Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

withoutPermission scope from HasPermissions returns users from outside the team #2639

Open
countless-integers opened this issue Mar 18, 2024 · 2 comments
Open

withoutPermission scope from HasPermissions returns users from outside the team #2639

countless-integers opened this issue Mar 18, 2024 · 2 comments

Comments

@countless-integers
Copy link

Describe the bug
Applying withoutPermission scope from HasPermissions trait returns users from outside the team.

Versions
You can use composer show to get the version numbers of:

  • spatie/laravel-permission package version: 6.4
  • laravel/framework package version: 10.48.2

PHP version: 8.2

Database version: MySQL 8.0

To Reproduce
Steps to reproduce the behavior:

Permission::create(['name' => 'comment.create']);
setPermissionsTeamId(1);
$user1->givePermissionTo('comment.create');
setPermissionsTeamId(2);
$user2->givePermissionTo('comment.create');
setPermissionsTeamId(1);
$users = User::withoutPermission('comment.delete')->get();
// return $user1 and $user2

Expected behavior
If teams feature is enabled I'd expect to only see member of the team in the result.

Additional context
I think this is the result of inverse whereHas constraint. Team id is in the query SQL, but it's in the subquery, so NOT EXISTS(__subquery__ ... team_id = 1) which "matches" all users. I guess it's how eloquent does it, but it's counter-intuitive with teams feature enabled.

Environment (please complete the following information, because it helps us investigate better):

  • OS: macos
  • Version Sonoma
@parallels999
Copy link
Contributor

parallels999 commented Mar 18, 2024
edited

You need to have your own relationship between user and team
This package does not provide you with that part, you must implement it

$users = User::withoutPermission('comment.delete')
    ->whereHas('YOUR_TEAM_RELATION', fn($q) => $q->where('id',  getPermissionsTeamId()))->get();

@countless-integers
Copy link
Author

You need to have your own relationship between user and team This package does not provide you with that part, you must implement it

Fair enough, just that Users::permission() (and hence withoutPermission) includes the team id in the query, it's just that the way the query is constructed make the former look like it works in team scope and the latter doesn't. Anyway, thanks for the suggestion, I can overwrite the trait scope to tack on that extra whereHas constraint to make it work for my app.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@countless-integers @parallels999