getPermissions(); // assert that the cache had to be reloaded assertQueryCount($this->cache_init_count + $this->cache_load_count + $this->cache_run_count); }); ================================================ FILE: tests/Integration/CustomGateTest.php ================================================ set('permission.register_permission_check_method', false); app()->forgetInstance(Gate::class); }); it('doesnt register the method for checking permissions on the gate', function () { $this->testUser->givePermissionTo('edit-articles'); expect(app(Gate::class)->abilities())->toBeEmpty(); expect($this->testUser->can('edit-articles'))->toBeFalse(); }); it('can authorize using custom method for checking permissions', function () { app(Gate::class)->define('edit-articles', function () { return true; }); expect(app(Gate::class)->abilities())->toHaveKey('edit-articles'); expect($this->testUser->can('edit-articles'))->toBeTrue(); }); ================================================ FILE: tests/Integration/GateTest.php ================================================ testUser->can('edit-articles'))->toBeFalse(); }); it('allows other gate before callbacks to run if a user does not have a permission', function () { expect($this->testUser->can('edit-articles'))->toBeFalse(); app(Gate::class)->before(function () { // this Gate-before intercept overrides everything to true ... like a typical Super-Admin might use return true; }); expect($this->testUser->can('edit-articles'))->toBeTrue(); }); it('allows gate after callback to grant denied privileges', function () { expect($this->testUser->can('edit-articles'))->toBeFalse(); app(Gate::class)->after(function ($user, $ability, $result) { return true; }); expect($this->testUser->can('edit-articles'))->toBeTrue(); }); it('can determine if a user has a direct permission', function () { $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->can('edit-articles'))->toBeTrue(); expect($this->testUser->can('non-existing-permission'))->toBeFalse(); expect($this->testUser->can('admin-permission'))->toBeFalse(); }); it('can determine if a user has a direct permission using enums', function () { $enum = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $permission = app(Permission::class)->findOrCreate($enum->value, 'web'); expect($this->testUser->can($enum->value))->toBeFalse(); expect($this->testUser->canAny([$enum->value, 'some other permission']))->toBeFalse(); $this->testUser->givePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeTrue(); expect($this->testUser->can($enum->value))->toBeTrue(); expect($this->testUser->canAny([$enum->value, 'some other permission']))->toBeTrue(); }); it('can determine if a user has a permission through roles', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); expect($this->testUser->can('edit-articles'))->toBeTrue(); expect($this->testUser->can('non-existing-permission'))->toBeFalse(); expect($this->testUser->can('admin-permission'))->toBeFalse(); }); it('can determine if a user with a different guard has a permission when using roles', function () { $this->testAdminRole->givePermissionTo($this->testAdminPermission); $this->testAdmin->assignRole($this->testAdminRole); expect($this->testAdmin->hasPermissionTo($this->testAdminPermission))->toBeTrue(); expect($this->testAdmin->can('admin-permission'))->toBeTrue(); expect($this->testAdmin->can('non-existing-permission'))->toBeFalse(); expect($this->testAdmin->can('edit-articles'))->toBeFalse(); }); ================================================ FILE: tests/Integration/MultipleGuardsTest.php ================================================ set('auth.guards', [ 'web' => ['driver' => 'session', 'provider' => 'users'], 'api' => ['driver' => 'token', 'provider' => 'users'], 'jwt' => ['driver' => 'token', 'provider' => 'users'], 'abc' => ['driver' => 'abc'], 'admin' => ['driver' => 'session', 'provider' => 'admins'], ]); Route::middleware('auth:api')->get('/check-api-guard-permission', function (Request $request) { return ['status' => $request->user()->checkPermissionTo('use_api_guard')]; }); }); it('can give a permission to a model that is used by multiple guards', function () { $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_this', 'guard_name' => 'web', ])); $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ])); expect($this->testUser->checkPermissionTo('do_this', 'web'))->toBeTrue(); expect($this->testUser->checkPermissionTo('do_that', 'api'))->toBeTrue(); expect($this->testUser->checkPermissionTo('do_that', 'web'))->toBeFalse(); }); it('the gate can grant permission to a user by passing a guard name', function () { $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_this', 'guard_name' => 'web', ])); $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ])); expect($this->testUser->can('do_this', 'web'))->toBeTrue(); expect($this->testUser->can('do_that', 'api'))->toBeTrue(); expect($this->testUser->can('do_that', 'web'))->toBeFalse(); expect($this->testUser->cannot('do_that', 'web'))->toBeTrue(); expect($this->testUser->canAny(['do_this', 'do_that'], 'web'))->toBeTrue(); $this->testAdminRole->givePermissionTo($this->testAdminPermission); $this->testAdmin->assignRole($this->testAdminRole); expect($this->testAdmin->hasPermissionTo($this->testAdminPermission))->toBeTrue(); expect($this->testAdmin->can('admin-permission'))->toBeTrue(); expect($this->testAdmin->can('admin-permission', 'admin'))->toBeTrue(); expect($this->testAdmin->cannot('admin-permission', 'web'))->toBeTrue(); expect($this->testAdmin->cannot('non-existing-permission'))->toBeTrue(); expect($this->testAdmin->cannot('non-existing-permission', 'web'))->toBeTrue(); expect($this->testAdmin->cannot('non-existing-permission', 'admin'))->toBeTrue(); expect($this->testAdmin->cannot(['admin-permission', 'non-existing-permission'], 'web'))->toBeTrue(); expect($this->testAdmin->can('edit-articles', 'web'))->toBeFalse(); expect($this->testAdmin->can('edit-articles', 'admin'))->toBeFalse(); expect($this->testUser->cannot('edit-articles', 'admin'))->toBeTrue(); expect($this->testUser->cannot('admin-permission', 'admin'))->toBeTrue(); expect($this->testUser->cannot('admin-permission', 'web'))->toBeTrue(); }); it('can honour guardName function on model for overriding guard name property', function () { $user = Manager::create(['email' => 'manager@test.com']); $user->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_jwt', 'guard_name' => 'jwt', ])); // Manager test user has the guardName override method, which returns 'jwt' expect($user->checkPermissionTo('do_jwt', 'jwt'))->toBeTrue(); expect($user->hasPermissionTo('do_jwt', 'jwt'))->toBeTrue(); // Manager test user has the $guard_name property set to 'web' expect($user->checkPermissionTo('do_jwt', 'web'))->toBeFalse(); }); ================================================ FILE: tests/Integration/PermissionRegistrarTest.php ================================================ getProperty('permissions'); $reflectedProperty->setAccessible(true); app(PermissionRegistrar::class)->getPermissions(); expect($reflectedProperty->getValue(app(PermissionRegistrar::class)))->not->toBeNull(); app(PermissionRegistrar::class)->clearPermissionsCollection(); expect($reflectedProperty->getValue(app(PermissionRegistrar::class)))->toBeNull(); }); it('can check uids', function () { $uids = [ // UUIDs '00000000-0000-0000-0000-000000000000', '9be37b52-e1fa-4e86-b65f-cbfcbedde838', 'fc458041-fb21-4eea-a04b-b55c87a7224a', '78144b52-a889-11ed-afa1-0242ac120002', '78144f4e-a889-11ed-afa1-0242ac120002', // GUIDs '4b8590bb-90a2-4f38-8dc9-70e663a5b0e5', 'A98C5A1E-A742-4808-96FA-6F409E799937', '1f01164a-98e9-4246-93ec-7941aefb1da6', '91b73d20-89e6-46b0-b39b-632706cc3ed7', '0df4a5b8-7c2e-484f-ad1d-787d1b83aacc', // ULIDs '01GRVB3DREB63KNN4G2QVV99DF', '01GRVB3DRECY317SJCJ6DMTFCA', '01GRVB3DREGGPBXNH1M24GX1DS', '01GRVB3DRESRM2K9AVQSW1JCKA', '01GRVB3DRES5CQ31PB24MP4CSV', ]; $not_uids = [ '9be37b52-e1fa', '9be37b52-e1fa-4e86', '9be37b52-e1fa-4e86-b65f', '01GRVB3DREB63KNN4G2', 'TEST STRING', '00-00-00-00-00-00', '91GRVB3DRES5CQ31PB24MP4CSV', ]; foreach ($uids as $uid) { expect(PermissionRegistrar::isUid($uid))->toBeTrue(); } foreach ($not_uids as $not_uid) { expect(PermissionRegistrar::isUid($not_uid))->toBeFalse(); } }); it('can get permission class', function () { expect(app(PermissionRegistrar::class)->getPermissionClass())->toBe(SpatiePermission::class); expect(get_class(app(PermissionContract::class)))->toBe(SpatiePermission::class); }); it('can change permission class', function () { expect(config('permission.models.permission'))->toBe(SpatiePermission::class); expect(app(PermissionRegistrar::class)->getPermissionClass())->toBe(SpatiePermission::class); expect(get_class(app(PermissionContract::class)))->toBe(SpatiePermission::class); app(PermissionRegistrar::class)->setPermissionClass(TestPermission::class); expect(config('permission.models.permission'))->toBe(TestPermission::class); expect(app(PermissionRegistrar::class)->getPermissionClass())->toBe(TestPermission::class); expect(get_class(app(PermissionContract::class)))->toBe(TestPermission::class); }); it('can get role class', function () { expect(app(PermissionRegistrar::class)->getRoleClass())->toBe(SpatieRole::class); expect(get_class(app(RoleContract::class)))->toBe(SpatieRole::class); }); it('can change role class', function () { expect(config('permission.models.role'))->toBe(SpatieRole::class); expect(app(PermissionRegistrar::class)->getRoleClass())->toBe(SpatieRole::class); expect(get_class(app(RoleContract::class)))->toBe(SpatieRole::class); app(PermissionRegistrar::class)->setRoleClass(TestRole::class); expect(config('permission.models.role'))->toBe(TestRole::class); expect(app(PermissionRegistrar::class)->getRoleClass())->toBe(TestRole::class); expect(get_class(app(RoleContract::class)))->toBe(TestRole::class); }); it('can change team id', function () { $team_id = '00000000-0000-0000-0000-000000000000'; app(PermissionRegistrar::class)->setPermissionsTeamId($team_id); expect(app(PermissionRegistrar::class)->getPermissionsTeamId())->toBe($team_id); }); ================================================ FILE: tests/Integration/PolicyTest.php ================================================ 'special admin content']); $record2 = Content::create(['content' => 'viewable', 'user_id' => $this->testUser->id]); app(Gate::class)->policy(Content::class, ContentPolicy::class); expect($this->testUser->can('view', $record1))->toBeFalse(); expect($this->testUser->can('update', $record1))->toBeFalse(); expect($this->testUser->can('update', $record2))->toBeTrue(); // test that the Admin cannot yet view 'special admin content', because doesn't have Role yet expect($this->testAdmin->can('update', $record1))->toBeFalse(); $this->testAdmin->assignRole($this->testAdminRole); // test that the Admin can view 'special admin content' expect($this->testAdmin->can('update', $record1))->toBeTrue(); expect($this->testAdmin->can('update', $record2))->toBeTrue(); }); ================================================ FILE: tests/Integration/RouteTest.php ================================================ getRouter(); $router->get('role-test', $this->getRouteResponse()) ->name('role.test') ->role('superadmin'); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['role:superadmin']); }); it('test permission function', function () { $router = $this->getRouter(); $router->get('permission-test', $this->getRouteResponse()) ->name('permission.test') ->permission(['edit articles', 'save articles']); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['permission:edit articles|save articles']); }); it('test role and permission function together', function () { $router = $this->getRouter(); $router->get('role-permission-test', $this->getRouteResponse()) ->name('role-permission.test') ->role('superadmin|admin') ->permission('create user|edit user'); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual([ 'role:superadmin|admin', 'permission:create user|edit user', ]); }); it('test role function with backed enum', function () { $router = $this->getRouter(); $router->get('role-test.enum', $this->getRouteResponse()) ->name('role.test.enum') ->role(TestRolePermissionsEnum::UserManager); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['role:'.TestRolePermissionsEnum::UserManager->value]); }); it('test permission function with backed enum', function () { $router = $this->getRouter(); $router->get('permission-test.enum', $this->getRouteResponse()) ->name('permission.test.enum') ->permission(TestRolePermissionsEnum::Writer); $expected = ['permission:'.TestRolePermissionsEnum::Writer->value]; expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual($expected); }); it('test role and permission function together with backed enum', function () { $router = $this->getRouter(); $router->get('roles-permissions-test.enum', $this->getRouteResponse()) ->name('roles-permissions.test.enum') ->role([TestRolePermissionsEnum::UserManager, TestRolePermissionsEnum::Admin]) ->permission([TestRolePermissionsEnum::Writer, TestRolePermissionsEnum::Editor]); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual([ 'role:'.TestRolePermissionsEnum::UserManager->value.'|'.TestRolePermissionsEnum::Admin->value, 'permission:'.TestRolePermissionsEnum::Writer->value.'|'.TestRolePermissionsEnum::Editor->value, ]); }); it('test role or permission function', function () { $router = $this->getRouter(); $router->get('role-or-permission-test', $this->getRouteResponse()) ->name('role-or-permission.test') ->roleOrPermission('admin|edit articles'); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['role_or_permission:admin|edit articles']); }); it('test role or permission function with array', function () { $router = $this->getRouter(); $router->get('role-or-permission-array-test', $this->getRouteResponse()) ->name('role-or-permission-array.test') ->roleOrPermission(['admin', 'edit articles']); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['role_or_permission:admin|edit articles']); }); it('test role or permission function with backed enum', function () { $router = $this->getRouter(); $router->get('role-or-permission-test.enum', $this->getRouteResponse()) ->name('role-or-permission.test.enum') ->roleOrPermission(TestRolePermissionsEnum::UserManager); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['role_or_permission:'.TestRolePermissionsEnum::UserManager->value]); }); it('test role or permission function with backed enum array', function () { $router = $this->getRouter(); $router->get('role-or-permission-array-test.enum', $this->getRouteResponse()) ->name('role-or-permission-array.test.enum') ->roleOrPermission([TestRolePermissionsEnum::UserManager, TestRolePermissionsEnum::EditArticles]); // @phpstan-ignore-line expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual( ['role_or_permission:'.TestRolePermissionsEnum::UserManager->value.'|'.TestRolePermissionsEnum::EditArticles->value] // @phpstan-ignore-line ); }); ================================================ FILE: tests/Integration/WildcardRouteTest.php ================================================ set('permission.enable_wildcard_permission', true); $router = $this->getRouter(); $router->get('permission-test', $this->getRouteResponse()) ->name('permission.test') ->permission(['articles.edit', 'articles.save']); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual(['permission:articles.edit|articles.save']); }); it('test role and permission function together', function () { app('config')->set('permission.enable_wildcard_permission', true); $router = $this->getRouter(); $router->get('role-permission-test', $this->getRouteResponse()) ->name('role-permission.test') ->role('superadmin|admin') ->permission('user.create|user.edit'); expect($this->getLastRouteMiddlewareFromRouter($router))->toEqual([ 'role:superadmin|admin', 'permission:user.create|user.edit', ]); }); ================================================ FILE: tests/Middleware/PermissionMiddlewareTest.php ================================================ setUpPassport(); $this->permissionMiddleware = new PermissionMiddleware; }); it('a guest cannot access a route protected by the permission middleware', function () { expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles'))->toEqual(403); }); it('a user cannot access a route protected by the permission middleware of a different guard', function () { // These permissions are created fresh here in reverse order of guard being applied, so they are not "found first" in the db lookup when matching app(Permission::class)->create(['name' => 'admin-permission2', 'guard_name' => 'web']); $p1 = app(Permission::class)->create(['name' => 'admin-permission2', 'guard_name' => 'admin']); app(Permission::class)->create(['name' => 'edit-articles2', 'guard_name' => 'admin']); $p2 = app(Permission::class)->create(['name' => 'edit-articles2', 'guard_name' => 'web']); Auth::guard('admin')->login($this->testAdmin); $this->testAdmin->givePermissionTo($p1); expect($this->runMiddleware($this->permissionMiddleware, 'admin-permission2', 'admin'))->toEqual(200); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles2', 'admin'))->toEqual(403); Auth::login($this->testUser); $this->testUser->givePermissionTo($p2); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles2', 'web'))->toEqual(200); expect($this->runMiddleware($this->permissionMiddleware, 'admin-permission2', 'web'))->toEqual(403); }); it('a client cannot access a route protected by the permission middleware of a different guard', function () { // These permissions are created fresh here in reverse order of guard being applied, so they are not "found first" in the db lookup when matching app(Permission::class)->create(['name' => 'admin-permission2', 'guard_name' => 'web']); $p1 = app(Permission::class)->create(['name' => 'admin-permission2', 'guard_name' => 'api']); Passport::actingAsClient($this->testClient, ['*']); $this->testClient->givePermissionTo($p1); expect($this->runMiddleware($this->permissionMiddleware, 'admin-permission2', 'api', true))->toEqual(200); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles2', 'web', true))->toEqual(403); }); it('a super admin user can access a route protected by permission middleware', function () { Auth::login($this->testUser); Gate::before(function ($user, $ability) { return $user->getKey() === $this->testUser->getKey() ? true : null; }); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles'))->toEqual(200); }); it('a user can access a route protected by permission middleware if have this permission', function () { Auth::login($this->testUser); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles'))->toEqual(200); }); it('a client can access a route protected by permission middleware if have this permission', function () { Passport::actingAsClient($this->testClient, ['*'], 'api'); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-posts', null, true))->toEqual(200); }); it('a user can access a route protected by this permission middleware if have one of the permissions', function () { Auth::login($this->testUser); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-news|edit-articles'))->toEqual(200); expect($this->runMiddleware($this->permissionMiddleware, ['edit-news', 'edit-articles']))->toEqual(200); }); it('a client can access a route protected by this permission middleware if have one of the permissions', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-news|edit-posts', null, true))->toEqual(200); expect($this->runMiddleware($this->permissionMiddleware, ['edit-news', 'edit-posts'], null, true))->toEqual(200); }); it('a user cannot access a route protected by the permission middleware if have not has roles trait', function () { $userWithoutHasRoles = UserWithoutHasRoles::create(['email' => 'test_not_has_roles@user.com']); Auth::login($userWithoutHasRoles); expect($this->runMiddleware($this->permissionMiddleware, 'edit-news'))->toEqual(403); }); it('a user cannot access a route protected by the permission middleware if have a different permission', function () { Auth::login($this->testUser); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-news'))->toEqual(403); }); it('a client cannot access a route protected by the permission middleware if have a different permission', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-news', null, true))->toEqual(403); }); it('a user cannot access a route protected by permission middleware if have not permissions', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles|edit-news'))->toEqual(403); }); it('a client cannot access a route protected by permission middleware if have not permissions', function () { Passport::actingAsClient($this->testClient, ['*']); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles|edit-posts', null, true))->toEqual(403); }); it('a user can access a route protected by permission middleware if has permission via role', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles'))->toEqual(403); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles'))->toEqual(200); }); it('a client can access a route protected by permission middleware if has permission via role', function () { Passport::actingAsClient($this->testClient, ['*']); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles', null, true))->toEqual(403); $this->testClientRole->givePermissionTo('edit-posts'); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-posts', null, true))->toEqual(200); }); it('the required permissions can be fetched from the exception', function () { Auth::login($this->testUser); $message = null; $requiredPermissions = []; try { $this->permissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-permission'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); $requiredPermissions = $e->getRequiredPermissions(); } expect($message)->toEqual('User does not have the right permissions.'); expect($requiredPermissions)->toEqual(['some-permission']); }); it('the required permissions can be displayed in the exception', function () { Auth::login($this->testUser); Config::set(['permission.display_permission_in_exception' => true]); $message = null; try { $this->permissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-permission'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); } expect($message)->toEndWith('Necessary permissions are some-permission'); }); it('use not existing custom guard in permission', function () { $class = null; try { $this->permissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'edit-articles', 'xxx'); } catch (InvalidArgumentException $e) { $class = get_class($e); } expect($class)->toEqual(InvalidArgumentException::class); }); it('user can not access permission with guard admin while login using default guard', function () { Auth::login($this->testUser); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-articles', 'admin'))->toEqual(403); }); it('client can not access permission with guard admin while login using default guard', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->permissionMiddleware, 'edit-posts', 'admin', true))->toEqual(403); }); it('user can access permission with guard admin while login using admin guard', function () { Auth::guard('admin')->login($this->testAdmin); $this->testAdmin->givePermissionTo('admin-permission'); expect($this->runMiddleware($this->permissionMiddleware, 'admin-permission', 'admin'))->toEqual(200); }); it('the middleware can be created with static using method', function () { expect(PermissionMiddleware::using('edit-articles')) ->toBe('Spatie\Permission\Middleware\PermissionMiddleware:edit-articles'); expect(PermissionMiddleware::using('edit-articles', 'my-guard')) ->toEqual('Spatie\Permission\Middleware\PermissionMiddleware:edit-articles,my-guard'); expect(PermissionMiddleware::using(['edit-articles', 'edit-news'])) ->toEqual('Spatie\Permission\Middleware\PermissionMiddleware:edit-articles|edit-news'); }); it('the middleware can handle enum based permissions with static using method', function () { expect(PermissionMiddleware::using(TestModels\TestRolePermissionsEnum::ViewArticles)) ->toBe('Spatie\Permission\Middleware\PermissionMiddleware:view articles'); expect(PermissionMiddleware::using(TestModels\TestRolePermissionsEnum::ViewArticles, 'my-guard')) ->toEqual('Spatie\Permission\Middleware\PermissionMiddleware:view articles,my-guard'); expect(PermissionMiddleware::using([TestModels\TestRolePermissionsEnum::ViewArticles, TestModels\TestRolePermissionsEnum::EditArticles])) ->toEqual('Spatie\Permission\Middleware\PermissionMiddleware:view articles|edit articles'); }); it('the middleware can handle enum based permissions with handle method', function () { app(Permission::class)->create(['name' => TestModels\TestRolePermissionsEnum::ViewArticles->value]); app(Permission::class)->create(['name' => TestModels\TestRolePermissionsEnum::EditArticles->value]); Auth::login($this->testUser); $this->testUser->givePermissionTo(TestModels\TestRolePermissionsEnum::ViewArticles); expect($this->runMiddleware($this->permissionMiddleware, TestModels\TestRolePermissionsEnum::ViewArticles)) ->toEqual(200); $this->testUser->givePermissionTo(TestModels\TestRolePermissionsEnum::EditArticles); expect($this->runMiddleware($this->permissionMiddleware, [TestModels\TestRolePermissionsEnum::ViewArticles, TestModels\TestRolePermissionsEnum::EditArticles])) ->toEqual(200); }); ================================================ FILE: tests/Middleware/RoleMiddlewareTest.php ================================================ setUpPassport(); $this->roleMiddleware = new RoleMiddleware; }); it('a guest cannot access a route protected by rolemiddleware', function () { expect($this->runMiddleware($this->roleMiddleware, 'testRole'))->toEqual(403); }); it('a user cannot access a route protected by role middleware of another guard', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleMiddleware, 'testAdminRole'))->toEqual(403); }); it('a client cannot access a route protected by role middleware of another guard', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->roleMiddleware, 'testAdminRole', null, true))->toEqual(403); }); it('a user can access a route protected by role middleware if have this role', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleMiddleware, 'testRole'))->toEqual(200); }); it('a client can access a route protected by role middleware if have this role', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->roleMiddleware, 'clientRole', null, true))->toEqual(200); }); it('a user can access a route protected by this role middleware if have one of the roles', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleMiddleware, 'testRole|testRole2'))->toEqual(200); expect($this->runMiddleware($this->roleMiddleware, ['testRole2', 'testRole']))->toEqual(200); }); it('a client can access a route protected by this role middleware if have one of the roles', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->roleMiddleware, 'clientRole|testRole2', null, true))->toEqual(200); expect($this->runMiddleware($this->roleMiddleware, ['testRole2', 'clientRole'], null, true))->toEqual(200); }); it('a user cannot access a route protected by the role middleware if have not has roles trait', function () { $userWithoutHasRoles = UserWithoutHasRoles::create(['email' => 'test_not_has_roles@user.com']); Auth::login($userWithoutHasRoles); expect($this->runMiddleware($this->roleMiddleware, 'testRole'))->toEqual(403); }); it('a user cannot access a route protected by the role middleware if have a different role', function () { Auth::login($this->testUser); $this->testUser->assignRole(['testRole']); expect($this->runMiddleware($this->roleMiddleware, 'testRole2'))->toEqual(403); }); it('a client cannot access a route protected by the role middleware if have a different role', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole(['clientRole']); expect($this->runMiddleware($this->roleMiddleware, 'clientRole2', null, true))->toEqual(403); }); it('a user cannot access a route protected by role middleware if have not roles', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->roleMiddleware, 'testRole|testRole2'))->toEqual(403); }); it('a client cannot access a route protected by role middleware if have not roles', function () { Passport::actingAsClient($this->testClient, ['*']); expect($this->runMiddleware($this->roleMiddleware, 'testRole|testRole2', null, true))->toEqual(403); }); it('a user cannot access a route protected by role middleware if role is undefined', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->roleMiddleware, ''))->toEqual(403); }); it('a client cannot access a route protected by role middleware if role is undefined', function () { Passport::actingAsClient($this->testClient, ['*']); expect($this->runMiddleware($this->roleMiddleware, '', null, true))->toEqual(403); }); it('the required roles can be fetched from the exception', function () { Auth::login($this->testUser); $message = null; $requiredRoles = []; try { $this->roleMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-role'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); $requiredRoles = $e->getRequiredRoles(); } expect($message)->toEqual('User does not have the right roles.'); expect($requiredRoles)->toEqual(['some-role']); }); it('the required roles can be displayed in the exception', function () { Auth::login($this->testUser); Config::set(['permission.display_role_in_exception' => true]); $message = null; try { $this->roleMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-role'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); } expect($message)->toEndWith('Necessary roles are some-role'); }); it('use not existing custom guard in role', function () { $class = null; try { $this->roleMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'testRole', 'xxx'); } catch (InvalidArgumentException $e) { $class = get_class($e); } expect($class)->toEqual(InvalidArgumentException::class); }); it('user can not access role with guard admin while login using default guard', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleMiddleware, 'testRole', 'admin'))->toEqual(403); }); it('client can not access role with guard admin while login using default guard', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->roleMiddleware, 'clientRole', 'admin', true))->toEqual(403); }); it('user can access role with guard admin while login using admin guard', function () { Auth::guard('admin')->login($this->testAdmin); $this->testAdmin->assignRole('testAdminRole'); expect($this->runMiddleware($this->roleMiddleware, 'testAdminRole', 'admin'))->toEqual(200); }); it('the middleware can be created with static using method', function () { expect(RoleMiddleware::using('testAdminRole')) ->toBe('Spatie\Permission\Middleware\RoleMiddleware:testAdminRole'); expect(RoleMiddleware::using('testAdminRole', 'my-guard')) ->toEqual('Spatie\Permission\Middleware\RoleMiddleware:testAdminRole,my-guard'); expect(RoleMiddleware::using(['testAdminRole', 'anotherRole'])) ->toEqual('Spatie\Permission\Middleware\RoleMiddleware:testAdminRole|anotherRole'); }); it('the middleware can handle enum based roles with static using method', function () { expect(RoleMiddleware::using(TestModels\TestRolePermissionsEnum::Writer)) ->toBe('Spatie\Permission\Middleware\RoleMiddleware:writer'); expect(RoleMiddleware::using(TestModels\TestRolePermissionsEnum::Writer, 'my-guard')) ->toEqual('Spatie\Permission\Middleware\RoleMiddleware:writer,my-guard'); expect(RoleMiddleware::using([TestModels\TestRolePermissionsEnum::Writer, TestModels\TestRolePermissionsEnum::Editor])) ->toEqual('Spatie\Permission\Middleware\RoleMiddleware:writer|editor'); }); it('the middleware can handle enum based roles with handle method', function () { app(Role::class)->create(['name' => TestModels\TestRolePermissionsEnum::Writer->value]); app(Role::class)->create(['name' => TestModels\TestRolePermissionsEnum::Editor->value]); Auth::login($this->testUser); $this->testUser->assignRole(TestModels\TestRolePermissionsEnum::Writer); expect($this->runMiddleware($this->roleMiddleware, TestModels\TestRolePermissionsEnum::Writer)) ->toEqual(200); $this->testUser->assignRole(TestModels\TestRolePermissionsEnum::Editor); expect($this->runMiddleware($this->roleMiddleware, [TestModels\TestRolePermissionsEnum::Writer, TestModels\TestRolePermissionsEnum::Editor])) ->toEqual(200); }); ================================================ FILE: tests/Middleware/RoleOrPermissionMiddlewareTest.php ================================================ setUpPassport(); $this->roleOrPermissionMiddleware = new RoleOrPermissionMiddleware; }); it('a guest cannot access a route protected by the role or permission middleware', function () { expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole'))->toEqual(403); }); it('a user can access a route protected by permission or role middleware if has this permission or role', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-news|edit-articles'))->toEqual(200); $this->testUser->removeRole('testRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-articles'))->toEqual(200); $this->testUser->revokePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-articles'))->toEqual(200); expect($this->runMiddleware($this->roleOrPermissionMiddleware, ['testRole', 'edit-articles']))->toEqual(200); }); it('a client can access a route protected by permission or role middleware if has this permission or role', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'clientRole|edit-news|edit-posts', null, true))->toEqual(200); $this->testClient->removeRole('clientRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'clientRole|edit-posts', null, true))->toEqual(200); $this->testClient->revokePermissionTo('edit-posts'); $this->testClient->assignRole('clientRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'clientRole|edit-posts', null, true))->toEqual(200); expect($this->runMiddleware($this->roleOrPermissionMiddleware, ['clientRole', 'edit-posts'], null, true))->toEqual(200); }); it('a super admin user can access a route protected by permission or role middleware', function () { Auth::login($this->testUser); Gate::before(function ($user, $ability) { return $user->getKey() === $this->testUser->getKey() ? true : null; }); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-articles'))->toEqual(200); }); it('a user can not access a route protected by permission or role middleware if have not has roles trait', function () { $userWithoutHasRoles = UserWithoutHasRoles::create(['email' => 'test_not_has_roles@user.com']); Auth::login($userWithoutHasRoles); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-articles'))->toEqual(403); }); it('a user can not access a route protected by permission or role middleware if have not this permission and role', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|edit-articles'))->toEqual(403); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'missingRole|missingPermission'))->toEqual(403); }); it('a client can not access a route protected by permission or role middleware if have not this permission and role', function () { Passport::actingAsClient($this->testClient, ['*']); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'clientRole|edit-posts', null, true))->toEqual(403); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'missingRole|missingPermission', null, true))->toEqual(403); }); it('use not existing custom guard in role or permission', function () { $class = null; try { $this->roleOrPermissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'testRole', 'xxx'); } catch (InvalidArgumentException $e) { $class = get_class($e); } expect($class)->toEqual(InvalidArgumentException::class); }); it('user can not access permission or role with guard admin while login using default guard', function () { Auth::login($this->testUser); $this->testUser->assignRole('testRole'); $this->testUser->givePermissionTo('edit-articles'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'edit-articles|testRole', 'admin'))->toEqual(403); }); it('client can not access permission or role with guard admin while login using default guard', function () { Passport::actingAsClient($this->testClient, ['*']); $this->testClient->assignRole('clientRole'); $this->testClient->givePermissionTo('edit-posts'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'edit-posts|clientRole', 'admin', true))->toEqual(403); }); it('user can access permission or role with guard admin while login using admin guard', function () { Auth::guard('admin')->login($this->testAdmin); $this->testAdmin->assignRole('testAdminRole'); $this->testAdmin->givePermissionTo('admin-permission'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'admin-permission|testAdminRole', 'admin'))->toEqual(200); }); it('the required permissions or roles can be fetched from the exception', function () { Auth::login($this->testUser); $message = null; $requiredRolesOrPermissions = []; try { $this->roleOrPermissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-permission|some-role'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); $requiredRolesOrPermissions = $e->getRequiredPermissions(); } expect($message)->toEqual('User does not have any of the necessary access rights.'); expect($requiredRolesOrPermissions)->toEqual(['some-permission', 'some-role']); }); it('the required permissions or roles can be displayed in the exception', function () { Auth::login($this->testUser); Config::set(['permission.display_permission_in_exception' => true]); Config::set(['permission.display_role_in_exception' => true]); $message = null; try { $this->roleOrPermissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'some-permission|some-role'); } catch (UnauthorizedException $e) { $message = $e->getMessage(); } expect($message)->toEndWith('Necessary roles or permissions are some-permission, some-role'); }); it('the middleware can be created with static using method', function () { expect(RoleOrPermissionMiddleware::using('edit-articles')) ->toBe('Spatie\Permission\Middleware\RoleOrPermissionMiddleware:edit-articles'); expect(RoleOrPermissionMiddleware::using('edit-articles', 'my-guard')) ->toEqual('Spatie\Permission\Middleware\RoleOrPermissionMiddleware:edit-articles,my-guard'); expect(RoleOrPermissionMiddleware::using(['edit-articles', 'testAdminRole'])) ->toEqual('Spatie\Permission\Middleware\RoleOrPermissionMiddleware:edit-articles|testAdminRole'); }); ================================================ FILE: tests/Middleware/WildcardMiddlewareTest.php ================================================ roleMiddleware = new RoleMiddleware; $this->permissionMiddleware = new PermissionMiddleware; $this->roleOrPermissionMiddleware = new RoleOrPermissionMiddleware; app('config')->set('permission.enable_wildcard_permission', true); }); it('does not allow a guest to access a route protected by the permission middleware', function () { expect($this->runMiddleware($this->permissionMiddleware, 'articles.edit'))->toBe(403); }); it('allows a user to access a route protected by permission middleware if they have this permission', function () { Auth::login($this->testUser); Permission::create(['name' => 'articles']); $this->testUser->givePermissionTo('articles'); expect($this->runMiddleware($this->permissionMiddleware, 'articles.edit'))->toBe(200); }); it('allows a user to access a route protected by this permission middleware if they have one of the permissions', function () { Auth::login($this->testUser); Permission::create(['name' => 'articles.*.test']); $this->testUser->givePermissionTo('articles.*.test'); expect($this->runMiddleware($this->permissionMiddleware, 'news.edit|articles.create.test'))->toBe(200); expect($this->runMiddleware($this->permissionMiddleware, ['news.edit', 'articles.create.test']))->toBe(200); }); it('does not allow a user to access a route protected by the permission middleware if they have a different permission', function () { Auth::login($this->testUser); Permission::create(['name' => 'articles.*']); $this->testUser->givePermissionTo('articles.*'); expect($this->runMiddleware($this->permissionMiddleware, 'news.edit'))->toBe(403); }); it('does not allow a user to access a route protected by permission middleware if they have no permissions', function () { Auth::login($this->testUser); expect($this->runMiddleware($this->permissionMiddleware, 'articles.edit|news.edit'))->toBe(403); }); it('allows a user to access a route protected by permission or role middleware if they have this permission or role', function () { Auth::login($this->testUser); Permission::create(['name' => 'articles.*']); $this->testUser->assignRole('testRole'); $this->testUser->givePermissionTo('articles.*'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|news.edit|articles.create'))->toBe(200); $this->testUser->removeRole('testRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|articles.edit'))->toBe(200); $this->testUser->revokePermissionTo('articles.*'); $this->testUser->assignRole('testRole'); expect($this->runMiddleware($this->roleOrPermissionMiddleware, 'testRole|articles.edit'))->toBe(200); expect($this->runMiddleware($this->roleOrPermissionMiddleware, ['testRole', 'articles.edit']))->toBe(200); }); it('can fetch the required permissions from the exception', function () { Auth::login($this->testUser); $requiredPermissions = []; try { $this->permissionMiddleware->handle(new Request, function () { return (new Response)->setContent(''); }, 'permission.some'); } catch (UnauthorizedException $e) { $requiredPermissions = $e->getRequiredPermissions(); } expect($requiredPermissions)->toBe(['permission.some']); }); ================================================ FILE: tests/Models/PermissionTest.php ================================================ testUser->givePermissionTo($this->testUserPermission); $permission = app(Permission::class)::with('users') ->where($this->testUserPermission->getKeyName(), $this->testUserPermission->getKey()) ->first(); expect($this->testUserPermission->getKey())->toEqual($permission->getKey()); expect($permission->users)->toHaveCount(1); expect($this->testUser->id)->toEqual($permission->users[0]->id); }); it('throws an exception when the permission already exists', function () { app(Permission::class)->create(['name' => 'test-permission']); expect(fn () => app(Permission::class)->create(['name' => 'test-permission'])) ->toThrow(PermissionAlreadyExists::class); }); it('belongs to a guard', function () { $permission = app(Permission::class)->create(['name' => 'can-edit', 'guard_name' => 'admin']); expect($permission->guard_name)->toEqual('admin'); }); it('belongs to the default guard by default', function () { expect($this->testUserPermission->guard_name)->toEqual( $this->app['config']->get('auth.defaults.guard') ); }); it('has user models of the right class', function () { $this->testAdmin->givePermissionTo($this->testAdminPermission); $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUserPermission->users)->toHaveCount(1); expect($this->testUserPermission->users->first()->is($this->testUser))->toBeTrue(); expect($this->testUserPermission->users->first())->toBeInstanceOf(User::class); }); it('is retrievable by id', function () { $permission_by_id = app(Permission::class)->findById($this->testUserPermission->id); expect($permission_by_id->id)->toEqual($this->testUserPermission->id); }); it('can delete hydrated permissions', function () { $this->reloadPermissions(); $permission = app(Permission::class)->findByName($this->testUserPermission->name); $permission->delete(); expect(app(Permission::class)->where($this->testUserPermission->getKeyName(), $this->testUserPermission->getKey())->get())->toHaveCount(0); }); it('does not treat string "0" as empty when giving permission', function () { app(Permission::class)->create(['name' => '0']); $this->testUser->givePermissionTo('0'); expect($this->testUser->hasPermissionTo('0'))->toBeTrue(); }); ================================================ FILE: tests/Models/RoleTest.php ================================================ 'other-permission']); Permission::create(['name' => 'wrong-guard-permission', 'guard_name' => 'admin']); }); it('get user models using with', function () { $this->testUser->assignRole($this->testUserRole); $role = app(Role::class)::with('users') ->where($this->testUserRole->getKeyName(), $this->testUserRole->getKey())->first(); expect($role->getKey())->toEqual($this->testUserRole->getKey()); expect($role->users)->toHaveCount(1); expect($role->users[0]->id)->toEqual($this->testUser->id); }); it('has user models of the right class', function () { $this->testAdmin->assignRole($this->testAdminRole); $this->testUser->assignRole($this->testUserRole); expect($this->testUserRole->users)->toHaveCount(1); expect($this->testUserRole->users->first()->is($this->testUser))->toBeTrue(); expect($this->testUserRole->users->first())->toBeInstanceOf(User::class); expect($this->testAdminRole->users)->toHaveCount(1); expect($this->testAdminRole->users->first()->is($this->testAdmin))->toBeTrue(); expect($this->testAdminRole->users->first())->toBeInstanceOf(Admin::class); }); it('throws an exception when the role already exists', function () { app(Role::class)->create(['name' => 'test-role']); expect(fn () => app(Role::class)->create(['name' => 'test-role'])) ->toThrow(RoleAlreadyExists::class); }); it('can be given a permission', function () { $this->testUserRole->givePermissionTo('edit-articles'); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('throws an exception when given a permission that does not exist', function () { expect(fn () => $this->testUserRole->givePermissionTo('create-evil-empire')) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when given a permission that belongs to another guard', function () { expect(fn () => $this->testUserRole->givePermissionTo('admin-permission')) ->toThrow(PermissionDoesNotExist::class); expect(fn () => $this->testUserRole->givePermissionTo($this->testAdminPermission)) ->toThrow(GuardDoesNotMatch::class); }); it('can be given multiple permissions using an array', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeTrue(); expect($this->testUserRole->hasPermissionTo('edit-news'))->toBeTrue(); }); it('can be given multiple permissions using multiple arguments', function () { $this->testUserRole->givePermissionTo('edit-articles', 'edit-news'); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeTrue(); expect($this->testUserRole->hasPermissionTo('edit-news'))->toBeTrue(); }); it('can sync permissions', function () { $this->testUserRole->givePermissionTo('edit-articles'); $this->testUserRole->syncPermissions('edit-news'); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeFalse(); expect($this->testUserRole->hasPermissionTo('edit-news'))->toBeTrue(); }); it('throws an exception when syncing permissions that do not exist', function () { $this->testUserRole->givePermissionTo('edit-articles'); expect(fn () => $this->testUserRole->syncPermissions('permission-does-not-exist')) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when syncing permissions that belong to a different guard', function () { $this->testUserRole->givePermissionTo('edit-articles'); expect(fn () => $this->testUserRole->syncPermissions('admin-permission')) ->toThrow(PermissionDoesNotExist::class); expect(fn () => $this->testUserRole->syncPermissions($this->testAdminPermission)) ->toThrow(GuardDoesNotMatch::class); }); it('will remove all permissions when passing an empty array to sync permissions', function () { $this->testUserRole->givePermissionTo('edit-articles'); $this->testUserRole->givePermissionTo('edit-news'); $this->testUserRole->syncPermissions([]); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeFalse(); expect($this->testUserRole->hasPermissionTo('edit-news'))->toBeFalse(); }); test('sync permission error does not detach permissions', function () { $this->testUserRole->givePermissionTo('edit-news'); expect(fn () => $this->testUserRole->syncPermissions('edit-articles', 'permission-that-does-not-exist')) ->toThrow(PermissionDoesNotExist::class); expect($this->testUserRole->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('can revoke a permission', function () { $this->testUserRole->givePermissionTo('edit-articles'); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeTrue(); $this->testUserRole->revokePermissionTo('edit-articles'); $this->testUserRole = $this->testUserRole->fresh(); expect($this->testUserRole->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('can be given a permission using objects', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); expect($this->testUserRole->hasPermissionTo($this->testUserPermission))->toBeTrue(); }); it('returns false if it does not have the permission', function () { expect($this->testUserRole->hasPermissionTo('other-permission'))->toBeFalse(); }); it('throws an exception if the permission does not exist', function () { expect(fn () => $this->testUserRole->hasPermissionTo('doesnt-exist')) ->toThrow(PermissionDoesNotExist::class); }); it('returns false if it does not have a permission object', function () { $permission = app(Permission::class)->findByName('other-permission'); expect($this->testUserRole->hasPermissionTo($permission))->toBeFalse(); }); it('creates permission object with findOrCreate if it does not have a permission object', function () { $permission = app(Permission::class)->findOrCreate('another-permission'); expect($this->testUserRole->hasPermissionTo($permission))->toBeFalse(); $this->testUserRole->givePermissionTo($permission); $this->testUserRole = $this->testUserRole->fresh(); expect($this->testUserRole->hasPermissionTo('another-permission'))->toBeTrue(); }); it('creates a role with findOrCreate if the named role does not exist', function () { expect(fn () => app(Role::class)->findByName('non-existing-role')) ->toThrow(RoleDoesNotExist::class); $role2 = app(Role::class)->findOrCreate('yet-another-role'); expect($role2)->toBeInstanceOf(app(Role::class)::class); }); it('throws an exception when a permission of the wrong guard is passed in', function () { $permission = app(Permission::class)->findByName('wrong-guard-permission', 'admin'); expect(fn () => $this->testUserRole->hasPermissionTo($permission)) ->toThrow(GuardDoesNotMatch::class); }); it('belongs to a guard', function () { $role = app(Role::class)->create(['name' => 'admin', 'guard_name' => 'admin']); expect($role->guard_name)->toEqual('admin'); }); it('belongs to the default guard by default', function () { expect($this->testUserRole->guard_name)->toEqual( $this->app['config']->get('auth.defaults.guard') ); }); it('can change role class on runtime', function () { $role = app(Role::class)->create(['name' => 'test-role-old']); expect($role)->not->toBeInstanceOf(RuntimeRole::class); $role->givePermissionTo('edit-articles'); app('config')->set('permission.models.role', RuntimeRole::class); app()->bind(Role::class, RuntimeRole::class); app(PermissionRegistrar::class)->setRoleClass(RuntimeRole::class); $permission = app(Permission::class)->findByName('edit-articles'); expect($permission->roles[0])->toBeInstanceOf(RuntimeRole::class); expect($permission->roles[0]->name)->toBe('test-role-old'); $role = app(Role::class)->create(['name' => 'test-role']); expect($role)->toBeInstanceOf(RuntimeRole::class); $this->testUser->assignRole('test-role'); expect($this->testUser->hasRole('test-role'))->toBeTrue(); expect($this->testUser->roles[0])->toBeInstanceOf(RuntimeRole::class); expect($this->testUser->roles[0]->name)->toBe('test-role'); }); it('does not treat string "0" as empty when assigning role', function () { app(Role::class)->create(['name' => '0']); $this->testUser->assignRole('0'); expect($this->testUser->hasRole('0'))->toBeTrue(); }); ================================================ FILE: tests/Models/RoleWithNestingTest.php ================================================ setUpRoleNesting(); $this->parent_roles = [ 'has_no_children' => Role::create(['name' => 'has_no_children']), 'has_1_child' => Role::create(['name' => 'has_1_child']), 'has_3_children' => Role::create(['name' => 'has_3_children']), ]; $this->child_roles = [ 'has_no_parents' => Role::create(['name' => 'has_no_parents']), 'has_1_parent' => Role::create(['name' => 'has_1_parent']), 'has_2_parents' => Role::create(['name' => 'has_2_parents']), 'third_child' => Role::create(['name' => 'third_child']), ]; $this->parent_roles['has_1_child']->children()->attach($this->child_roles['has_2_parents']); $this->parent_roles['has_3_children']->children()->attach([ $this->child_roles['has_2_parents']->getKey(), $this->child_roles['has_1_parent']->getKey(), $this->child_roles['third_child']->getKey(), ]); }); it('returns correct withCount of nested roles', function (string $role_group, string $index, string $relation, int $expectedCount) { $role = $this->$role_group[$index]; $count_field_name = sprintf('%s_count', $relation); $actualCount = (int) Role::withCount($relation)->find($role->getKey())->$count_field_name; expect($actualCount)->toBe($expectedCount, sprintf('%s expects %d %s, %d found', $role->name, $expectedCount, $relation, $actualCount)); })->with([ ['parent_roles', 'has_no_children', 'children', 0], ['parent_roles', 'has_1_child', 'children', 1], ['parent_roles', 'has_3_children', 'children', 3], ['child_roles', 'has_no_parents', 'parents', 0], ['child_roles', 'has_1_parent', 'parents', 1], ['child_roles', 'has_2_parents', 'parents', 2], ]); ================================================ FILE: tests/Models/WildcardRoleTest.php ================================================ set('permission.enable_wildcard_permission', true); Permission::create(['name' => 'other-permission']); Permission::create(['name' => 'wrong-guard-permission', 'guard_name' => 'admin']); }); it('can be given a permission', function () { Permission::create(['name' => 'posts.*']); $this->testUserRole->givePermissionTo('posts.*'); expect($this->testUserRole->hasPermissionTo('posts.create'))->toBeTrue(); }); it('can be given multiple permissions using an array', function () { Permission::create(['name' => 'posts.*']); Permission::create(['name' => 'news.*']); $this->testUserRole->givePermissionTo(['posts.*', 'news.*']); expect($this->testUserRole->hasPermissionTo('posts.create'))->toBeTrue(); expect($this->testUserRole->hasPermissionTo('news.create'))->toBeTrue(); }); it('can be given multiple permissions using multiple arguments', function () { Permission::create(['name' => 'posts.*']); Permission::create(['name' => 'news.*']); $this->testUserRole->givePermissionTo('posts.*', 'news.*'); expect($this->testUserRole->hasPermissionTo('posts.edit.123'))->toBeTrue(); expect($this->testUserRole->hasPermissionTo('news.view.1'))->toBeTrue(); }); it('can be given a permission using objects', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); expect($this->testUserRole->hasPermissionTo($this->testUserPermission))->toBeTrue(); }); it('returns false if it does not have the permission', function () { expect($this->testUserRole->hasPermissionTo('other-permission'))->toBeFalse(); }); it('returns false if permission does not exist', function () { expect($this->testUserRole->hasPermissionTo('doesnt-exist'))->toBeFalse(); }); it('returns false if it does not have a permission object', function () { $permission = app(Permission::class)->findByName('other-permission'); expect($this->testUserRole->hasPermissionTo($permission))->toBeFalse(); }); it('creates permission object with findOrCreate if it does not have a permission object', function () { $permission = app(Permission::class)->findOrCreate('another-permission'); expect($this->testUserRole->hasPermissionTo($permission))->toBeFalse(); $this->testUserRole->givePermissionTo($permission); $this->testUserRole = $this->testUserRole->fresh(); expect($this->testUserRole->hasPermissionTo('another-permission'))->toBeTrue(); }); it('returns false when a permission of the wrong guard is passed in', function () { $permission = app(Permission::class)->findByName('wrong-guard-permission', 'admin'); expect($this->testUserRole->hasPermissionTo($permission))->toBeFalse(); }); ================================================ FILE: tests/Pest.php ================================================ in(__DIR__); ================================================ FILE: tests/TestSupport/ContentPolicy.php ================================================ hasRole('testAdminRole', 'admin') ?: null; } public function view($user, $content) { return $user->id === $content->user_id; } public function update($user, $modelRecord): bool { return $user->id === $modelRecord->user_id || $user->can('edit-articles'); } } ================================================ FILE: tests/TestSupport/TestCase.php ================================================ prepareMigration(); } // Note: this also flushes the cache from within the migration $this->setUpDatabase($this->app); $this->setUpBaseTestPermissions($this->app); $this->setUpRoutes(); } protected function tearDown(): void { parent::tearDown(); if (method_exists(AboutCommand::class, 'flushState')) { AboutCommand::flushState(); } } /** * @param \Illuminate\Foundation\Application $app */ protected function getPackageProviders($app): array { return [ PermissionServiceProvider::class, PassportServiceProvider::class, ]; } /** * Set up the environment. * * @param \Illuminate\Foundation\Application $app */ protected function getEnvironmentSetUp($app) { Model::preventLazyLoading(); $app['config']->set('permission.register_permission_check_method', true); $app['config']->set('permission.teams', false); $app['config']->set('permission.testing', true); // fix sqlite $app['config']->set('permission.column_names.model_morph_key', 'model_test_id'); $app['config']->set('permission.column_names.team_foreign_key', 'team_test_id'); $app['config']->set('database.default', 'sqlite'); $app['config']->set('database.connections.sqlite', [ 'driver' => 'sqlite', 'database' => ':memory:', 'prefix' => '', ]); $app['config']->set('permission.column_names.role_pivot_key', 'role_test_id'); $app['config']->set('permission.column_names.permission_pivot_key', 'permission_test_id'); $app['config']->set('view.paths', [__DIR__.'/resources/views']); // ensure api guard exists, since we use it for testing multi-guard support $app['config']->set('auth.guards.api', ['driver' => 'session', 'provider' => 'users']); // Set-up admin guard $app['config']->set('auth.guards.admin', ['driver' => 'session', 'provider' => 'admins']); $app['config']->set('auth.providers.admins', ['driver' => 'eloquent', 'model' => Admin::class]); // Use test User model for users provider $app['config']->set('auth.providers.users.model', User::class); $app['config']->set('cache.prefix', 'spatie_tests---'); $app['config']->set('cache.default', getenv('CACHE_DRIVER') ?: 'array'); // FOR MANUAL TESTING OF ALTERNATE CACHE STORES: // $app['config']->set('cache.default', 'array'); // Laravel supports: array, database, file // requires extensions: memcached, redis, dynamodb, octane } /** * Set up the database. * * @param \Illuminate\Foundation\Application $app */ protected function setUpDatabase($app) { $schema = $app['db']->connection()->getSchemaBuilder(); $schema->create('users', function (Blueprint $table) { $table->increments('id'); $table->string('email'); $table->softDeletes(); }); $schema->create('admins', function (Blueprint $table) { $table->increments('id'); $table->string('email'); }); $schema->create('content', function (Blueprint $table) { $table->increments('id'); $table->string('content'); $table->foreignId('user_id')->nullable()->constrained()->nullOnDelete(); $table->timestamps(); }); if (Cache::getStore() instanceof \Illuminate\Cache\DatabaseStore || $app[PermissionRegistrar::class]->getCacheStore() instanceof \Illuminate\Cache\DatabaseStore) { $this->createCacheTable(); } self::$migration->up(); $this->testUser = User::create(['email' => 'test@user.com']); $this->testAdmin = Admin::create(['email' => 'admin@user.com']); } /** * Set up initial roles and permissions used in many tests * * @param \Illuminate\Foundation\Application $app */ protected function setUpBaseTestPermissions($app): void { $this->testUserRole = $app[Role::class]->create(['name' => 'testRole']); $app[Role::class]->create(['name' => 'testRole2']); $this->testAdminRole = $app[Role::class]->create(['name' => 'testAdminRole', 'guard_name' => 'admin']); $this->testUserPermission = $app[Permission::class]->create(['name' => 'edit-articles']); $app[Permission::class]->create(['name' => 'edit-news']); $app[Permission::class]->create(['name' => 'edit-blog']); $this->testAdminPermission = $app[Permission::class]->create([ 'name' => 'admin-permission', 'guard_name' => 'admin', ]); $app[Permission::class]->create(['name' => 'Edit News']); } public function setUpPassport(): void { $app = $this->app; $app['config']->set('permission.use_passport_client_credentials', true); $app['config']->set('auth.guards.api', ['driver' => 'passport', 'provider' => 'users']); // mimic passport:install (must load migrations using our own call to loadMigrationsFrom() else rollbacks won't occur, and migrations will be left in skeleton directory // $this->artisan('passport:keys'); $this->loadMigrationsFrom(__DIR__.'/../../vendor/laravel/passport/database/migrations/'); $provider = in_array('users', array_keys(config('auth.providers'))) ? 'users' : null; $this->artisan('passport:client', ['--personal' => true, '--name' => config('app.name').' Personal Access Client', '--provider' => $provider]); $this->artisan('passport:client', ['--password' => true, '--name' => config('app.name').' Password Grant Client', '--provider' => $provider]); $this->testClient = Client::create(['name' => 'Test', 'redirect_uris' => ['https://example.com'], 'grant_types' => [], 'revoked' => 0]); $this->testClientRole = $app[Role::class]->create(['name' => 'clientRole', 'guard_name' => 'api']); $this->testClientPermission = $app[Permission::class]->create(['name' => 'edit-posts', 'guard_name' => 'api']); } private function prepareMigration(): void { $migration = str_replace( [ '$table->id(); // permission id', '$table->id(); // role id', 'references(\'id\') // permission id', 'references(\'id\') // role id', 'unsignedBigInteger($pivotRole)', 'unsignedBigInteger($pivotPermission)', ], [ '$table->uuid(\'permission_test_id\');', '$table->uuid(\'role_test_id\');', 'references(\'permission_test_id\')', 'references(\'role_test_id\')', 'uuid($pivotRole)->nullable(false)', 'uuid($pivotPermission)->nullable(false)', ], file_get_contents(__DIR__.'/../../database/migrations/create_permission_tables.php.stub') ); file_put_contents(__DIR__.'/CreatePermissionCustomTables.php', $migration); self::$migration = require __DIR__.'/../../database/migrations/create_permission_tables.php.stub'; self::$customMigration = require __DIR__.'/CreatePermissionCustomTables.php'; } public function setUpTeams(): void { self::$migration->down(); config()->set('permission.teams', true); self::$migration->up(); app(PermissionRegistrar::class)->initializeCache(); $this->setUpBaseTestPermissions($this->app); setPermissionsTeamId(1); } public function setUpCustomModels(): void { self::$migration->down(); $registrar = app(PermissionRegistrar::class); $registrar->setPermissionClass(\Spatie\Permission\Tests\TestSupport\TestModels\Permission::class); $registrar->setRoleClass(\Spatie\Permission\Tests\TestSupport\TestModels\Role::class); self::$customMigration->up(); $schema = $this->app['db']->connection()->getSchemaBuilder(); $schema->table(config('permission.table_names.roles'), function (Blueprint $table) { $table->softDeletes(); }); $schema->table(config('permission.table_names.permissions'), function (Blueprint $table) { $table->softDeletes(); }); $registrar->initializeCache(); $this->setUpBaseTestPermissions($this->app); } public function setUpRoleNesting(): void { $this->setUpCustomModels(); $tableRoles = config('permission.table_names.roles'); $this->app['db']->connection()->getSchemaBuilder()->create(TestRole::HIERARCHY_TABLE, function ($table) use ($tableRoles) { $table->id(); $table->uuid('parent_id'); $table->uuid('child_id'); $table->foreign('parent_id')->references('role_test_id')->on($tableRoles); $table->foreign('child_id')->references('role_test_id')->on($tableRoles); }); } protected function reloadPermissions(): void { app(PermissionRegistrar::class)->forgetCachedPermissions(); } public function createCacheTable(): void { Schema::create('cache', function ($table) { $table->string('key')->unique(); $table->text('value'); $table->integer('expiration'); }); } /** * Create routes to test authentication with guards. */ public function setUpRoutes(): void { Route::middleware('auth:api')->get('/check-api-guard-permission', function (Request $request) { return [ 'status' => $request->user()->hasPermissionTo('do_that'), ]; }); } // //// TEST HELPERS public function runMiddleware($middleware, $permission, $guard = null, bool $client = false) { $request = new Request; if ($client) { $request->headers->set('Authorization', 'Bearer '.str()->random(30)); } try { return $middleware->handle($request, function () { return (new Response)->setContent(''); }, $permission, $guard)->status(); } catch (UnauthorizedException $e) { return $e->getStatusCode(); } } public function getLastRouteMiddlewareFromRouter($router) { return last($router->getRoutes()->get())->middleware(); } public function getRouter() { return app('router'); } public function getRouteResponse() { return function () { return (new Response)->setContent(''); }; } protected function getLaravelVersion(): float { return (float) app()->version(); } } ================================================ FILE: tests/TestSupport/TestHelper.php ================================================ handle(new Request, function () { return (new Response)->setContent(''); }, $parameter)->status(); } catch (HttpException $e) { return $e->getStatusCode(); } } } ================================================ FILE: tests/TestSupport/TestModels/Admin.php ================================================ {$model->getKeyName()})) { $model->{$model->getKeyName()} = Str::uuid()->toString(); } }); } public function getIncrementing(): bool { return false; } public function getKeyType(): string { return 'string'; } } ================================================ FILE: tests/TestSupport/TestModels/Role.php ================================================ attributes['name']; if (str_contains($name, 'casted_enum')) { return TestRolePermissionsEnum::from($name); } return $name; } public function parents(): BelongsToMany { return $this->belongsToMany( static::class, static::HIERARCHY_TABLE, 'child_id', 'parent_id'); } public function children(): BelongsToMany { return $this->belongsToMany( static::class, static::HIERARCHY_TABLE, 'parent_id', 'child_id'); } protected static function boot() { parent::boot(); static::creating(static function ($model) { if (empty($model->{$model->getKeyName()})) { $model->{$model->getKeyName()} = Str::uuid()->toString(); } }); } public function getIncrementing(): bool { return false; } public function getKeyType(): string { return 'string'; } } ================================================ FILE: tests/TestSupport/TestModels/RuntimeRole.php ================================================ 'Writers', self::Editor => 'Editors', self::UserManager => 'User Managers', self::Admin => 'Admins', self::ViewArticles => 'View Articles', self::EditArticles => 'Edit Articles', default => Str::words($this->value), }; } } ================================================ FILE: tests/TestSupport/TestModels/User.php ================================================ testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); }); it('can assign a permission to a user with a non default guard', function () { $testUserPermission = app(Permission::class)->create([ 'name' => 'edit-articles', 'guard_name' => 'api', ]); $this->testUser->givePermissionTo($testUserPermission); expect($this->testUser->hasPermissionTo($testUserPermission))->toBeTrue(); }); it('throws an exception when assigning a permission that does not exist', function () { expect(fn () => $this->testUser->givePermissionTo('permission-does-not-exist')) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when assigning a permission to a user from a different guard', function () { expect(fn () => $this->testUser->givePermissionTo($this->testAdminPermission)) ->toThrow(GuardDoesNotMatch::class); expect(fn () => $this->testUser->givePermissionTo('admin-permission')) ->toThrow(PermissionDoesNotExist::class); }); it('can revoke a permission from a user', function () { $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeFalse(); }); it('can assign and remove a permission using enums', function () { $enum = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $permission = app(Permission::class)->findOrCreate($enum->value, 'web'); $this->testUser->givePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeTrue(); expect($this->testUser->hasAnyPermission($enum))->toBeTrue(); expect($this->testUser->hasDirectPermission($enum))->toBeTrue(); $this->testUser->revokePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeFalse(); expect($this->testUser->hasAnyPermission($enum))->toBeFalse(); expect($this->testUser->hasDirectPermission($enum))->toBeFalse(); }); it('can scope users using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::EditArticles; $permission1 = app(Permission::class)->findOrCreate($enum1->value, 'web'); $permission2 = app(Permission::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo([$enum1, $enum2]); $this->testUserRole->givePermissionTo($enum2); $user2->assignRole('testRole'); $scopedUsers1 = User::permission($enum2)->get(); $scopedUsers2 = User::permission([$enum1])->get(); $scopedUsers3 = User::withoutPermission([$enum1])->get(); $scopedUsers4 = User::withoutPermission([$enum2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); expect($scopedUsers4->count())->toEqual(1); }); it('can scope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using a int', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo([1, 2]); $this->testUserRole->givePermissionTo(1); $user2->assignRole('testRole'); $scopedUsers1 = User::permission(1)->get(); $scopedUsers2 = User::permission([2])->get(); $scopedUsers3 = User::withoutPermission([2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(['edit-articles', 'edit-news'])->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission(['edit-news'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using a collection', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(collect(['edit-articles', 'edit-news']))->get(); $scopedUsers2 = User::permission(collect(['edit-news']))->get(); $scopedUsers3 = User::withoutPermission(collect(['edit-news']))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user1->givePermissionTo($this->testUserPermission->name); $scopedUsers1 = User::permission($this->testUserPermission)->get(); $scopedUsers2 = User::permission([$this->testUserPermission])->get(); $scopedUsers3 = User::permission(collect([$this->testUserPermission]))->get(); $scopedUsers4 = User::withoutPermission(collect([$this->testUserPermission]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); expect($scopedUsers4->count())->toEqual(0); }); it('can scope users without direct permissions only role', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $this->testUserRole->givePermissionTo('edit-articles'); $user1->assignRole('testRole'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::withoutPermission('edit-articles')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users with only direct permission', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-news']); $user2->givePermissionTo(['edit-articles', 'edit-news']); $scopedUsers1 = User::permission('edit-news')->get(); $scopedUsers2 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('throws an exception when calling hasPermissionTo with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(new \stdClass)) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasPermissionTo with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(null)) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(new \stdClass)) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(null)) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a non existing permission', function () { expect(fn () => User::permission('not defined permission')->get()) ->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('not defined permission')->get()) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a permission from another guard', function () { expect(fn () => User::permission('testAdminPermission')->get()) ->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('testAdminPermission')->get()) ->toThrow(PermissionDoesNotExist::class); }); it('doesnt detach permissions when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->givePermissionTo(['edit-news']); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasPermissionTo('edit-news'))->toBeTrue(); }); it('can give and revoke multiple permissions', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models array', function () { $models = [app(Permission::class)::where('name', 'edit-articles')->first(), app(Permission::class)::where('name', 'edit-news')->first()]; $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models collection', function () { $models = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can determine that the user does not have a permission', function () { expect($this->testUser->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('throws an exception when the permission does not exist', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist')) ->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when the permission does not exist for this guard', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist', 'web')) ->toThrow(PermissionDoesNotExist::class); }); it('can reject a user that does not have any permissions at all', function () { $user = new User; expect($user->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('can determine that the user has any of the permissions directly', function () { expect($this->testUser->hasAnyPermission('edit-articles'))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission('edit-articles', 'edit-news'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has any of the permissions directly using an array', function () { expect($this->testUser->hasAnyPermission(['edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission(['edit-news', 'edit-articles']))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission(['edit-articles', 'edit-news']))->toBeTrue(); }); it('can determine that the user has any of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has all of the permissions directly', function () { $this->testUser->givePermissionTo('edit-articles', 'edit-news'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeFalse(); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can determine that the user has all of the permissions directly using an array', function () { expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions(['edit-news', 'edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); }); it('can determine that the user has all of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles', 'edit-news'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); }); it('can determine that user has direct permission', function () { $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->getDirectPermissions()->pluck('name'))->toEqual(collect(['edit-articles'])); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); $this->testUser->assignRole('testRole'); $this->testUserRole->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); }); it('can list all the permissions via roles of user', function () { $roleModel = app(Role::class); $roleModel->findByName('testRole2')->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getPermissionsViaRoles()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can list all the coupled permissions both directly and via roles', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->getAllPermissions()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can sync multiple permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->syncPermissions('edit-articles', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('can avoid sync duplicated permissions', function () { $this->testUser->syncPermissions('edit-articles', 'edit-blog', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); }); it('can avoid detach on permission that does not exist sync', function () { $this->testUser->syncPermissions('edit-articles'); expect(fn () => $this->testUser->syncPermissions('permission-does-not-exist')) ->toThrow(PermissionDoesNotExist::class); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->checkPermissionTo('permission-does-not-exist'))->toBeFalse(); }); it('can sync multiple permissions by id', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission ignores null inputs', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $ids->push(null); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission error does not detach permissions', function () { $this->testUser->givePermissionTo('edit-news'); expect(fn () => $this->testUser->syncPermissions('edit-articles', 'permission-that-does-not-exist')) ->toThrow(PermissionDoesNotExist::class); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not remove already associated permissions when assigning new permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not throw an exception when assigning a permission that is already assigned', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-news'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('can sync permissions to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-articles'); $user->save(); $user->save(); // test save same model twice expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); $user->syncPermissions('edit-articles'); expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new permissions', function () { $permission2 = app(Permission::class)->where('name', ['edit-news'])->first(); DB::enableQueryLog(); $this->testUser->syncPermissions($this->testUserPermission, $permission2); DB::disableQueryLog(); $necessaryQueriesCount = 2; expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling givePermissionTo before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->givePermissionTo('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->givePermissionTo('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling syncPermissions before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->syncPermissions('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('can retrieve permission names', function () { $this->testUser->givePermissionTo('edit-news', 'edit-articles'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can check many direct permissions', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAllDirectPermissions(['edit-news', 'edit-articles']))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news', 'edit-blog']))->toBeFalse(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can check if there is any of the direct permissions given', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAnyDirectPermission(['edit-news', 'edit-blog']))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-news', 'edit-blog'))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can check permission based on logged in user guard', function () { $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ])); $response = $this->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => true, ]); }); it('can reject permission based on logged in user guard', function () { $unassignedPermission = app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ]); $assignedPermission = app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'web', ]); $this->testUser->givePermissionTo($assignedPermission); $response = $this->withExceptionHandling() ->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => false, ]); }); it('fires an event when a permission is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertDispatched(PermissionAttachedEvent::class, function ($event) use ($ids) { return $event->model instanceof User && $event->model->hasPermissionTo('edit-news') && $event->model->hasPermissionTo('edit-articles') && $ids === $event->permissionsOrIds; }); }); it('does not fire an event when events are not enabled', function () { Event::fake(); app('config')->set('permission.events_enabled', false); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertNotDispatched(PermissionAttachedEvent::class); }); it('fires an event when a permission is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $permissions = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUser->givePermissionTo($permissions); $this->testUser->revokePermissionTo($permissions); Event::assertDispatched(PermissionDetachedEvent::class, function ($event) use ($permissions) { return $event->model instanceof User && ! $event->model->hasPermissionTo('edit-news') && ! $event->model->hasPermissionTo('edit-articles') && $event->permissionsOrIds === $permissions; }); }); it('can be given a permission on role when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testRole = app(Role::class)->with('permissions')->get()->first(); $testRole->givePermissionTo('edit-articles'); expect($testRole->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('can be given a permission on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $testUser = User::with('permissions')->get()->first(); $testUser->givePermissionTo('edit-articles'); expect($testUser->hasPermissionTo('edit-articles'))->toBeTrue(); }); ================================================ FILE: tests/Traits/HasPermissionsWithCustomModelsTest.php ================================================ setUpCustomModels(); $this->resetDatabaseQuery = config('cache.default') === 'database' ? 1 : 0; }); // ---- Tests inherited from HasPermissionsTest ---- it('can assign a permission to a user', function () { $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); }); it('can assign a permission to a user with a non default guard', function () { $testUserPermission = app(PermissionContract::class)->create([ 'name' => 'edit-articles', 'guard_name' => 'api', ]); $this->testUser->givePermissionTo($testUserPermission); expect($this->testUser->hasPermissionTo($testUserPermission))->toBeTrue(); }); it('throws an exception when assigning a permission that does not exist', function () { expect(fn () => $this->testUser->givePermissionTo('permission-does-not-exist'))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when assigning a permission to a user from a different guard', function () { expect(fn () => $this->testUser->givePermissionTo($this->testAdminPermission))->toThrow(GuardDoesNotMatch::class); expect(fn () => $this->testUser->givePermissionTo('admin-permission'))->toThrow(PermissionDoesNotExist::class); }); it('can revoke a permission from a user', function () { $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeFalse(); }); it('can assign and remove a permission using enums', function () { $enum = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $permission = app(PermissionContract::class)->findOrCreate($enum->value, 'web'); $this->testUser->givePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeTrue(); expect($this->testUser->hasAnyPermission($enum))->toBeTrue(); expect($this->testUser->hasDirectPermission($enum))->toBeTrue(); $this->testUser->revokePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeFalse(); expect($this->testUser->hasAnyPermission($enum))->toBeFalse(); expect($this->testUser->hasDirectPermission($enum))->toBeFalse(); }); it('can scope users using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::EditArticles; $permission1 = app(PermissionContract::class)->findOrCreate($enum1->value, 'web'); $permission2 = app(PermissionContract::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo([$enum1, $enum2]); $this->testUserRole->givePermissionTo($enum2); $user2->assignRole('testRole'); $scopedUsers1 = User::permission($enum2)->get(); $scopedUsers2 = User::permission([$enum1])->get(); $scopedUsers3 = User::withoutPermission([$enum1])->get(); $scopedUsers4 = User::withoutPermission([$enum2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); expect($scopedUsers4->count())->toEqual(1); }); it('can scope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(['edit-articles', 'edit-news'])->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission(['edit-news'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using a collection', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(collect(['edit-articles', 'edit-news']))->get(); $scopedUsers2 = User::permission(collect(['edit-news']))->get(); $scopedUsers3 = User::withoutPermission(collect(['edit-news']))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user1->givePermissionTo($this->testUserPermission->name); $scopedUsers1 = User::permission($this->testUserPermission)->get(); $scopedUsers2 = User::permission([$this->testUserPermission])->get(); $scopedUsers3 = User::permission(collect([$this->testUserPermission]))->get(); $scopedUsers4 = User::withoutPermission(collect([$this->testUserPermission]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); expect($scopedUsers4->count())->toEqual(0); }); it('can scope users without direct permissions only role', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $this->testUserRole->givePermissionTo('edit-articles'); $user1->assignRole('testRole'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::withoutPermission('edit-articles')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users with only direct permission', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-news']); $user2->givePermissionTo(['edit-articles', 'edit-news']); $scopedUsers1 = User::permission('edit-news')->get(); $scopedUsers2 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('throws an exception when calling hasPermissionTo with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(new \stdClass))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasPermissionTo with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(null))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(new \stdClass))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(null))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a non existing permission', function () { expect(fn () => User::permission('not defined permission')->get())->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('not defined permission')->get())->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a permission from another guard', function () { expect(fn () => User::permission('testAdminPermission')->get())->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('testAdminPermission')->get())->toThrow(PermissionDoesNotExist::class); }); it('doesnt detach permissions when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->givePermissionTo(['edit-news']); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasPermissionTo('edit-news'))->toBeTrue(); }); it('can give and revoke multiple permissions', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models array', function () { $models = [app(PermissionContract::class)::where('name', 'edit-articles')->first(), app(PermissionContract::class)::where('name', 'edit-news')->first()]; $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models collection', function () { $models = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can determine that the user does not have a permission', function () { expect($this->testUser->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('throws an exception when the permission does not exist', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist'))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when the permission does not exist for this guard', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist', 'web'))->toThrow(PermissionDoesNotExist::class); }); it('can reject a user that does not have any permissions at all', function () { $user = new User; expect($user->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('can determine that the user has any of the permissions directly', function () { expect($this->testUser->hasAnyPermission('edit-articles'))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission('edit-articles', 'edit-news'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has any of the permissions directly using an array', function () { expect($this->testUser->hasAnyPermission(['edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission(['edit-news', 'edit-articles']))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission(['edit-articles', 'edit-news']))->toBeTrue(); }); it('can determine that the user has any of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has all of the permissions directly', function () { $this->testUser->givePermissionTo('edit-articles', 'edit-news'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeFalse(); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can determine that the user has all of the permissions directly using an array', function () { expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions(['edit-news', 'edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); }); it('can determine that the user has all of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles', 'edit-news'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); }); it('can determine that user has direct permission', function () { $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->getDirectPermissions()->pluck('name'))->toEqual(collect(['edit-articles'])); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); $this->testUser->assignRole('testRole'); $this->testUserRole->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); }); it('can list all the permissions via roles of user', function () { $roleModel = app(Role::class); $roleModel->findByName('testRole2')->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getPermissionsViaRoles()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can list all the coupled permissions both directly and via roles', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->getAllPermissions()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can sync multiple permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->syncPermissions('edit-articles', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('can avoid sync duplicated permissions', function () { $this->testUser->syncPermissions('edit-articles', 'edit-blog', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); }); it('can avoid detach on permission that does not exist sync', function () { $this->testUser->syncPermissions('edit-articles'); expect(fn () => $this->testUser->syncPermissions('permission-does-not-exist'))->toThrow(PermissionDoesNotExist::class); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->checkPermissionTo('permission-does-not-exist'))->toBeFalse(); }); it('can sync multiple permissions by id', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission ignores null inputs', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $ids->push(null); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission error does not detach permissions', function () { $this->testUser->givePermissionTo('edit-news'); expect(fn () => $this->testUser->syncPermissions('edit-articles', 'permission-that-does-not-exist'))->toThrow(PermissionDoesNotExist::class); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not remove already associated permissions when assigning new permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not throw an exception when assigning a permission that is already assigned', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-news'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('can sync permissions to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-articles'); $user->save(); $user->save(); // test save same model twice expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); $user->syncPermissions('edit-articles'); expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new permissions', function () { $permission2 = app(PermissionContract::class)->where('name', ['edit-news'])->first(); DB::enableQueryLog(); $this->testUser->syncPermissions($this->testUserPermission, $permission2); DB::disableQueryLog(); $necessaryQueriesCount = 2; expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling givePermissionTo before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->givePermissionTo('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->givePermissionTo('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling syncPermissions before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->syncPermissions('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('can retrieve permission names', function () { $this->testUser->givePermissionTo('edit-news', 'edit-articles'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can check many direct permissions', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAllDirectPermissions(['edit-news', 'edit-articles']))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news', 'edit-blog']))->toBeFalse(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can check if there is any of the direct permissions given', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAnyDirectPermission(['edit-news', 'edit-blog']))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-news', 'edit-blog'))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can check permission based on logged in user guard', function () { $this->testUser->givePermissionTo(app(PermissionContract::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ])); $response = $this->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => true, ]); }); it('can reject permission based on logged in user guard', function () { $unassignedPermission = app(PermissionContract::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ]); $assignedPermission = app(PermissionContract::class)::create([ 'name' => 'do_that', 'guard_name' => 'web', ]); $this->testUser->givePermissionTo($assignedPermission); $response = $this->withExceptionHandling() ->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => false, ]); }); it('fires an event when a permission is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertDispatched(PermissionAttachedEvent::class, function ($event) use ($ids) { return $event->model instanceof User && $event->model->hasPermissionTo('edit-news') && $event->model->hasPermissionTo('edit-articles') && $ids === $event->permissionsOrIds; }); }); it('does not fire an event when events are not enabled', function () { Event::fake(); app('config')->set('permission.events_enabled', false); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertNotDispatched(PermissionAttachedEvent::class); }); it('fires an event when a permission is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $permissions = app(PermissionContract::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUser->givePermissionTo($permissions); $this->testUser->revokePermissionTo($permissions); Event::assertDispatched(PermissionDetachedEvent::class, function ($event) use ($permissions) { return $event->model instanceof User && ! $event->model->hasPermissionTo('edit-news') && ! $event->model->hasPermissionTo('edit-articles') && $event->permissionsOrIds === $permissions; }); }); it('can be given a permission on role when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testRole = app(Role::class)->with('permissions')->get()->first(); $testRole->givePermissionTo('edit-articles'); expect($testRole->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('can be given a permission on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $testUser = User::with('permissions')->get()->first(); $testUser->givePermissionTo('edit-articles'); expect($testUser->hasPermissionTo('edit-articles'))->toBeTrue(); }); // ---- Custom model-specific tests ---- it('can use custom model permission', function () { expect(get_class($this->testUserPermission))->toBe(Permission::class); }); it('can use custom fields from cache', function () { DB::connection()->getSchemaBuilder()->table(config('permission.table_names.roles'), function ($table) { $table->string('type')->default('R'); }); DB::connection()->getSchemaBuilder()->table(config('permission.table_names.permissions'), function ($table) { $table->string('type')->default('P'); }); $this->testUserRole->givePermissionTo($this->testUserPermission); app(PermissionRegistrar::class)->getPermissions(); DB::enableQueryLog(); expect(Permission::findByName('edit-articles')->type)->toBe('P'); expect(Permission::findByName('edit-articles')->roles[0]->type)->toBe('R'); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(0); }); it('can scope users using a int', function () { // Skipped because custom model uses uuid, // replacement "it_can_scope_users_using_a_uuid" expect(true)->toBeTrue(); }); it('can scope users using a uuid', function () { $uuid1 = $this->testUserPermission->getKey(); $uuid2 = app(Permission::class)::where('name', 'edit-news')->first()->getKey(); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->givePermissionTo([$uuid1, $uuid2]); $this->testUserRole->givePermissionTo($uuid1); $user2->assignRole('testRole'); $scopedUsers1 = User::permission($uuid1)->get(); $scopedUsers2 = User::permission([$uuid2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('doesnt detach roles when soft deleting', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); DB::enableQueryLog(); $this->testUserPermission->delete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(1 + $this->resetDatabaseQuery); $permission = Permission::onlyTrashed()->find($this->testUserPermission->getKey()); expect(DB::table(config('permission.table_names.role_has_permissions'))->where('permission_test_id', $permission->getKey())->count())->toEqual(1); }); it('doesnt detach users when soft deleting', function () { $this->testUser->givePermissionTo($this->testUserPermission); DB::enableQueryLog(); $this->testUserPermission->delete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(1 + $this->resetDatabaseQuery); $permission = Permission::onlyTrashed()->find($this->testUserPermission->getKey()); expect(DB::table(config('permission.table_names.model_has_permissions'))->where('permission_test_id', $permission->getKey())->count())->toEqual(1); }); it('does detach roles and users when force deleting', function () { $permission_id = $this->testUserPermission->getKey(); $this->testUserRole->givePermissionTo($permission_id); $this->testUser->givePermissionTo($permission_id); DB::enableQueryLog(); $this->testUserPermission->forceDelete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(3 + $this->resetDatabaseQuery); // avoid detach permissions on permissions $permission = Permission::withTrashed()->find($permission_id); expect($permission)->toBeNull(); expect(DB::table(config('permission.table_names.role_has_permissions'))->where('permission_test_id', $permission_id)->count())->toEqual(0); expect(DB::table(config('permission.table_names.model_has_permissions'))->where('permission_test_id', $permission_id)->count())->toEqual(0); }); it('should touch when assigning new permissions', function () { Carbon::setTestNow('2021-07-19 10:13:14'); $user = Admin::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => 'edit-news', 'guard_name' => 'admin']); $permission2 = Permission::create(['name' => 'edit-blog', 'guard_name' => 'admin']); expect($permission1->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-19 10:13:14'); Carbon::setTestNow('2021-07-20 19:13:14'); $user->syncPermissions([$permission1->getKey(), $permission2->getKey()]); expect($permission1->refresh()->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-20 19:13:14'); expect($permission2->refresh()->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-20 19:13:14'); }); ================================================ FILE: tests/Traits/HasRolesTest.php ================================================ testUser->hasRole('testRole'))->toBeFalse(); $role = app(Role::class)->findOrCreate('testRoleInWebGuard', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); $this->testUser->assignRole($role); expect($this->testUser->hasRole($role))->toBeTrue(); expect($this->testUser->hasRole($role->name))->toBeTrue(); expect($this->testUser->hasRole($role->name, $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->getKey(), $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->name, 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole($role->getKey(), 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], 'fakeGuard'))->toBeFalse(); $role = app(Role::class)->findOrCreate('testRoleInWebGuard2', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); }); it('can assign and remove a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $enum3 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum1; $enum4 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum2; app(Role::class)->findOrCreate($enum1->value, 'web'); app(Role::class)->findOrCreate($enum2->value, 'web'); app(Role::class)->findOrCreate($enum3->value, 'web'); app(Role::class)->findOrCreate($enum4->value, 'web'); expect($this->testUser->hasRole($enum1))->toBeFalse(); expect($this->testUser->hasRole($enum2))->toBeFalse(); expect($this->testUser->hasRole($enum3))->toBeFalse(); expect($this->testUser->hasRole($enum4))->toBeFalse(); expect($this->testUser->hasRole('user-manager'))->toBeFalse(); expect($this->testUser->hasRole('writer'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-1'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-2'))->toBeFalse(); $this->testUser->assignRole($enum1); $this->testUser->assignRole($enum2); $this->testUser->assignRole($enum3); $this->testUser->assignRole($enum4); expect($this->testUser->hasRole($enum1))->toBeTrue(); expect($this->testUser->hasRole($enum2))->toBeTrue(); expect($this->testUser->hasRole($enum3))->toBeTrue(); expect($this->testUser->hasRole($enum4))->toBeTrue(); expect($this->testUser->hasRole([$enum1, 'writer']))->toBeTrue(); expect($this->testUser->hasRole([$enum3, 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4]))->toBeTrue(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4, 'not exist']))->toBeFalse(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2', 'not exist']))->toBeFalse(); expect($this->testUser->hasExactRoles([$enum4, $enum3, $enum2, $enum1]))->toBeTrue(); expect($this->testUser->hasExactRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); $this->testUser->removeRole($enum1); expect($this->testUser->hasRole($enum1))->toBeFalse(); }); it('can scope a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $role1 = app(Role::class)->findOrCreate($enum1->value, 'web'); $role2 = app(Role::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); // assign only one user to a role $user2->assignRole($enum1); expect($user2->hasRole($enum1))->toBeTrue(); expect($user2->hasRole($enum2))->toBeFalse(); $scopedUsers1 = User::role($enum1)->get(); $scopedUsers2 = User::role($enum2)->get(); $scopedUsers3 = User::withoutRole($enum2)->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(0); expect($scopedUsers3->count())->toEqual(3); }); it('can assign and remove a role', function () { expect($this->testUser->hasRole('testRole'))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); $this->testUser->removeRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); }); it('removes a role and returns roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); expect($this->testUser->hasRole(['testRole', 'testRole2']))->toBeTrue(); $roles = $this->testUser->removeRole('testRole'); expect($roles->hasRole('testRole'))->toBeFalse(); expect($roles->hasRole('testRole2'))->toBeTrue(); }); it('can assign and remove a role on a permission', function () { $this->testUserPermission->assignRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeTrue(); $this->testUserPermission->removeRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); }); it('can assign and remove a role using an object', function () { $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove a role using an id', function () { $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove multiple roles at once', function () { $this->testUser->assignRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('can assign and remove multiple roles using an array', function () { $this->testUser->assignRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('does not remove already associated roles when assigning new roles', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole('testRole2'); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('does not throw an exception when assigning a role that is already assigned', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('throws an exception when assigning a role that does not exist', function () { expect(fn () => $this->testUser->assignRole('evil-emperor'))->toThrow(RoleDoesNotExist::class); }); it('can only assign roles from the correct guard', function () { expect(fn () => $this->testUser->assignRole('testAdminRole'))->toThrow(RoleDoesNotExist::class); }); it('throws an exception when assigning a role from a different guard', function () { expect(fn () => $this->testUser->assignRole($this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('ignores null roles when syncing', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2', null); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string on a permission', function () { $this->testUserPermission->assignRole('testRole'); $this->testUserPermission->syncRoles('testRole2'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); expect($this->testUserPermission->hasRole('testRole2'))->toBeTrue(); }); it('can avoid sync duplicated roles', function () { $this->testUser->syncRoles('testRole', 'testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can avoid detach on role that does not exist sync', function () { $this->testUser->syncRoles('testRole'); expect(fn () => $this->testUser->syncRoles('role-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('role-does-not-exist'))->toBeFalse(); }); it('can sync multiple roles', function () { $this->testUser->syncRoles('testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync multiple roles from an array', function () { $this->testUser->syncRoles(['testRole', 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('will remove all roles when an empty array is passed to sync roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); $this->testUser->syncRoles([]); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('sync roles error does not detach roles', function () { $this->testUser->assignRole('testRole'); expect(fn () => $this->testUser->syncRoles('testRole2', 'role-that-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('will sync roles to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles([$this->testUserRole]); $user->save(); $user->save(); // test save same model twice expect($user->hasRole($this->testUserRole))->toBeTrue(); $user->syncRoles([$this->testUserRole]); expect($user->hasRole($this->testUserRole))->toBeTrue(); expect($user->fresh()->hasRole($this->testUserRole))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new roles', function () { $role2 = app(Role::class)->where('name', ['testRole2'])->first(); DB::enableQueryLog(); $this->testUser->syncRoles($this->testUserRole, $role2); DB::disableQueryLog(); $necessaryQueriesCount = 2; // Teams reloads relation, adding an extra query if (app(PermissionRegistrar::class)->teams) { $necessaryQueriesCount++; } expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling syncRoles before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles('testRole'); $user->save(); $user2 = new User(['email' => 'admin@user.com']); $user2->syncRoles('testRole2'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($user2->fresh()->hasRole('testRole2'))->toBeTrue(); expect($user2->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling assignRole before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->assignRole('testRole'); $user->save(); $admin_user = new User(['email' => 'admin@user.com']); $admin_user->assignRole('testRole2'); DB::enableQueryLog(); $admin_user->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($admin_user->fresh()->hasRole('testRole2'))->toBeTrue(); expect($admin_user->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('throws an exception when syncing a role from another guard', function () { expect(fn () => $this->testUser->syncRoles('testRole', 'testAdminRole'))->toThrow(RoleDoesNotExist::class); expect(fn () => $this->testUser->syncRoles('testRole', $this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('deletes pivot table entries when deleting models', function () { $user = User::create(['email' => 'user@test.com']); $user->assignRole('testRole'); $user->givePermissionTo('edit-articles'); $this->assertDatabaseHas('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseHas('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); $user->delete(); $this->assertDatabaseMissing('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseMissing('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); }); it('can scope users using a string', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers = User::role('testRole')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can withoutscope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers = User::withoutRole('testRole2')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can scope users using an array', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(['testRole', 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole->name, 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(0); }); it('can scope users using an array of ids and names', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $secondAssignedRoleId = app(Role::class)->findByName('testRole2')->getKey(); $scopedUsers = User::role([$firstAssignedRoleName, $secondAssignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can withoutscope users using an array of ids and names', function () { app(Role::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $unassignedRoleId = app(Role::class)->findByName('testRole3')->getKey(); $scopedUsers = User::withoutRole([$firstAssignedRoleName, $unassignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can scope users using a collection', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(collect(['testRole', 'testRole2']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using a collection', function () { app(Role::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole(collect(['testRole', 'testRole3']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users using an object', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role($this->testUserRole)->get(); $scopedUsers2 = User::role([$this->testUserRole])->get(); $scopedUsers3 = User::role(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole($this->testUserRole)->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers3 = User::withoutRole(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(2); }); it('can scope against a specific guard', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers1 = User::role('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(1); $user3 = Admin::create(['email' => 'user3@test.com']); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $testAdminRole2 = app(Role::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user3->assignRole($this->testAdminRole); $user4->assignRole($this->testAdminRole); $user5->assignRole($testAdminRole2); $scopedUsers2 = Admin::role('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::role('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope against a specific guard', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(2); Admin::all()->each(fn ($item) => $item->delete()); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $user6 = Admin::create(['email' => 'user6@test.com']); $testAdminRole2 = app(Role::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user4->assignRole($this->testAdminRole); $user5->assignRole($this->testAdminRole); $user6->assignRole($testAdminRole2); $scopedUsers2 = Admin::withoutRole('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::withoutRole('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('throws an exception when trying to scope a role from another guard', function () { expect(fn () => User::role('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to call withoutscope on a role from another guard', function () { expect(fn () => User::withoutRole('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to scope a non existing role', function () { expect(fn () => User::role('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to use withoutscope on a non existing role', function () { expect(fn () => User::withoutRole('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('can determine that a user has one of the given roles', function () { $roleModel = app(Role::class); $roleModel->create(['name' => 'second role']); expect($this->testUser->hasRole($roleModel->all()))->toBeFalse(); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole('testRole'))->toBeTrue(); expect($this->testUser->hasAnyRole('role does not exist'))->toBeFalse(); expect($this->testUser->hasAnyRole(['testRole']))->toBeTrue(); expect($this->testUser->hasAnyRole(['testRole', 'role does not exist']))->toBeTrue(); expect($this->testUser->hasAnyRole(['role does not exist']))->toBeFalse(); expect($this->testUser->hasAnyRole('testRole', 'role does not exist'))->toBeTrue(); }); it('can determine that a user has all of the given roles', function () { $roleModel = app(Role::class); expect($this->testUser->hasAllRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasAllRoles('testRole'))->toBeFalse(); expect($this->testUser->hasAllRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasAllRoles('testRole'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user has exact all of the given roles', function () { $roleModel = app(Role::class); expect($this->testUser->hasExactRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasExactRoles('testRole'))->toBeFalse(); expect($this->testUser->hasExactRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasExactRoles('testRole'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); $roleModel->create(['name' => 'third role']); $this->testUser->assignRole('third role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user does not have a role from another guard', function () { expect($this->testUser->hasRole('testAdminRole'))->toBeFalse(); expect($this->testUser->hasRole($this->testAdminRole))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole(['testRole', 'testAdminRole']))->toBeTrue(); expect($this->testUser->hasAnyRole('testAdminRole', $this->testAdminRole))->toBeFalse(); }); it('can check against any multiple roles using multiple arguments', function () { $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole($this->testAdminRole, ['testRole'], 'This Role Does Not Even Exist'))->toBeTrue(); }); it('returns false instead of an exception when checking against any undefined roles using multiple arguments', function () { expect($this->testUser->hasAnyRole('This Role Does Not Even Exist', $this->testAdminRole))->toBeFalse(); }); it('throws an exception if an unsupported type is passed to hasRoles', function () { expect(fn () => $this->testUser->hasRole(new class {}))->toThrow(\TypeError::class); }); it('can retrieve role names', function () { $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getRoleNames()->sort()->values())->toEqual( collect(['testRole', 'testRole2']) ); }); it('does not detach roles when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->assignRole('testRole'); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires an event when a role is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole(['testRole', 'testRole2']); $roleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && $event->model->hasRole('testRole') && $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('fires an event when a role is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); $this->testUser->removeRole('testRole', 'testRole2'); $roleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('can be given a role on permission when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testPermission = app(Permission::class)->with('roles')->get()->first(); $testPermission->assignRole('testRole'); expect($testPermission->hasRole('testRole'))->toBeTrue(); }); it('can be given a role on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $user = User::with('roles')->get()->first(); $user->assignRole('testRole'); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires detach event when syncing roles', function () { Event::fake([RoleDetachedEvent::class, RoleAttachedEvent::class]); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); app(Role::class)->create(['name' => 'testRole3']); $this->testUser->syncRoles('testRole3'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); expect($this->testUser->hasRole('testRole3'))->toBeTrue(); $removedRoleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($removedRoleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $removedRoleIds; }); $attachedRoleIds = app(Role::class)::whereIn('name', ['testRole3']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($attachedRoleIds) { return $event->model instanceof User && $event->model->hasRole('testRole3') && $event->rolesOrIds === $attachedRoleIds; }); }); ================================================ FILE: tests/Traits/HasRolesWithCustomModelsTest.php ================================================ setUpCustomModels(); $this->resetDatabaseQuery = config('cache.default') === 'database' ? 1 : 0; }); // ======================================================================= // Tests inherited from HasRolesTest (running with custom models) // ======================================================================= it('can determine that the user does not have a role', function () { expect($this->testUser->hasRole('testRole'))->toBeFalse(); $role = app(RoleContract::class)->findOrCreate('testRoleInWebGuard', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); $this->testUser->assignRole($role); expect($this->testUser->hasRole($role))->toBeTrue(); expect($this->testUser->hasRole($role->name))->toBeTrue(); expect($this->testUser->hasRole($role->name, $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->getKey(), $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->name, 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole($role->getKey(), 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], 'fakeGuard'))->toBeFalse(); $role = app(RoleContract::class)->findOrCreate('testRoleInWebGuard2', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); }); it('can assign and remove a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $enum3 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum1; $enum4 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum2; app(RoleContract::class)->findOrCreate($enum1->value, 'web'); app(RoleContract::class)->findOrCreate($enum2->value, 'web'); app(RoleContract::class)->findOrCreate($enum3->value, 'web'); app(RoleContract::class)->findOrCreate($enum4->value, 'web'); expect($this->testUser->hasRole($enum1))->toBeFalse(); expect($this->testUser->hasRole($enum2))->toBeFalse(); expect($this->testUser->hasRole($enum3))->toBeFalse(); expect($this->testUser->hasRole($enum4))->toBeFalse(); expect($this->testUser->hasRole('user-manager'))->toBeFalse(); expect($this->testUser->hasRole('writer'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-1'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-2'))->toBeFalse(); $this->testUser->assignRole($enum1); $this->testUser->assignRole($enum2); $this->testUser->assignRole($enum3); $this->testUser->assignRole($enum4); expect($this->testUser->hasRole($enum1))->toBeTrue(); expect($this->testUser->hasRole($enum2))->toBeTrue(); expect($this->testUser->hasRole($enum3))->toBeTrue(); expect($this->testUser->hasRole($enum4))->toBeTrue(); expect($this->testUser->hasRole([$enum1, 'writer']))->toBeTrue(); expect($this->testUser->hasRole([$enum3, 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4]))->toBeTrue(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4, 'not exist']))->toBeFalse(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2', 'not exist']))->toBeFalse(); expect($this->testUser->hasExactRoles([$enum4, $enum3, $enum2, $enum1]))->toBeTrue(); expect($this->testUser->hasExactRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); $this->testUser->removeRole($enum1); expect($this->testUser->hasRole($enum1))->toBeFalse(); }); it('can scope a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $role1 = app(RoleContract::class)->findOrCreate($enum1->value, 'web'); $role2 = app(RoleContract::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); // assign only one user to a role $user2->assignRole($enum1); expect($user2->hasRole($enum1))->toBeTrue(); expect($user2->hasRole($enum2))->toBeFalse(); $scopedUsers1 = User::role($enum1)->get(); $scopedUsers2 = User::role($enum2)->get(); $scopedUsers3 = User::withoutRole($enum2)->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(0); expect($scopedUsers3->count())->toEqual(3); }); it('can assign and remove a role', function () { expect($this->testUser->hasRole('testRole'))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); $this->testUser->removeRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); }); it('removes a role and returns roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); expect($this->testUser->hasRole(['testRole', 'testRole2']))->toBeTrue(); $roles = $this->testUser->removeRole('testRole'); expect($roles->hasRole('testRole'))->toBeFalse(); expect($roles->hasRole('testRole2'))->toBeTrue(); }); it('can assign and remove a role on a permission', function () { $this->testUserPermission->assignRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeTrue(); $this->testUserPermission->removeRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); }); it('can assign and remove a role using an object', function () { $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove a role using an id', function () { $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove multiple roles at once', function () { $this->testUser->assignRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('can assign and remove multiple roles using an array', function () { $this->testUser->assignRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('does not remove already associated roles when assigning new roles', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole('testRole2'); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('does not throw an exception when assigning a role that is already assigned', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('throws an exception when assigning a role that does not exist', function () { expect(fn () => $this->testUser->assignRole('evil-emperor'))->toThrow(RoleDoesNotExist::class); }); it('can only assign roles from the correct guard', function () { expect(fn () => $this->testUser->assignRole('testAdminRole'))->toThrow(RoleDoesNotExist::class); }); it('throws an exception when assigning a role from a different guard', function () { expect(fn () => $this->testUser->assignRole($this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('ignores null roles when syncing', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2', null); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string on a permission', function () { $this->testUserPermission->assignRole('testRole'); $this->testUserPermission->syncRoles('testRole2'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); expect($this->testUserPermission->hasRole('testRole2'))->toBeTrue(); }); it('can avoid sync duplicated roles', function () { $this->testUser->syncRoles('testRole', 'testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can avoid detach on role that does not exist sync', function () { $this->testUser->syncRoles('testRole'); expect(fn () => $this->testUser->syncRoles('role-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('role-does-not-exist'))->toBeFalse(); }); it('can sync multiple roles', function () { $this->testUser->syncRoles('testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync multiple roles from an array', function () { $this->testUser->syncRoles(['testRole', 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('will remove all roles when an empty array is passed to sync roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); $this->testUser->syncRoles([]); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('sync roles error does not detach roles', function () { $this->testUser->assignRole('testRole'); expect(fn () => $this->testUser->syncRoles('testRole2', 'role-that-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('will sync roles to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles([$this->testUserRole]); $user->save(); $user->save(); // test save same model twice expect($user->hasRole($this->testUserRole))->toBeTrue(); $user->syncRoles([$this->testUserRole]); expect($user->hasRole($this->testUserRole))->toBeTrue(); expect($user->fresh()->hasRole($this->testUserRole))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new roles', function () { $role2 = app(RoleContract::class)->where('name', ['testRole2'])->first(); DB::enableQueryLog(); $this->testUser->syncRoles($this->testUserRole, $role2); DB::disableQueryLog(); $necessaryQueriesCount = 2; // Teams reloads relation, adding an extra query if (app(PermissionRegistrar::class)->teams) { $necessaryQueriesCount++; } expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling syncRoles before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles('testRole'); $user->save(); $user2 = new User(['email' => 'admin@user.com']); $user2->syncRoles('testRole2'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($user2->fresh()->hasRole('testRole2'))->toBeTrue(); expect($user2->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling assignRole before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->assignRole('testRole'); $user->save(); $admin_user = new User(['email' => 'admin@user.com']); $admin_user->assignRole('testRole2'); DB::enableQueryLog(); $admin_user->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($admin_user->fresh()->hasRole('testRole2'))->toBeTrue(); expect($admin_user->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('throws an exception when syncing a role from another guard', function () { expect(fn () => $this->testUser->syncRoles('testRole', 'testAdminRole'))->toThrow(RoleDoesNotExist::class); expect(fn () => $this->testUser->syncRoles('testRole', $this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('deletes pivot table entries when deleting models', function () { $user = User::create(['email' => 'user@test.com']); $user->assignRole('testRole'); $user->givePermissionTo('edit-articles'); $this->assertDatabaseHas('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseHas('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); $user->delete(); $this->assertDatabaseMissing('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseMissing('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); }); it('can scope users using a string', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers = User::role('testRole')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can withoutscope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers = User::withoutRole('testRole2')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can scope users using an array', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(['testRole', 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole->name, 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(0); }); it('can scope users using an array of ids and names', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $secondAssignedRoleId = app(RoleContract::class)->findByName('testRole2')->getKey(); $scopedUsers = User::role([$firstAssignedRoleName, $secondAssignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can withoutscope users using an array of ids and names', function () { app(RoleContract::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $unassignedRoleId = app(RoleContract::class)->findByName('testRole3')->getKey(); $scopedUsers = User::withoutRole([$firstAssignedRoleName, $unassignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can scope users using a collection', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(collect(['testRole', 'testRole2']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using a collection', function () { app(RoleContract::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole(collect(['testRole', 'testRole3']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users using an object', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role($this->testUserRole)->get(); $scopedUsers2 = User::role([$this->testUserRole])->get(); $scopedUsers3 = User::role(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole($this->testUserRole)->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers3 = User::withoutRole(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(2); }); it('can scope against a specific guard', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers1 = User::role('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(1); $user3 = Admin::create(['email' => 'user3@test.com']); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $testAdminRole2 = app(RoleContract::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user3->assignRole($this->testAdminRole); $user4->assignRole($this->testAdminRole); $user5->assignRole($testAdminRole2); $scopedUsers2 = Admin::role('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::role('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope against a specific guard', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(2); Admin::all()->each(fn ($item) => $item->delete()); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $user6 = Admin::create(['email' => 'user6@test.com']); $testAdminRole2 = app(RoleContract::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user4->assignRole($this->testAdminRole); $user5->assignRole($this->testAdminRole); $user6->assignRole($testAdminRole2); $scopedUsers2 = Admin::withoutRole('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::withoutRole('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('throws an exception when trying to scope a role from another guard', function () { expect(fn () => User::role('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to call withoutscope on a role from another guard', function () { expect(fn () => User::withoutRole('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to scope a non existing role', function () { expect(fn () => User::role('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to use withoutscope on a non existing role', function () { expect(fn () => User::withoutRole('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('can determine that a user has one of the given roles', function () { $roleModel = app(RoleContract::class); $roleModel->create(['name' => 'second role']); expect($this->testUser->hasRole($roleModel->all()))->toBeFalse(); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole('testRole'))->toBeTrue(); expect($this->testUser->hasAnyRole('role does not exist'))->toBeFalse(); expect($this->testUser->hasAnyRole(['testRole']))->toBeTrue(); expect($this->testUser->hasAnyRole(['testRole', 'role does not exist']))->toBeTrue(); expect($this->testUser->hasAnyRole(['role does not exist']))->toBeFalse(); expect($this->testUser->hasAnyRole('testRole', 'role does not exist'))->toBeTrue(); }); it('can determine that a user has all of the given roles', function () { $roleModel = app(RoleContract::class); expect($this->testUser->hasAllRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasAllRoles('testRole'))->toBeFalse(); expect($this->testUser->hasAllRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasAllRoles('testRole'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user has exact all of the given roles', function () { $roleModel = app(RoleContract::class); expect($this->testUser->hasExactRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasExactRoles('testRole'))->toBeFalse(); expect($this->testUser->hasExactRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasExactRoles('testRole'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); $roleModel->create(['name' => 'third role']); $this->testUser->assignRole('third role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user does not have a role from another guard', function () { expect($this->testUser->hasRole('testAdminRole'))->toBeFalse(); expect($this->testUser->hasRole($this->testAdminRole))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole(['testRole', 'testAdminRole']))->toBeTrue(); expect($this->testUser->hasAnyRole('testAdminRole', $this->testAdminRole))->toBeFalse(); }); it('can check against any multiple roles using multiple arguments', function () { $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole($this->testAdminRole, ['testRole'], 'This Role Does Not Even Exist'))->toBeTrue(); }); it('returns false instead of an exception when checking against any undefined roles using multiple arguments', function () { expect($this->testUser->hasAnyRole('This Role Does Not Even Exist', $this->testAdminRole))->toBeFalse(); }); it('throws an exception if an unsupported type is passed to hasRoles', function () { expect(fn () => $this->testUser->hasRole(new class {}))->toThrow(\TypeError::class); }); it('can retrieve role names', function () { $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getRoleNames()->sort()->values())->toEqual( collect(['testRole', 'testRole2']) ); }); it('does not detach roles when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->assignRole('testRole'); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires an event when a role is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole(['testRole', 'testRole2']); $roleIds = app(RoleContract::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && $event->model->hasRole('testRole') && $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('fires an event when a role is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); $this->testUser->removeRole('testRole', 'testRole2'); $roleIds = app(RoleContract::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('can be given a role on permission when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testPermission = app(PermissionContract::class)->with('roles')->get()->first(); $testPermission->assignRole('testRole'); expect($testPermission->hasRole('testRole'))->toBeTrue(); }); it('can be given a role on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $user = User::with('roles')->get()->first(); $user->assignRole('testRole'); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires detach event when syncing roles', function () { Event::fake([RoleDetachedEvent::class, RoleAttachedEvent::class]); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); app(RoleContract::class)->create(['name' => 'testRole3']); $this->testUser->syncRoles('testRole3'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); expect($this->testUser->hasRole('testRole3'))->toBeTrue(); $removedRoleIds = app(RoleContract::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($removedRoleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $removedRoleIds; }); $attachedRoleIds = app(RoleContract::class)::whereIn('name', ['testRole3']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($attachedRoleIds) { return $event->model instanceof User && $event->model->hasRole('testRole3') && $event->rolesOrIds === $attachedRoleIds; }); }); // ======================================================================= // Custom model-specific tests // ======================================================================= it('can use custom model role', function () { expect(get_class($this->testUserRole))->toBe(Role::class); }); it('doesnt detach permissions when soft deleting', function () { $this->testUserRole->givePermissionTo($this->testUserPermission); DB::enableQueryLog(); $this->testUserRole->delete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(1 + $this->resetDatabaseQuery); $role = Role::onlyTrashed()->find($this->testUserRole->getKey()); expect(DB::table(config('permission.table_names.role_has_permissions'))->where('role_test_id', $role->getKey())->count())->toEqual(1); }); it('doesnt detach users when soft deleting', function () { $this->testUser->assignRole($this->testUserRole); DB::enableQueryLog(); $this->testUserRole->delete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(1 + $this->resetDatabaseQuery); $role = Role::onlyTrashed()->find($this->testUserRole->getKey()); expect(DB::table(config('permission.table_names.model_has_roles'))->where('role_test_id', $role->getKey())->count())->toEqual(1); }); it('does detach permissions and users when force deleting', function () { $role_id = $this->testUserRole->getKey(); $this->testUserPermission->assignRole($role_id); $this->testUser->assignRole($role_id); DB::enableQueryLog(); $this->testUserRole->forceDelete(); DB::disableQueryLog(); expect(count(DB::getQueryLog()))->toBe(3 + $this->resetDatabaseQuery); $role = Role::withTrashed()->find($role_id); expect($role)->toBeNull(); expect(DB::table(config('permission.table_names.role_has_permissions'))->where('role_test_id', $role_id)->count())->toEqual(0); expect(DB::table(config('permission.table_names.model_has_roles'))->where('role_test_id', $role_id)->count())->toEqual(0); }); it('should touch when assigning new roles', function () { Carbon::setTestNow('2021-07-19 10:13:14'); $user = Admin::create(['email' => 'user1@test.com']); $role1 = app(Role::class)->create(['name' => 'testRoleInWebGuard', 'guard_name' => 'admin']); $role2 = app(Role::class)->create(['name' => 'testRoleInWebGuard1', 'guard_name' => 'admin']); expect($role1->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-19 10:13:14'); Carbon::setTestNow('2021-07-20 19:13:14'); $user->syncRoles([$role1->getKey(), $role2->getKey()]); expect($role1->refresh()->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-20 19:13:14'); expect($role2->refresh()->updated_at->format('Y-m-d H:i:s'))->toBe('2021-07-20 19:13:14'); }); ================================================ FILE: tests/Traits/TeamHasPermissionsTest.php ================================================ $this->setUpTeams()); // ---- Tests inherited from HasPermissionsTest (running with $hasTeams = true) ---- it('can assign a permission to a user', function () { $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); }); it('can assign a permission to a user with a non default guard', function () { $testUserPermission = app(Permission::class)->create([ 'name' => 'edit-articles', 'guard_name' => 'api', ]); $this->testUser->givePermissionTo($testUserPermission); expect($this->testUser->hasPermissionTo($testUserPermission))->toBeTrue(); }); it('throws an exception when assigning a permission that does not exist', function () { expect(fn () => $this->testUser->givePermissionTo('permission-does-not-exist'))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when assigning a permission to a user from a different guard', function () { expect(fn () => $this->testUser->givePermissionTo($this->testAdminPermission))->toThrow(GuardDoesNotMatch::class); expect(fn () => $this->testUser->givePermissionTo('admin-permission'))->toThrow(PermissionDoesNotExist::class); }); it('can revoke a permission from a user', function () { $this->testUser->givePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeTrue(); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasPermissionTo($this->testUserPermission))->toBeFalse(); }); it('can assign and remove a permission using enums', function () { $enum = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $permission = app(Permission::class)->findOrCreate($enum->value, 'web'); $this->testUser->givePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeTrue(); expect($this->testUser->hasAnyPermission($enum))->toBeTrue(); expect($this->testUser->hasDirectPermission($enum))->toBeTrue(); $this->testUser->revokePermissionTo($enum); expect($this->testUser->hasPermissionTo($enum))->toBeFalse(); expect($this->testUser->hasAnyPermission($enum))->toBeFalse(); expect($this->testUser->hasDirectPermission($enum))->toBeFalse(); }); it('can scope users using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::ViewArticles; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::EditArticles; $permission1 = app(Permission::class)->findOrCreate($enum1->value, 'web'); $permission2 = app(Permission::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo([$enum1, $enum2]); $this->testUserRole->givePermissionTo($enum2); $user2->assignRole('testRole'); $scopedUsers1 = User::permission($enum2)->get(); $scopedUsers2 = User::permission([$enum1])->get(); $scopedUsers3 = User::withoutPermission([$enum1])->get(); $scopedUsers4 = User::withoutPermission([$enum2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); expect($scopedUsers4->count())->toEqual(1); }); it('can scope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using a int', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo([1, 2]); $this->testUserRole->givePermissionTo(1); $user2->assignRole('testRole'); $scopedUsers1 = User::permission(1)->get(); $scopedUsers2 = User::permission([2])->get(); $scopedUsers3 = User::withoutPermission([2])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(['edit-articles', 'edit-news'])->get(); $scopedUsers2 = User::permission(['edit-news'])->get(); $scopedUsers3 = User::withoutPermission(['edit-news'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using a collection', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission(collect(['edit-articles', 'edit-news']))->get(); $scopedUsers2 = User::permission(collect(['edit-news']))->get(); $scopedUsers3 = User::withoutPermission(collect(['edit-news']))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('can scope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user1->givePermissionTo($this->testUserPermission->name); $scopedUsers1 = User::permission($this->testUserPermission)->get(); $scopedUsers2 = User::permission([$this->testUserPermission])->get(); $scopedUsers3 = User::permission(collect([$this->testUserPermission]))->get(); $scopedUsers4 = User::withoutPermission(collect([$this->testUserPermission]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); expect($scopedUsers4->count())->toEqual(0); }); it('can scope users without direct permissions only role', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $this->testUserRole->givePermissionTo('edit-articles'); $user1->assignRole('testRole'); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::permission('edit-articles')->get(); $scopedUsers2 = User::withoutPermission('edit-articles')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users with only direct permission', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->givePermissionTo(['edit-news']); $user2->givePermissionTo(['edit-articles', 'edit-news']); $scopedUsers1 = User::permission('edit-news')->get(); $scopedUsers2 = User::withoutPermission('edit-news')->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(1); }); it('throws an exception when calling hasPermissionTo with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(new \stdClass))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasPermissionTo with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasPermissionTo(null))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with an invalid type', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(new \stdClass))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when calling hasDirectPermission with null', function () { $user = User::create(['email' => 'user1@test.com']); expect(fn () => $user->hasDirectPermission(null))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a non existing permission', function () { expect(fn () => User::permission('not defined permission')->get())->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('not defined permission')->get())->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when trying to scope a permission from another guard', function () { expect(fn () => User::permission('testAdminPermission')->get())->toThrow(PermissionDoesNotExist::class); expect(fn () => User::withoutPermission('testAdminPermission')->get())->toThrow(PermissionDoesNotExist::class); }); it('doesnt detach permissions when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->givePermissionTo(['edit-news']); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasPermissionTo('edit-news'))->toBeTrue(); }); it('can give and revoke multiple permissions', function () { $this->testUserRole->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo(['edit-articles', 'edit-news']); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models array', function () { $models = [app(Permission::class)::where('name', 'edit-articles')->first(), app(Permission::class)::where('name', 'edit-news')->first()]; $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can give and revoke permissions models collection', function () { $models = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUserRole->givePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(2); $this->testUserRole->revokePermissionTo($models); expect($this->testUserRole->permissions()->count())->toEqual(0); }); it('can determine that the user does not have a permission', function () { expect($this->testUser->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('throws an exception when the permission does not exist', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist'))->toThrow(PermissionDoesNotExist::class); }); it('throws an exception when the permission does not exist for this guard', function () { expect(fn () => $this->testUser->hasPermissionTo('does-not-exist', 'web'))->toThrow(PermissionDoesNotExist::class); }); it('can reject a user that does not have any permissions at all', function () { $user = new User; expect($user->hasPermissionTo('edit-articles'))->toBeFalse(); }); it('can determine that the user has any of the permissions directly', function () { expect($this->testUser->hasAnyPermission('edit-articles'))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission('edit-articles', 'edit-news'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has any of the permissions directly using an array', function () { expect($this->testUser->hasAnyPermission(['edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasAnyPermission(['edit-news', 'edit-articles']))->toBeTrue(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAnyPermission(['edit-articles', 'edit-news']))->toBeTrue(); }); it('can determine that the user has any of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyPermission('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAnyPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can determine that the user has all of the permissions directly', function () { $this->testUser->givePermissionTo('edit-articles', 'edit-news'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeFalse(); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can determine that the user has all of the permissions directly using an array', function () { expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasAllPermissions(['edit-news', 'edit-articles']))->toBeFalse(); $this->testUser->givePermissionTo('edit-news'); $this->testUser->revokePermissionTo($this->testUserPermission); expect($this->testUser->hasAllPermissions(['edit-articles', 'edit-news']))->toBeFalse(); }); it('can determine that the user has all of the permissions via role', function () { $this->testUserRole->givePermissionTo('edit-articles', 'edit-news'); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAllPermissions('edit-articles', 'edit-news'))->toBeTrue(); }); it('can determine that user has direct permission', function () { $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->getDirectPermissions()->pluck('name'))->toEqual(collect(['edit-articles'])); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); $this->testUser->assignRole('testRole'); $this->testUserRole->givePermissionTo('edit-articles'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeFalse(); }); it('can list all the permissions via roles of user', function () { $roleModel = app(Role::class); $roleModel->findByName('testRole2')->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getPermissionsViaRoles()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can list all the coupled permissions both directly and via roles', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUserRole->givePermissionTo('edit-articles'); $this->testUser->assignRole('testRole'); expect($this->testUser->getAllPermissions()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can sync multiple permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->syncPermissions('edit-articles', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('can avoid sync duplicated permissions', function () { $this->testUser->syncPermissions('edit-articles', 'edit-blog', 'edit-blog'); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); }); it('can avoid detach on permission that does not exist sync', function () { $this->testUser->syncPermissions('edit-articles'); expect(fn () => $this->testUser->syncPermissions('permission-does-not-exist'))->toThrow(PermissionDoesNotExist::class); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->checkPermissionTo('permission-does-not-exist'))->toBeFalse(); }); it('can sync multiple permissions by id', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission ignores null inputs', function () { $this->testUser->givePermissionTo('edit-news'); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-blog'])->pluck($this->testUserPermission->getKeyName()); $ids->push(null); $this->testUser->syncPermissions($ids); expect($this->testUser->hasDirectPermission('edit-articles'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-blog'))->toBeTrue(); expect($this->testUser->hasDirectPermission('edit-news'))->toBeFalse(); }); it('sync permission error does not detach permissions', function () { $this->testUser->givePermissionTo('edit-news'); expect(fn () => $this->testUser->syncPermissions('edit-articles', 'permission-that-does-not-exist'))->toThrow(PermissionDoesNotExist::class); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not remove already associated permissions when assigning new permissions', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-articles'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('does not throw an exception when assigning a permission that is already assigned', function () { $this->testUser->givePermissionTo('edit-news'); $this->testUser->givePermissionTo('edit-news'); expect($this->testUser->fresh()->hasDirectPermission('edit-news'))->toBeTrue(); }); it('can sync permissions to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-articles'); $user->save(); $user->save(); // test save same model twice expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); $user->syncPermissions('edit-articles'); expect($user->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new permissions', function () { $permission2 = app(Permission::class)->where('name', ['edit-news'])->first(); DB::enableQueryLog(); $this->testUser->syncPermissions($this->testUserPermission, $permission2); DB::disableQueryLog(); $necessaryQueriesCount = 2; expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling givePermissionTo before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->givePermissionTo('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->givePermissionTo('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling syncPermissions before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncPermissions('edit-news'); $user->save(); $user2 = new User(['email' => 'test2@user.com']); $user2->syncPermissions('edit-articles'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasPermissionTo('edit-news'))->toBeTrue(); expect($user->fresh()->hasPermissionTo('edit-articles'))->toBeFalse(); expect($user2->fresh()->hasPermissionTo('edit-articles'))->toBeTrue(); expect($user2->fresh()->hasPermissionTo('edit-news'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('can retrieve permission names', function () { $this->testUser->givePermissionTo('edit-news', 'edit-articles'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); }); it('can check many direct permissions', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAllDirectPermissions(['edit-news', 'edit-articles']))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions('edit-news', 'edit-articles'))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news', 'edit-blog']))->toBeFalse(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news'], 'edit-blog'))->toBeFalse(); }); it('can check if there is any of the direct permissions given', function () { $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); expect($this->testUser->hasAnyDirectPermission(['edit-news', 'edit-blog']))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-news', 'edit-blog'))->toBeTrue(); expect($this->testUser->hasAnyDirectPermission('edit-blog', 'Edit News', ['Edit News']))->toBeFalse(); }); it('can check permission based on logged in user guard', function () { $this->testUser->givePermissionTo(app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ])); $response = $this->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => true, ]); }); it('can reject permission based on logged in user guard', function () { $unassignedPermission = app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'api', ]); $assignedPermission = app(Permission::class)::create([ 'name' => 'do_that', 'guard_name' => 'web', ]); $this->testUser->givePermissionTo($assignedPermission); $response = $this->withExceptionHandling() ->actingAs($this->testUser, 'api') ->json('GET', '/check-api-guard-permission'); $response->assertJson([ 'status' => false, ]); }); it('fires an event when a permission is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertDispatched(PermissionAttachedEvent::class, function ($event) use ($ids) { return $event->model instanceof User && $event->model->hasPermissionTo('edit-news') && $event->model->hasPermissionTo('edit-articles') && $ids === $event->permissionsOrIds; }); }); it('does not fire an event when events are not enabled', function () { Event::fake(); app('config')->set('permission.events_enabled', false); $this->testUser->givePermissionTo(['edit-articles', 'edit-news']); $ids = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news']) ->pluck($this->testUserPermission->getKeyName()) ->toArray(); Event::assertNotDispatched(PermissionAttachedEvent::class); }); it('fires an event when a permission is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $permissions = app(Permission::class)::whereIn('name', ['edit-articles', 'edit-news'])->get(); $this->testUser->givePermissionTo($permissions); $this->testUser->revokePermissionTo($permissions); Event::assertDispatched(PermissionDetachedEvent::class, function ($event) use ($permissions) { return $event->model instanceof User && ! $event->model->hasPermissionTo('edit-news') && ! $event->model->hasPermissionTo('edit-articles') && $event->permissionsOrIds === $permissions; }); }); it('can be given a permission on role when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testRole = app(Role::class)->with('permissions')->get()->first(); $testRole->givePermissionTo('edit-articles'); expect($testRole->hasPermissionTo('edit-articles'))->toBeTrue(); }); it('can be given a permission on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $testUser = User::with('permissions')->get()->first(); $testUser->givePermissionTo('edit-articles'); expect($testUser->hasPermissionTo('edit-articles'))->toBeTrue(); }); // ---- Team-specific tests ---- it('can assign same and different permission on same user on different teams', function () { setPermissionsTeamId(1); $this->testUser->givePermissionTo('edit-articles', 'edit-news'); setPermissionsTeamId(2); $this->testUser->givePermissionTo('edit-articles', 'edit-blog'); setPermissionsTeamId(1); $this->testUser->load('permissions'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news']))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-blog']))->toBeFalse(); setPermissionsTeamId(2); $this->testUser->load('permissions'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-blog'])); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-blog']))->toBeTrue(); expect($this->testUser->hasAllDirectPermissions(['edit-articles', 'edit-news']))->toBeFalse(); }); it('can list all the coupled permissions both directly and via roles on same user on different teams', function () { $this->testUserRole->givePermissionTo('edit-articles'); setPermissionsTeamId(1); $this->testUser->assignRole('testRole'); $this->testUser->givePermissionTo('edit-news'); setPermissionsTeamId(2); $this->testUser->assignRole('testRole'); $this->testUser->givePermissionTo('edit-blog'); setPermissionsTeamId(1); $this->testUser->load('roles', 'permissions'); expect($this->testUser->getAllPermissions()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); setPermissionsTeamId(2); $this->testUser->load('roles', 'permissions'); expect($this->testUser->getAllPermissions()->pluck('name')->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-blog'])); }); it('can sync or remove permission without detach on different teams', function () { setPermissionsTeamId(1); $this->testUser->syncPermissions('edit-articles', 'edit-news'); setPermissionsTeamId(2); $this->testUser->syncPermissions('edit-articles', 'edit-blog'); setPermissionsTeamId(1); $this->testUser->load('permissions'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-news'])); $this->testUser->revokePermissionTo('edit-articles'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-news'])); setPermissionsTeamId(2); $this->testUser->load('permissions'); expect($this->testUser->getPermissionNames()->sort()->values()) ->toEqual(collect(['edit-articles', 'edit-blog'])); }); it('can scope users on different teams', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); setPermissionsTeamId(2); $user1->givePermissionTo(['edit-articles', 'edit-news']); $this->testUserRole->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); setPermissionsTeamId(1); $user1->givePermissionTo(['edit-articles']); setPermissionsTeamId(2); $scopedUsers1Team2 = User::permission(['edit-articles', 'edit-news'])->get(); $scopedUsers2Team2 = User::permission('edit-news')->get(); expect($scopedUsers1Team2->count())->toEqual(2); expect($scopedUsers2Team2->count())->toEqual(1); setPermissionsTeamId(1); $scopedUsers1Team1 = User::permission(['edit-articles', 'edit-news'])->get(); $scopedUsers2Team1 = User::permission('edit-news')->get(); expect($scopedUsers1Team1->count())->toEqual(1); expect($scopedUsers2Team1->count())->toEqual(0); }); ================================================ FILE: tests/Traits/TeamHasRolesTest.php ================================================ $this->setUpTeams()); // ---- Tests inherited from HasRolesTest (running under TeamTestCase with $hasTeams = true) ---- it('can determine that the user does not have a role', function () { expect($this->testUser->hasRole('testRole'))->toBeFalse(); $role = app(Role::class)->findOrCreate('testRoleInWebGuard', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); $this->testUser->assignRole($role); expect($this->testUser->hasRole($role))->toBeTrue(); expect($this->testUser->hasRole($role->name))->toBeTrue(); expect($this->testUser->hasRole($role->name, $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->getKey(), $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], $role->guard_name))->toBeTrue(); expect($this->testUser->hasRole($role->name, 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->name, 'fakeRole'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole($role->getKey(), 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasRole([$role->getKey(), 'fakeRole'], 'fakeGuard'))->toBeFalse(); $role = app(Role::class)->findOrCreate('testRoleInWebGuard2', 'web'); expect($this->testUser->hasRole($role))->toBeFalse(); }); it('can assign and remove a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $enum3 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum1; $enum4 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::CastedEnum2; app(Role::class)->findOrCreate($enum1->value, 'web'); app(Role::class)->findOrCreate($enum2->value, 'web'); app(Role::class)->findOrCreate($enum3->value, 'web'); app(Role::class)->findOrCreate($enum4->value, 'web'); expect($this->testUser->hasRole($enum1))->toBeFalse(); expect($this->testUser->hasRole($enum2))->toBeFalse(); expect($this->testUser->hasRole($enum3))->toBeFalse(); expect($this->testUser->hasRole($enum4))->toBeFalse(); expect($this->testUser->hasRole('user-manager'))->toBeFalse(); expect($this->testUser->hasRole('writer'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-1'))->toBeFalse(); expect($this->testUser->hasRole('casted_enum-2'))->toBeFalse(); $this->testUser->assignRole($enum1); $this->testUser->assignRole($enum2); $this->testUser->assignRole($enum3); $this->testUser->assignRole($enum4); expect($this->testUser->hasRole($enum1))->toBeTrue(); expect($this->testUser->hasRole($enum2))->toBeTrue(); expect($this->testUser->hasRole($enum3))->toBeTrue(); expect($this->testUser->hasRole($enum4))->toBeTrue(); expect($this->testUser->hasRole([$enum1, 'writer']))->toBeTrue(); expect($this->testUser->hasRole([$enum3, 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4]))->toBeTrue(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); expect($this->testUser->hasAllRoles([$enum1, $enum2, $enum3, $enum4, 'not exist']))->toBeFalse(); expect($this->testUser->hasAllRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2', 'not exist']))->toBeFalse(); expect($this->testUser->hasExactRoles([$enum4, $enum3, $enum2, $enum1]))->toBeTrue(); expect($this->testUser->hasExactRoles(['user-manager', 'writer', 'casted_enum-1', 'casted_enum-2']))->toBeTrue(); $this->testUser->removeRole($enum1); expect($this->testUser->hasRole($enum1))->toBeFalse(); }); it('can scope a role using enums', function () { $enum1 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::UserManager; $enum2 = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::Writer; $role1 = app(Role::class)->findOrCreate($enum1->value, 'web'); $role2 = app(Role::class)->findOrCreate($enum2->value, 'web'); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); // assign only one user to a role $user2->assignRole($enum1); expect($user2->hasRole($enum1))->toBeTrue(); expect($user2->hasRole($enum2))->toBeFalse(); $scopedUsers1 = User::role($enum1)->get(); $scopedUsers2 = User::role($enum2)->get(); $scopedUsers3 = User::withoutRole($enum2)->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(0); expect($scopedUsers3->count())->toEqual(3); }); it('can assign and remove a role', function () { expect($this->testUser->hasRole('testRole'))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); $this->testUser->removeRole('testRole'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); }); it('removes a role and returns roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); expect($this->testUser->hasRole(['testRole', 'testRole2']))->toBeTrue(); $roles = $this->testUser->removeRole('testRole'); expect($roles->hasRole('testRole'))->toBeFalse(); expect($roles->hasRole('testRole2'))->toBeTrue(); }); it('can assign and remove a role on a permission', function () { $this->testUserPermission->assignRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeTrue(); $this->testUserPermission->removeRole('testRole'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); }); it('can assign and remove a role using an object', function () { $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove a role using an id', function () { $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey()); expect($this->testUser->hasRole($this->testUserRole))->toBeFalse(); }); it('can assign and remove multiple roles at once', function () { $this->testUser->assignRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole($this->testUserRole->getKey(), 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('can assign and remove multiple roles using an array', function () { $this->testUser->assignRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); $this->testUser->removeRole([$this->testUserRole->getKey(), 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('does not remove already associated roles when assigning new roles', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole('testRole2'); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('does not throw an exception when assigning a role that is already assigned', function () { $this->testUser->assignRole($this->testUserRole->getKey()); $this->testUser->assignRole($this->testUserRole->getKey()); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('throws an exception when assigning a role that does not exist', function () { expect(fn () => $this->testUser->assignRole('evil-emperor'))->toThrow(RoleDoesNotExist::class); }); it('can only assign roles from the correct guard', function () { expect(fn () => $this->testUser->assignRole('testAdminRole'))->toThrow(RoleDoesNotExist::class); }); it('throws an exception when assigning a role from a different guard', function () { expect(fn () => $this->testUser->assignRole($this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('ignores null roles when syncing', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2', null); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string', function () { $this->testUser->assignRole('testRole'); $this->testUser->syncRoles('testRole2'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync roles from a string on a permission', function () { $this->testUserPermission->assignRole('testRole'); $this->testUserPermission->syncRoles('testRole2'); expect($this->testUserPermission->hasRole('testRole'))->toBeFalse(); expect($this->testUserPermission->hasRole('testRole2'))->toBeTrue(); }); it('can avoid sync duplicated roles', function () { $this->testUser->syncRoles('testRole', 'testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can avoid detach on role that does not exist sync', function () { $this->testUser->syncRoles('testRole'); expect(fn () => $this->testUser->syncRoles('role-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('role-does-not-exist'))->toBeFalse(); }); it('can sync multiple roles', function () { $this->testUser->syncRoles('testRole', 'testRole2'); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('can sync multiple roles from an array', function () { $this->testUser->syncRoles(['testRole', 'testRole2']); expect($this->testUser->hasRole('testRole'))->toBeTrue(); expect($this->testUser->hasRole('testRole2'))->toBeTrue(); }); it('will remove all roles when an empty array is passed to sync roles', function () { $this->testUser->assignRole('testRole'); $this->testUser->assignRole('testRole2'); $this->testUser->syncRoles([]); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); }); it('sync roles error does not detach roles', function () { $this->testUser->assignRole('testRole'); expect(fn () => $this->testUser->syncRoles('testRole2', 'role-that-does-not-exist'))->toThrow(RoleDoesNotExist::class); expect($this->testUser->fresh()->hasRole('testRole'))->toBeTrue(); }); it('will sync roles to a model that is not persisted', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles([$this->testUserRole]); $user->save(); $user->save(); // test save same model twice expect($user->hasRole($this->testUserRole))->toBeTrue(); $user->syncRoles([$this->testUserRole]); expect($user->hasRole($this->testUserRole))->toBeTrue(); expect($user->fresh()->hasRole($this->testUserRole))->toBeTrue(); }); it('does not run unnecessary sqls when assigning new roles', function () { $role2 = app(Role::class)->where('name', ['testRole2'])->first(); DB::enableQueryLog(); $this->testUser->syncRoles($this->testUserRole, $role2); DB::disableQueryLog(); $necessaryQueriesCount = 2; // Teams reloads relation, adding an extra query if (app(PermissionRegistrar::class)->teams) { $necessaryQueriesCount++; } expect(DB::getQueryLog())->toHaveCount($necessaryQueriesCount); }); it('calling syncRoles before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->syncRoles('testRole'); $user->save(); $user2 = new User(['email' => 'admin@user.com']); $user2->syncRoles('testRole2'); DB::enableQueryLog(); $user2->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($user2->fresh()->hasRole('testRole2'))->toBeTrue(); expect($user2->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('calling assignRole before saving object doesnt interfere with other objects', function () { $user = new User(['email' => 'test@user.com']); $user->assignRole('testRole'); $user->save(); $admin_user = new User(['email' => 'admin@user.com']); $admin_user->assignRole('testRole2'); DB::enableQueryLog(); $admin_user->save(); DB::disableQueryLog(); expect($user->fresh()->hasRole('testRole'))->toBeTrue(); expect($user->fresh()->hasRole('testRole2'))->toBeFalse(); expect($admin_user->fresh()->hasRole('testRole2'))->toBeTrue(); expect($admin_user->fresh()->hasRole('testRole'))->toBeFalse(); expect(count(DB::getQueryLog()))->toBe(2); // avoid unnecessary sync }); it('throws an exception when syncing a role from another guard', function () { expect(fn () => $this->testUser->syncRoles('testRole', 'testAdminRole'))->toThrow(RoleDoesNotExist::class); expect(fn () => $this->testUser->syncRoles('testRole', $this->testAdminRole))->toThrow(GuardDoesNotMatch::class); }); it('deletes pivot table entries when deleting models from HasRolesTest', function () { $user = User::create(['email' => 'user@test.com']); $user->assignRole('testRole'); $user->givePermissionTo('edit-articles'); $this->assertDatabaseHas('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseHas('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); $user->delete(); $this->assertDatabaseMissing('model_has_permissions', [config('permission.column_names.model_morph_key') => $user->id]); $this->assertDatabaseMissing('model_has_roles', [config('permission.column_names.model_morph_key') => $user->id]); }); it('can scope users using a string', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers = User::role('testRole')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can withoutscope users using a string', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers = User::withoutRole('testRole2')->get(); expect($scopedUsers->count())->toEqual(1); }); it('can scope users using an array', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(['testRole', 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using an array', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole->name, 'testRole2'])->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(0); }); it('can scope users using an array of ids and names', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $secondAssignedRoleId = app(Role::class)->findByName('testRole2')->getKey(); $scopedUsers = User::role([$firstAssignedRoleName, $secondAssignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can withoutscope users using an array of ids and names', function () { app(Role::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $firstAssignedRoleName = $this->testUserRole->name; $unassignedRoleId = app(Role::class)->findByName('testRole3')->getKey(); $scopedUsers = User::withoutRole([$firstAssignedRoleName, $unassignedRoleId])->get(); expect($scopedUsers->count())->toEqual(2); }); it('can scope users using a collection', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role([$this->testUserRole])->get(); $scopedUsers2 = User::role(collect(['testRole', 'testRole2']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(2); }); it('can withoutscope users using a collection', function () { app(Role::class)->create(['name' => 'testRole3']); User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers2 = User::withoutRole(collect(['testRole', 'testRole3']))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); }); it('can scope users using an object', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $scopedUsers1 = User::role($this->testUserRole)->get(); $scopedUsers2 = User::role([$this->testUserRole])->get(); $scopedUsers3 = User::role(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(1); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope users using an object', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole($this->testUserRole)->get(); $scopedUsers2 = User::withoutRole([$this->testUserRole])->get(); $scopedUsers3 = User::withoutRole(collect([$this->testUserRole]))->get(); expect($scopedUsers1->count())->toEqual(2); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(2); }); it('can scope against a specific guard', function () { $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $scopedUsers1 = User::role('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(1); $user3 = Admin::create(['email' => 'user3@test.com']); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $testAdminRole2 = app(Role::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user3->assignRole($this->testAdminRole); $user4->assignRole($this->testAdminRole); $user5->assignRole($testAdminRole2); $scopedUsers2 = Admin::role('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::role('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(2); expect($scopedUsers3->count())->toEqual(1); }); it('can withoutscope against a specific guard', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); $user3 = User::create(['email' => 'user3@test.com']); $user1->assignRole('testRole'); $user2->assignRole('testRole2'); $user3->assignRole('testRole2'); $scopedUsers1 = User::withoutRole('testRole', 'web')->get(); expect($scopedUsers1->count())->toEqual(2); Admin::all()->each(fn ($item) => $item->delete()); $user4 = Admin::create(['email' => 'user4@test.com']); $user5 = Admin::create(['email' => 'user5@test.com']); $user6 = Admin::create(['email' => 'user6@test.com']); $testAdminRole2 = app(Role::class)->create(['name' => 'testAdminRole2', 'guard_name' => 'admin']); $user4->assignRole($this->testAdminRole); $user5->assignRole($this->testAdminRole); $user6->assignRole($testAdminRole2); $scopedUsers2 = Admin::withoutRole('testAdminRole', 'admin')->get(); $scopedUsers3 = Admin::withoutRole('testAdminRole2', 'admin')->get(); expect($scopedUsers2->count())->toEqual(1); expect($scopedUsers3->count())->toEqual(2); }); it('throws an exception when trying to scope a role from another guard', function () { expect(fn () => User::role('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to call withoutscope on a role from another guard', function () { expect(fn () => User::withoutRole('testAdminRole')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to scope a non existing role', function () { expect(fn () => User::role('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('throws an exception when trying to use withoutscope on a non existing role', function () { expect(fn () => User::withoutRole('role not defined')->get())->toThrow(RoleDoesNotExist::class); }); it('can determine that a user has one of the given roles', function () { $roleModel = app(Role::class); $roleModel->create(['name' => 'second role']); expect($this->testUser->hasRole($roleModel->all()))->toBeFalse(); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole($roleModel->all()))->toBeTrue(); expect($this->testUser->hasAnyRole('testRole'))->toBeTrue(); expect($this->testUser->hasAnyRole('role does not exist'))->toBeFalse(); expect($this->testUser->hasAnyRole(['testRole']))->toBeTrue(); expect($this->testUser->hasAnyRole(['testRole', 'role does not exist']))->toBeTrue(); expect($this->testUser->hasAnyRole(['role does not exist']))->toBeFalse(); expect($this->testUser->hasAnyRole('testRole', 'role does not exist'))->toBeTrue(); }); it('can determine that a user has all of the given roles', function () { $roleModel = app(Role::class); expect($this->testUser->hasAllRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasAllRoles('testRole'))->toBeFalse(); expect($this->testUser->hasAllRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasAllRoles('testRole'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasAllRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasAllRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user has exact all of the given roles', function () { $roleModel = app(Role::class); expect($this->testUser->hasExactRoles($roleModel->first()))->toBeFalse(); expect($this->testUser->hasExactRoles('testRole'))->toBeFalse(); expect($this->testUser->hasExactRoles($roleModel->all()))->toBeFalse(); $roleModel->create(['name' => 'second role']); $this->testUser->assignRole($this->testUserRole); expect($this->testUser->hasExactRoles('testRole'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles('testRole', 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); $this->testUser->assignRole('second role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); $roleModel->create(['name' => 'third role']); $this->testUser->assignRole('third role'); expect($this->testUser->hasExactRoles(['testRole', 'second role']))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'web'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role'], 'fakeGuard'))->toBeFalse(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role']))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'web'))->toBeTrue(); expect($this->testUser->hasExactRoles(['testRole', 'second role', 'third role'], 'fakeGuard'))->toBeFalse(); }); it('can determine that a user does not have a role from another guard', function () { expect($this->testUser->hasRole('testAdminRole'))->toBeFalse(); expect($this->testUser->hasRole($this->testAdminRole))->toBeFalse(); $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole(['testRole', 'testAdminRole']))->toBeTrue(); expect($this->testUser->hasAnyRole('testAdminRole', $this->testAdminRole))->toBeFalse(); }); it('can check against any multiple roles using multiple arguments', function () { $this->testUser->assignRole('testRole'); expect($this->testUser->hasAnyRole($this->testAdminRole, ['testRole'], 'This Role Does Not Even Exist'))->toBeTrue(); }); it('returns false instead of an exception when checking against any undefined roles using multiple arguments', function () { expect($this->testUser->hasAnyRole('This Role Does Not Even Exist', $this->testAdminRole))->toBeFalse(); }); it('throws an exception if an unsupported type is passed to hasRoles', function () { expect(fn () => $this->testUser->hasRole(new class {}))->toThrow(\TypeError::class); }); it('can retrieve role names', function () { $this->testUser->assignRole('testRole', 'testRole2'); expect($this->testUser->getRoleNames()->sort()->values())->toEqual( collect(['testRole', 'testRole2']) ); }); it('does not detach roles when user soft deleting', function () { $user = SoftDeletingUser::create(['email' => 'test@example.com']); $user->assignRole('testRole'); $user->delete(); $user = SoftDeletingUser::withTrashed()->find($user->id); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires an event when a role is added', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole(['testRole', 'testRole2']); $roleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && $event->model->hasRole('testRole') && $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('fires an event when a role is removed', function () { Event::fake(); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); $this->testUser->removeRole('testRole', 'testRole2'); $roleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($roleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $roleIds; }); }); it('can be given a role on permission when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); $testPermission = app(Permission::class)->with('roles')->get()->first(); $testPermission->assignRole('testRole'); expect($testPermission->hasRole('testRole'))->toBeTrue(); }); it('can be given a role on user when lazy loading is restricted', function () { expect(Model::preventsLazyLoading())->toBeTrue(); User::create(['email' => 'other@user.com']); $user = User::with('roles')->get()->first(); $user->assignRole('testRole'); expect($user->hasRole('testRole'))->toBeTrue(); }); it('fires detach event when syncing roles', function () { Event::fake([RoleDetachedEvent::class, RoleAttachedEvent::class]); app('config')->set('permission.events_enabled', true); $this->testUser->assignRole('testRole', 'testRole2'); app(Role::class)->create(['name' => 'testRole3']); $this->testUser->syncRoles('testRole3'); expect($this->testUser->hasRole('testRole'))->toBeFalse(); expect($this->testUser->hasRole('testRole2'))->toBeFalse(); expect($this->testUser->hasRole('testRole3'))->toBeTrue(); $removedRoleIds = app(Role::class)::whereIn('name', ['testRole', 'testRole2']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleDetachedEvent::class, function ($event) use ($removedRoleIds) { return $event->model instanceof User && ! $event->model->hasRole('testRole') && ! $event->model->hasRole('testRole2') && $event->rolesOrIds === $removedRoleIds; }); $attachedRoleIds = app(Role::class)::whereIn('name', ['testRole3']) ->pluck($this->testUserRole->getKeyName()) ->toArray(); Event::assertDispatched(RoleAttachedEvent::class, function ($event) use ($attachedRoleIds) { return $event->model instanceof User && $event->model->hasRole('testRole3') && $event->rolesOrIds === $attachedRoleIds; }); }); // ---- Team-specific tests ---- it('deletes pivot table entries when deleting models', function () { $user1 = User::create(['email' => 'user2@test.com']); $user2 = User::create(['email' => 'user2@test.com']); setPermissionsTeamId(1); $user1->assignRole('testRole'); $user1->givePermissionTo('edit-articles'); $user2->assignRole('testRole'); $user2->givePermissionTo('edit-articles'); setPermissionsTeamId(2); $user1->givePermissionTo('edit-news'); $this->assertDatabaseHas('model_has_permissions', [config('permission.column_names.model_morph_key') => $user1->id]); $this->assertDatabaseHas('model_has_roles', [config('permission.column_names.model_morph_key') => $user1->id]); $user1->delete(); setPermissionsTeamId(1); $this->assertDatabaseMissing('model_has_permissions', [config('permission.column_names.model_morph_key') => $user1->id]); $this->assertDatabaseMissing('model_has_roles', [config('permission.column_names.model_morph_key') => $user1->id]); $this->assertDatabaseHas('model_has_permissions', [config('permission.column_names.model_morph_key') => $user2->id]); $this->assertDatabaseHas('model_has_roles', [config('permission.column_names.model_morph_key') => $user2->id]); }); it('can assign same and different roles on same user different teams', function () { app(Role::class)->create(['name' => 'testRole3']); // team_test_id = 1 by main class app(Role::class)->create(['name' => 'testRole3', 'team_test_id' => 2]); app(Role::class)->create(['name' => 'testRole4', 'team_test_id' => null]); // global role $testRole3Team1 = app(Role::class)->where(['name' => 'testRole3', 'team_test_id' => 1])->first(); $testRole3Team2 = app(Role::class)->where(['name' => 'testRole3', 'team_test_id' => 2])->first(); $testRole4NoTeam = app(Role::class)->where(['name' => 'testRole4', 'team_test_id' => null])->first(); expect($testRole3Team1)->not->toBeNull(); expect($testRole4NoTeam)->not->toBeNull(); setPermissionsTeamId(1); $this->testUser->assignRole('testRole', 'testRole2'); // explicit load of roles to assert no mismatch // when same role assigned in diff teams // while old team's roles are loaded $this->testUser->load('roles'); setPermissionsTeamId(2); $this->testUser->assignRole('testRole', 'testRole3'); setPermissionsTeamId(1); $this->testUser->load('roles'); expect($this->testUser->getRoleNames()->sort()->values()) ->toEqual(collect(['testRole', 'testRole2'])); expect($this->testUser->hasExactRoles(['testRole', 'testRole2']))->toBeTrue(); $this->testUser->assignRole('testRole3', 'testRole4'); expect($this->testUser->hasExactRoles(['testRole', 'testRole2', 'testRole3', 'testRole4']))->toBeTrue(); expect($this->testUser->hasRole($testRole3Team1))->toBeTrue(); // testRole3 team=1 expect($this->testUser->hasRole($testRole4NoTeam))->toBeTrue(); // global role team=null setPermissionsTeamId(2); $this->testUser->load('roles'); expect($this->testUser->getRoleNames()->sort()->values()) ->toEqual(collect(['testRole', 'testRole3'])); expect($this->testUser->hasExactRoles(['testRole', 'testRole3']))->toBeTrue(); expect($this->testUser->hasRole($testRole3Team2))->toBeTrue(); // testRole3 team=2 $this->testUser->assignRole('testRole4'); expect($this->testUser->hasExactRoles(['testRole', 'testRole3', 'testRole4']))->toBeTrue(); expect($this->testUser->hasRole($testRole4NoTeam))->toBeTrue(); // global role team=null }); it('can sync or remove roles without detach on different teams', function () { app(Role::class)->create(['name' => 'testRole3', 'team_test_id' => 2]); setPermissionsTeamId(1); $this->testUser->syncRoles('testRole', 'testRole2'); setPermissionsTeamId(2); $this->testUser->syncRoles('testRole', 'testRole3'); setPermissionsTeamId(1); $this->testUser->load('roles'); expect($this->testUser->getRoleNames()->sort()->values()) ->toEqual(collect(['testRole', 'testRole2'])); $this->testUser->removeRole('testRole'); expect($this->testUser->getRoleNames()->sort()->values()) ->toEqual(collect(['testRole2'])); setPermissionsTeamId(2); $this->testUser->load('roles'); expect($this->testUser->getRoleNames()->sort()->values()) ->toEqual(collect(['testRole', 'testRole3'])); }); it('can scope users on different teams', function () { User::all()->each(fn ($item) => $item->delete()); $user1 = User::create(['email' => 'user1@test.com']); $user2 = User::create(['email' => 'user2@test.com']); setPermissionsTeamId(2); $user1->assignRole($this->testUserRole); $user2->assignRole('testRole2'); setPermissionsTeamId(1); $user1->assignRole('testRole'); setPermissionsTeamId(2); $scopedUsers1Team1 = User::role($this->testUserRole)->get(); $scopedUsers2Team1 = User::role(['testRole', 'testRole2'])->get(); $scopedUsers3Team1 = User::withoutRole('testRole')->get(); expect($scopedUsers1Team1->count())->toEqual(1); expect($scopedUsers2Team1->count())->toEqual(2); expect($scopedUsers3Team1->count())->toEqual(1); setPermissionsTeamId(1); $scopedUsers1Team2 = User::role($this->testUserRole)->get(); $scopedUsers2Team2 = User::role('testRole2')->get(); $scopedUsers3Team2 = User::withoutRole('testRole')->get(); expect($scopedUsers1Team2->count())->toEqual(1); expect($scopedUsers2Team2->count())->toEqual(0); expect($scopedUsers3Team2->count())->toEqual(1); }); ================================================ FILE: tests/Traits/WildcardHasPermissionsTest.php ================================================ set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => 'articles.edit,view,create']); $permission2 = Permission::create(['name' => 'news.*']); $permission3 = Permission::create(['name' => 'posts.*']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('posts.create'))->toBeTrue(); expect($user1->hasPermissionTo('posts.create.123'))->toBeTrue(); expect($user1->hasPermissionTo('posts.*'))->toBeTrue(); expect($user1->hasPermissionTo('articles.view'))->toBeTrue(); expect($user1->hasPermissionTo('projects.view'))->toBeFalse(); }); it('can check wildcard permission for a non default guard', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => 'articles.edit,view,create', 'guard_name' => 'api']); $permission2 = Permission::create(['name' => 'news.*', 'guard_name' => 'api']); $permission3 = Permission::create(['name' => 'posts.*', 'guard_name' => 'api']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('posts.create', 'api'))->toBeTrue(); expect($user1->hasPermissionTo('posts.create.123', 'api'))->toBeTrue(); expect($user1->hasPermissionTo('posts.*', 'api'))->toBeTrue(); expect($user1->hasPermissionTo('articles.view', 'api'))->toBeTrue(); expect($user1->hasPermissionTo('projects.view', 'api'))->toBeFalse(); }); it('can check wildcard permission from instance without explicit guard argument', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission2 = Permission::create(['name' => 'articles.view']); $permission1 = Permission::create(['name' => 'articles.edit', 'guard_name' => 'api']); $permission3 = Permission::create(['name' => 'news.*', 'guard_name' => 'api']); $permission4 = Permission::create(['name' => 'posts.*', 'guard_name' => 'api']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo($permission1))->toBeTrue(); expect($user1->hasPermissionTo($permission2))->toBeTrue(); expect($user1->hasPermissionTo($permission3))->toBeTrue(); expect($user1->hasPermissionTo($permission4))->toBeFalse(); expect($user1->hasPermissionTo('articles.edit'))->toBeFalse(); }); it('can assign wildcard permissions using enums', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $articlesCreator = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardArticlesCreator; $newsEverything = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardNewsEverything; $postsEverything = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardPostsEverything; $postsCreate = Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardPostsCreate; $permission1 = app(Permission::class)->findOrCreate($articlesCreator->value, 'web'); $permission2 = app(Permission::class)->findOrCreate($newsEverything->value, 'web'); $permission3 = app(Permission::class)->findOrCreate($postsEverything->value, 'web'); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo($postsCreate))->toBeTrue(); expect($user1->hasPermissionTo($postsCreate->value.'.123'))->toBeTrue(); expect($user1->hasPermissionTo($postsEverything))->toBeTrue(); expect($user1->hasPermissionTo(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardArticlesView))->toBeTrue(); expect($user1->hasAnyPermission(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardArticlesView))->toBeTrue(); expect($user1->hasPermissionTo(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardProjectsView))->toBeFalse(); $user1->revokePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardPostsCreate))->toBeFalse(); expect($user1->hasPermissionTo($postsCreate->value.'.123'))->toBeFalse(); expect($user1->hasPermissionTo(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardPostsEverything))->toBeFalse(); expect($user1->hasPermissionTo(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardArticlesView))->toBeFalse(); expect($user1->hasAnyPermission(Spatie\Permission\Tests\TestSupport\TestModels\TestRolePermissionsEnum::WildcardArticlesView))->toBeFalse(); }); it('can check wildcard permissions via roles', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $user1->assignRole('testRole'); $permission1 = Permission::create(['name' => 'articles,projects.edit,view,create']); $permission2 = Permission::create(['name' => 'news.*.456']); $permission3 = Permission::create(['name' => 'posts']); $this->testUserRole->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('posts.create'))->toBeTrue(); expect($user1->hasPermissionTo('news.create.456'))->toBeTrue(); expect($user1->hasPermissionTo('projects.create'))->toBeTrue(); expect($user1->hasPermissionTo('articles.view'))->toBeTrue(); expect($user1->hasPermissionTo('articles.list'))->toBeFalse(); expect($user1->hasPermissionTo('projects.list'))->toBeFalse(); }); it('clears wildcard index when assigning a role', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user1@test.com']); $permission = Permission::create(['name' => 'posts.*']); $this->testUserRole->givePermissionTo($permission); // Check permission before assigning role — this populates the wildcard index expect($user->hasPermissionTo('posts.create'))->toBeFalse(); $user->assignRole('testRole'); // After assigning the role, the wildcard index should be cleared expect($user->hasPermissionTo('posts.create'))->toBeTrue(); }); it('clears wildcard index when removing a role', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user1@test.com']); $permission = Permission::create(['name' => 'posts.*']); $this->testUserRole->givePermissionTo($permission); $user->assignRole('testRole'); expect($user->hasPermissionTo('posts.create'))->toBeTrue(); $user->removeRole('testRole'); // After removing the role, the wildcard index should be cleared expect($user->hasPermissionTo('posts.create'))->toBeFalse(); }); it('can check custom wildcard permission', function () { app('config')->set('permission.enable_wildcard_permission', true); app('config')->set('permission.wildcard_permission', WildcardPermission::class); $user1 = User::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => 'articles:edit;view;create']); $permission2 = Permission::create(['name' => 'news:@']); $permission3 = Permission::create(['name' => 'posts:@']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('posts:create'))->toBeTrue(); expect($user1->hasPermissionTo('posts:create:123'))->toBeTrue(); expect($user1->hasPermissionTo('posts:@'))->toBeTrue(); expect($user1->hasPermissionTo('articles:view'))->toBeTrue(); expect($user1->hasPermissionTo('posts.*'))->toBeFalse(); expect($user1->hasPermissionTo('articles.view'))->toBeFalse(); expect($user1->hasPermissionTo('projects:view'))->toBeFalse(); }); it('can check custom wildcard permissions via roles', function () { app('config')->set('permission.enable_wildcard_permission', true); app('config')->set('permission.wildcard_permission', WildcardPermission::class); $user1 = User::create(['email' => 'user1@test.com']); $user1->assignRole('testRole'); $permission1 = Permission::create(['name' => 'articles;projects:edit;view;create']); $permission2 = Permission::create(['name' => 'news:@:456']); $permission3 = Permission::create(['name' => 'posts']); $this->testUserRole->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('posts:create'))->toBeTrue(); expect($user1->hasPermissionTo('news:create:456'))->toBeTrue(); expect($user1->hasPermissionTo('projects:create'))->toBeTrue(); expect($user1->hasPermissionTo('articles:view'))->toBeTrue(); expect($user1->hasPermissionTo('news.create.456'))->toBeFalse(); expect($user1->hasPermissionTo('projects.create'))->toBeFalse(); expect($user1->hasPermissionTo('articles:list'))->toBeFalse(); expect($user1->hasPermissionTo('projects:list'))->toBeFalse(); }); it('can check non wildcard permissions', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => 'edit articles']); $permission2 = Permission::create(['name' => 'create news']); $permission3 = Permission::create(['name' => 'update comments']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('edit articles'))->toBeTrue(); expect($user1->hasPermissionTo('create news'))->toBeTrue(); expect($user1->hasPermissionTo('update comments'))->toBeTrue(); }); it('can verify complex wildcard permissions', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission1 = Permission::create(['name' => '*.create,update,delete.*.test,course,finance']); $permission2 = Permission::create(['name' => 'papers,posts,projects,orders.*.test,test1,test2.*']); $permission3 = Permission::create(['name' => 'User::class.create,edit,view']); $user1->givePermissionTo([$permission1, $permission2, $permission3]); expect($user1->hasPermissionTo('invoices.delete.367463.finance'))->toBeTrue(); expect($user1->hasPermissionTo('projects.update.test2.test3'))->toBeTrue(); expect($user1->hasPermissionTo('User::class.edit'))->toBeTrue(); expect($user1->hasPermissionTo('User::class.delete'))->toBeFalse(); expect($user1->hasPermissionTo('User::class.*'))->toBeFalse(); }); it('throws exception when wildcard permission is not properly formatted', function () { app('config')->set('permission.enable_wildcard_permission', true); $user1 = User::create(['email' => 'user1@test.com']); $permission = Permission::create(['name' => '*..']); $user1->givePermissionTo([$permission]); expect(fn () => $user1->hasPermissionTo('invoices.*')) ->toThrow(WildcardPermissionNotProperlyFormatted::class); }); it('can verify permission instances not assigned to user', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user@test.com']); $userPermission = Permission::create(['name' => 'posts.*']); $permissionToVerify = Permission::create(['name' => 'posts.create']); $user->givePermissionTo([$userPermission]); expect($user->hasPermissionTo('posts.create'))->toBeTrue(); expect($user->hasPermissionTo('posts.create.123'))->toBeTrue(); expect($user->hasPermissionTo($permissionToVerify->id))->toBeTrue(); expect($user->hasPermissionTo($permissionToVerify))->toBeTrue(); }); it('can verify permission instances assigned to user', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user@test.com']); $userPermission = Permission::create(['name' => 'posts.*']); $permissionToVerify = Permission::create(['name' => 'posts.create']); $user->givePermissionTo([$userPermission, $permissionToVerify]); expect($user->hasPermissionTo('posts.create'))->toBeTrue(); expect($user->hasPermissionTo('posts.create.123'))->toBeTrue(); expect($user->hasPermissionTo($permissionToVerify))->toBeTrue(); expect($user->hasPermissionTo($userPermission))->toBeTrue(); }); it('can verify integers as strings', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user@test.com']); $userPermission = Permission::create(['name' => '8']); $user->givePermissionTo([$userPermission]); expect($user->hasPermissionTo('8'))->toBeTrue(); }); it('throws exception when permission has invalid arguments', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user@test.com']); expect(fn () => $user->hasPermissionTo(['posts.create'])) ->toThrow(WildcardPermissionInvalidArgument::class); }); it('throws exception when permission id not exists', function () { app('config')->set('permission.enable_wildcard_permission', true); $user = User::create(['email' => 'user@test.com']); expect(fn () => $user->hasPermissionTo(6)) ->toThrow(PermissionDoesNotExist::class); });