laratrust
laratrust copied to clipboard
Setting the permissions_as_gates with teams enabled breaks the `can` method in routes.
- Laravel Version: 10.10.1
- Laratrust Version: 8.2.1
Describe the bug
Setting the permissions_as_gates with teams enabled breaks the can
method in routes. The view is returned 404 not found.
I bumped Laravel 10.7.1 to 10.10.1 and Laratrust from 8.0.1 to 8.2.1, and the app stopped working on all routes with the can
method.
The app was working prior to the upgrade with all tests passing.
To Reproduce
Steps to reproduce the behavior:
New Laravel app, with Laratrust
Update the laratrust configuration file enable teams and permissions_as_gates' => true,
Add a user, policy, model(s) and team.
In web.php add a route with a can method e.g.:
Route::get('/plan', \App\Http\Controllers\Plan\Dashboard::class)
->can('viewAny', \App\Models\Plan::class);
This route will now fail with the error message:
404 NOT FOUND
No exceptions are logged. The Laravel debug bar does catch the exception:
No query results for model [App\Models\LaratrustTeam]. at \vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php:599) [stacktrace] "}},"userId":3,"exception":"[object] (Spatie\LaravelIgnition\Exceptions\ViewException(code: 0): No query results for model [App\Models\LaratrustTeam]. at vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php:599) [stacktrace] #0 vendor\santigarcor\laratrust\src\Helper.php(50): Illuminate\Database\Eloquent\Builder->firstOrFail() #1 \vendor\santigarcor\laratrust\src\Checkers\User\UserDefaultChecker.php(121): Laratrust\Helper::getIdFor('App\\Models\\Even...', 'team') #2 \vendor\santigarcor\laratrust\src\Traits\HasRolesAndPermissions.php(192): Laratrust\Checkers\User\UserDefaultChecker->currentUserHasPermission('viewAny', 'App\\Models\\Even...', false) #3 \vendor\santigarcor\laratrust\src\LaratrustServiceProvider.php(175): App\Models\User->hasPermission('viewAny', 'App\\Models\\Even...', false) #4 \vendor\laravel\framework\src\Illuminate\Auth\Access\Gate.php(553): Laratrust\LaratrustServiceProvider->Laratrust\{closure}(Object(App\Models\User), 'viewAny', Array) #5 \vendor\laravel\framework\src\Illuminate\Auth\Access\Gate.php(426): Illuminate\Auth\Access\Gate->callBeforeCallbacks(Object(App\Models\User), 'viewAny', Array) #6 \vendor\laravel\framework\src\Illuminate\Auth\Access\Gate.php(395): Illuminate\Auth\Access\Gate->raw('viewAny', Array) #7 \vendor\laravel\framework\src\Illuminate\Auth\Access\Gate.php(382): Illuminate\Auth\Access\Gate->inspect('viewAny', 'App\\Models\\Even...') #8 \app\View\Components\Plan\PlanList\Index.php(54): Illuminate\Auth\Access\Gate->authorize('viewAny', 'App\\Models\\Even...') #9 [internal function]: App\View\Components\Plan\PlanList\Index->__construct(Object(Illuminate\Http\Request), Object(App\Models\Plan)) ... etc...
When I run my test most failed too, the stack trace above is from one of the tests, which has the gate in the controller, the stack trace is the same for both.
The Gate in a controller can be fixed:
- Gate::forUser(auth()->user())->authorize('viewAny', Plan::class);
+ Gate::forUser(auth()->user())->authorize('plans-read', auth()->user()->currentTeam);
This used to work with model policies, something changed recently to change the behaviour.
The model policy:
public function viewAny(User $user): \Illuminate\Auth\Access\Response|bool
{
return $user->isAbleTo('plans-read', $user->currentTeam);
}
The can method on routes can not be fixed this way.
e.g.
Route::get('/list', static function () {
return view('list.index');
})
->can('events-read', auth()->user()?->currentTeam)
This will return:
This action is unauthorized.
Reading the stack trace the team is dropped and an empty array is passed through as arguments:
1 => array:6 [▼
"file" => "... \vendor\laravel\framework\src\Illuminate\Auth\Middleware\Authorize.php"
"line" => 55
"function" => "authorize"
"class" => "Illuminate\Auth\Access\Gate"
"type" => "->"
"args" => array:2 [▼
0 => "events-read"
1 => []
]
]
The can method on Route:
/**
* Specify that the "Authorize" / "can" middleware should be applied to the route with the given options.
*
* @param string $ability
* @param array|string $models
* @return $this
*/
public function can($ability, $models = [])
{
return empty($models)
? $this->middleware(['can:'.$ability])
: $this->middleware(['can:'.$ability.','.implode(',', Arr::wrap($models))]);
}
It doesn't accept a team.
The workaround for me was to update the config permissions_as_gates=false
, the previous behaviour using policies returned and everything now works.
Looking at recent changes the Gate policy has been updated to add attributes for a team. This has unexpected consequences regarding the Route can method.
https://github.com/santigarcor/laratrust/commit/a7459625cee7d0e2af59335ebbfb716f62096a04