This adds substantial speed increases by caching the associations between models and permissions. Part of the changes focus on the PermissionRegistar, specifically caching for getPermissions(), thanks to @klincheg for these changes.

The rest is focussed on caching calls to HasPermissionTo() in HasPermissions.php.

The association is cached under a compound key comprised of the package key, the model and the permission: spatie.permission.cache.App.Models.User.12.Spatie.Permission.Models.Permissions.view-dashboard

These values are also used as tags: spatie.permission.cache, App.Models.User.12, Spatie.Permission.Models.Permissions.view-dashboard (if tags are not supported then the package continues as before, as they are essential to this functionality)

As we are still using the package cache key, then the already existing cache-busting should not need to be updated to account for these changes. However, the usage of the model and the permissions in the tags allow for future addition of model specific, or permission specific cache-busting, helping prevent the stampeding herd effect that larger applications may experience each time a permission or role is updated.

Performance tests involved seeding a database with 250 users, who were assigned between 2 - 4 roles, which were assigned between 30 - 500 permissions. Then each permission for each user was tested:

$this->users->each(function (User $user) {
    $user->getAllPermissions()->each(function (Permission $permission) use ($user) {
        $this->assertTrue($user->can($permission->name));
    });
});

I went through different variations of the above, some including non-assigned permissions, etc.

These changes increase the speed of the checks from several minutes down to 4 - 20 seconds (approx 32000 assertions in a couple of seconds in some tests). And the database calls went from 1800+ to 0.

Things to note/get feedback on are:

• Is the current cache busting effective enough for these changes? I reviewed the tests and ran through some real-world examples and had no issues, but a second opinion would be great.
• The changes to the config could be breaking
• The naming of checkHasPermissionTo() inside HasPermissions could be confused with the newly added method checkPermissionTo()
• Clutter. I'm concious this has added a fair bit of new methods and checks, and I don't want to clutter up the package.

Closes #732 Fixes #759 Fixes #789

It feels like the last couple of months a lot of issues were related to the multi-guard functionality introduced in v2. Apart from that there have been some vague caching issues as well. Time to do something about that in v3 of the package.

The multi-guard issue

Supporting multiple guards has added a lot of complexity to the package and made it feel quite "heavy". The multi-guard functionality is definitely a selling point for this package but it also seems to confuse some users that are new to the framework and haven't learned about guards yet. Not to mention the countless times a misconfiguration in auth.php causes the wrong guard to be used.

Some possible solutions:

• completely dropping support for guards - as @drbyte and I discussed at Laracon removing all support for multiple guards would make the package a lot easier to maintain, simpler and lighter.
• my personal favourite: drop guard support but keep Permissions and Roles polymorphic relations. This means any model can have roles and permissions but there's no extra functionality related to guards.
• maintaining two branches: one with- and one without support for guards.

Caching issue

There's no interface or CLI tool that comes with the package to create and manage roles/permissions. This means a lot of users revert to editing the DB to manage permissions causing the cache to be rendered invalid. Even though it's well documented this seems to be an issue that keeps coming back. Maybe caching should be limited to a single request lifecycle by default and configurable for anyone that needs more anything else?

Any thoughts on these two issues or suggestions for other features for v3 of the package are very welcome!

With regards the latest laravel update that is documented here: Security Release: Laravel 6.18.35, 7.24.0

And also the code change happened here in the 6.x branch https://github.com/laravel/framework/pull/33777

These two updates have broken the functionality when you try to perform a with() query on the Roles model.

For example I have the code:

Role::orderBy('type')
    ->withCount('users')
    ->paginate();

This gives the error:

PHP Notice:  Undefined index: guard_name in app/vendor/spatie/laravel-permission/src/Models/Role.php on line 62
TypeError: Argument 1 passed to getModelForGuard() must be of the type string, null given, called in app/vendor/spatie/laravel-permission/src/Models/Role.php on line 62

It seems the solution is to just set the $guarded property to [] in the model classes.

If someone is extending the class this is easy to fix, but unfortunately it isn't very clear immediately what error caused this.

If it is alright with the maintainers I don't mind making the change to the model files to the code that will make it functional.

System Info:

Laravel: 6.18.35 PHP: 7.3.8 Permissions: 3.13

Hi. First, thanks for this great packages. I've been using this packages since version 1.

I have user with Role 'System Administrator', and this roles has permission named 'dashboard', 'logs', etc. When I'm checking the user's permission via can, it throws Spatie\Permission\Exceptions\PermissionDoesNotExist.

• spatie/laravel-permission package version: 4.3.0
• illuminate/framework package: v8.55.0

PHP version: 8.0.7 Database version: MySQL 8.0.25

This is not happening prior to version 4.3.0. We have traced this issue, and found that getPermissions on Spatie\Permission\PermissionRegistrar is the culprit here.

This is how we resolve this problem:

        $permissions = $this->permissions->$method(static function ($permission) use ($params) {
            foreach ($params as $attr => $value) {
                if ($permission->getAttribute($attr) == $value) {
                    return true;
                }
            }

            return false;
        });

I think the return value are swapped? If I swap the 'true' and 'false' value like above, it behaves normally, and I only get PermissionDoesNotExists exception only when I'm supplying it with wrong / invalid permission.

Thanks

Hello,

I am trying to implement permissions in my pages to hide menu items, by example. Currently, I am using this:

@if(auth()->user()->hasPermissionTo('view_admin_top_menu'))
//content
@endif

But it keeps returning the PermissionDoesNotExist exception while I am very sure the permission is in the database. Also, @hasrole() works... so it is very weird to me.

Thanks.

Could it be possible to make $guard_name a property and a static function in the same way Nova does it with 'group' and 'name'? So we can use config('nova.guard')? I'm using a 'web' guard for normal users and a 'back' guard for admin users.

I am having issue when seeding the roles and permissions. I even copy their sample on database seeding here https://github.com/spatie/laravel-permission#database-seeding. I even clear and removed cache before seeding and still I get that error as you can see on this screenshot https://www.screencast.com/t/PAMOsZjS

Anyone could help?

Thank you.

I can't install the package on my recent laravel project. It works fine on the previous ones. Here is the error I get

`composer require spatie/laravel-permission Using version ^3.6 for spatie/laravel-permission ./composer.json has been updated Loading composer repositories with package information Updating dependencies (including require-dev) Package operations: 1 install, 0 updates, 1 removal

• Removing spatie/laravel-view-components (1.2.0)
• Installing spatie/laravel-permission (3.6.0): Loading from cache Writing lock file Generating optimized autoload files

Illuminate\Foundation\ComposerScripts::postAutoloadDump @php artisan package:discover --ansi

ErrorException : Trying to access array offset on value of type null

at /home/abdellah/Documents/PROJECTS/Bank/vendor/spatie/laravel-permission/src/PermissionServiceProvider.php:61 57| protected function registerModelBindings() 58| { 59| $config = $this->app->config['permission.models']; 60|

61| $this->app->bind(PermissionContract::class, $config['permission']); 62| $this->app->bind(RoleContract::class, $config['role']); 63| } 64| 65| protected function registerBladeExtensions()

Exception trace:

1 Illuminate\Foundation\Bootstrap\HandleExceptions::handleError() /home/abdellah/Documents/PROJECTS/Bank/vendor/spatie/laravel-permission/src/PermissionServiceProvider.php:61

2 Spatie\Permission\PermissionServiceProvider::registerModelBindings() /home/abdellah/Documents/PROJECTS/Bank/vendor/spatie/laravel-permission/src/PermissionServiceProvider.php:36

Please use the argument -v to see more details. Script @php artisan package:discover --ansi handling the post-autoload-dump event returned with error code 1

Installation failed, reverting ./composer.json to its original content.`

In a SaaS kind of app, I want the Roles to be tenant specific, meaning:

Roles for App X | Roles for App Y ------------ | ------------- Owner | Superintendent Worker| All mighty Maintenance| Superman

Its not only a matter of naming, each role has different permissions, and App X can't see App Y roles and vice versa. Also there can be an infinite number of apps...

Any suggestion for achieving this? Maybe using guards? Maybe adding a tenant column to the tables? Thanks.

Hey all,

thanks for this awesome package - i really like it as it is quite easy to use. Recently, i stumbled upon a problem, which i thought i could share with you - this might be a contribution for your package.

Problem

In my application i have Teams (a User can be in multiple Teams) and Projects (a Project can have multiple Teams). Furthermore, a Team can have a specific Role within a Project. Therefore, one User can have multiple Roles within a Project.

For now, let us call these Roles Owner, Manager and Member (as they already imply some kind of Hierarchy: Owner > Manager > Member.

I would like to retrieve the highest (i.e., the role with the most access rights) Role for one specific User within a Project.

Idea

I thought it may be possible to enhance the Role table and add an additional level (int, default 0) field to the database. This field would act as some kind of hierarchy.

In the given example, one could just define Owner (10) > Manager (5) > Member (1). Note that the numbers indicate the level.

When retrieving all Roles for the User within a Project we would just need to sort by level and we're already set up!

Furthermore, this idea could be enhanced in order to provide some additional functions to restrict access not only by Role or Permission but also by Level. Think about a method like this hasAtLeastRoleLevel(int level) to check, if the level of the User is higher than - therefore he has access..

What do you think about this feature? Best

Hi! I need to implement in a system where a user can be from different companies with different rules for each of them. Ex: User X - Company A - Admin User X - Company B - Manager Remembering that my system is not Multi Tenancy. It's possible with this package?

Bumps aglipanci/laravel-pint-action from 1.0.0 to 2.1.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

i create a laravel 9 project, but when i check de permissions this always return false, i use the method $this->middleware('permission:opportunities.index|opportunities.index_me|opportunities.index_me_assigns')->only('index');, in laravel 8 this works, but in laravel 9 this alwys return false

Versions You can use composer show to get the version numbers of:

• spatie/laravel-permission package version: 5.7.0
• laravel/framework : v9.45.1

PHP version: 8.1.10 Database version:

i reate de route api and in the controller have public function __construct() { $this->middleware('permission:opportunities.index|opportunities.index_me|opportunities.index_me_assigns')->only('index'); } in the request this fails with the menssage {"data":{"error":"User does not have the right permissions. Necessary permissions are opportunities.index, opportunities.index_me, opportunities.index_me_assigns","code":500}}

Environment (please complete the following information, because it helps us investigate better):

• im using docker

this my dockerfile FROM php:8.1-fpm

Install system dependencies

RUN apt-get update && apt-get install -y libpq-dev
git
curl
libpng-dev
libonig-dev
libxml2-dev
libzip-dev
zip
unzip

Add Node 12 LTS

RUN curl -sL https://deb.nodesource.com/setup_12.x | bash --
&& apt-get install -y nodejs
&& apt-get autoremove -y

Clear cache

RUN apt-get clean && rm -rf /var/lib/apt/lists/*

Install PHP extensions

RUN docker-php-ext-install zip pdo pdo_pgsql pgsql mbstring exif pcntl bcmath gd RUN docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql

Get latest Composer

COPY --from=composer:latest /usr/bin/composer /usr/bin/composer

Create system user to run Composer and Artisan Commands

TO DO change user

RUN useradd -G www-data,root -u 1000 -d /home/xx1196 xx1196 RUN mkdir -p /home/xx1196/.composer &&
chown -R xx1196:xx1196 /home/xx1196

Memory Limit

RUN echo "memory_limit=-1" > $PHP_INI_DIR/conf.d/memory-limit.ini

size upload

RUN echo "upload_max_filesize = -1" > $PHP_INI_DIR/conf.d/upload-max-filesize.ini RUN echo "post_max_size = -1" > $PHP_INI_DIR/conf.d/post-max-size.ini

Set working directory

#WORKDIR /var/www WORKDIR /var/www COPY . /var/www

RUN chown -R xx1196:xx1196 . RUN chmod 755 .

RUN rm -f package-lock.json RUN npm i RUN npm run prod RUN composer install

#RUN php artisan optimize #RUN php artisan migrate

TO DO genera ficheos para firmar

RUN php artisan translations:export -A

RUN php storage.php

RUN chmod -R 777 /var/www/storage RUN chmod -R 777 /var/www/storage/app RUN chmod -R 777 /var/www/storage/app/public #RUN chmod -R 777 /var/www/storage/app/public/*

RUN chmod -R 777 /var/www/resources/lang/ RUN chmod -R 777 /var/www/resources/lang/en/.php RUN chmod -R 777 /var/www/resources/lang/en/.php

RUN php artisan cache:forget spatie.permission.cache CMD php artisan serve --host=0.0.0.0 --port=80

EXPOSE 80

TO DO user v

USER xx1196

this my composer json: { "name": "xx1196/test", "type": "project", "description": "", "keywords": [ "framework", "laravel" ], "license": "MIT", "require": { "php": "^8.1", "assada/laravel-achievements": "^2.5", "aws/aws-sdk-php": "^3.255", "barryvdh/laravel-dompdf": "^2.0", "barryvdh/laravel-translation-manager": "^0.6.3", "coderello/laravel-passport-social-grant": "^3.0", "doctrine/dbal": "^3.5", "fruitcake/laravel-cors": "^3.0", "google/apiclient": "^2.13", "guzzlehttp/guzzle": "^7.5", "kreait/laravel-firebase": "^4.2", "laravel-notification-channels/fcm": "^2.6", "laravel/cashier": "^14.5", "laravel/framework": "^9.45", "laravel/passport": "^11.3", "laravel/sanctum": "^3.0", "laravel/socialite": "^5.5", "laravel/tinker": "^2.7", "laravel/ui": "^4.1", "league/flysystem-aws-s3-v3": "^3.10", "owen-oj/laravel-getid3": "^2.1", "phpoffice/phpspreadsheet": "^1.26", "predis/predis": "^2.0", "ramsey/uuid": "^4.7", "sendgrid/sendgrid": "^8.0", "sentry/sentry-laravel": "^3.1", "spatie/laravel-google-calendar": "^3.5", "spatie/laravel-permission": "^5.7", "tightenco/ziggy": "^1.5" }, "require-dev": { "fakerphp/faker": "^1.9.1", "laravel/pint": "^1.0", "laravel/sail": "^1.0.1", "mockery/mockery": "^1.4.4", "nunomaduro/collision": "^6.1", "phpunit/phpunit": "^9.5.10", "spatie/laravel-ignition": "^1.0", "pestphp/pest-plugin-laravel": "^1.3" }, "autoload": { "psr-4": { "App\": "app/", "Database\Factories\": "database/factories/", "Database\Seeders\": "database/seeders/" } }, "autoload-dev": { "psr-4": { "Tests\": "tests/" } }, "scripts": { "post-autoload-dump": [ "Illuminate\Foundation\ComposerScripts::postAutoloadDump", "@php artisan package:discover --ansi" ], "post-update-cmd": [ "@php artisan vendor:publish --tag=laravel-assets --ansi --force" ] }, "extra": { "laravel": { "dont-discover": [] } }, "config": { "optimize-autoloader": true, "preferred-install": "dist", "sort-packages": true, "allow-plugins": { "pestphp/pest-plugin": true } }, "minimum-stability": "dev", "prefer-stable": true }

I needed to get ManyToMany relation of roles (structure of departments). To do this, I extended the \Spatie\Permission\Models\Role class with methods:

class Department extends \Spatie\Permission\Models\Role
{
    ....
    public function parents(): BelongsToMany
    {
        return $this->belongsToMany(
            Department::class,
            "department_hierarchy,
            'child_id',
            'parent_id'
        );
    }

    public function children(): BelongsToMany
    {
        return $this->belongsToMany(
            Department::class,
            'department_hierarchy',
            'parent_id',
            'child_id'
        );
    }
    ....
}

and created migration:

    Schema::create('department_hierarchy', function (Blueprint $table) {
        $table->string("rel_id", 25)->primary();
        $table->bigInteger("parent_id", false, true);
        $table->bigInteger("child_id", false, true);
        $table->boolean("is_direct")->default(false);
        $table->foreign("parent_id")->references("id")->on("roles");
        $table->foreign("child_id")->references("id")->on("roles");
    });

Everything works well except methods like

\App\Models\Department::withCount('children')

and so on: it always returns parent_count = 0.

The reason of this behavior is in overriding of method getTable in Spatie\Permission\Models\Role.

When extending Illuminate\Database\Eloquent\Model:

echo \App\Models\Department::withCount('children')->toSql();
/**
SELECT `roles`.*, (
SELECT COUNT(*)
FROM `roles` AS `laravel_reserved_0`
INNER JOIN `department_hierarchy` 
    ON `laravel_reserved_0`.`id` = `department_hierarchy`.`child_id`    <-- look at laravel_reserved_0
WHERE `roles`.`id` = `department_hierarchy`.`parent_id`) AS `children_count`
FROM `roles`

When extending \Spatie\Permission\Models\Role:

echo \App\Models\Department::withCount('children')->toSql();
/**
SELECT `roles`.*, (
SELECT COUNT(*)
FROM `roles` AS `laravel_reserved_0`
INNER JOIN `department_hierarchy` 
    ON `roles`.`id` = `department_hierarchy`.`child_id`    <------ laravel_reserved_0 != roles
WHERE `roles`.`id` = `department_hierarchy`.`parent_id`) AS `children_count`
FROM `roles`

withCount() uses Model::table field to temporary store alias name (laravel_reserved_0).

And when (in Illuminate\Database\Eloquent\Model) method Model::getTable() returns $this->table or magic name from class basename, your version returns only pre-configurated table name (config('permission.table_names.roles')) or, if configuration not found, Model::getTable(). So if permission.table_names.roles is configured, it has no change to return $this->table.

I would recommend to rewrite this method like this:

    public function getTable()
    {
        return $this->table ?? config('permission.table_names.roles', parent::getTable());
    }

or for best practice remove method Role::getTable() and replace it with

    public function __construct(array $attributes = [])
    {
        $attributes['guard_name'] = $attributes['guard_name'] ?? config('auth.defaults.guard');

        parent::__construct($attributes);

        $this->guarded[] = $this->primaryKey;

        $this->table = config('permission.table_names.roles', parent::getTable()); // <---------------
    }

Before creating a new bug report Please check if there isn't a similar issue on the issue tracker or in the discussions.

Describe the bug In my project there have multiple guard, I also create seeder file and try to seeding permission for different guard, but I got this error.

The given role or permission should use guard web instead of vendor.

at D:\Client\Laravel\courier-management-system\courier-management-system\vendor\spatie\laravel-permission\src\Exceptions\GuardDoesNotMatch.php:12 8▕ class GuardDoesNotMatch extends InvalidArgumentException 9▕ { 10▕ public static function create(string $givenGuard, Collection $expectedGuards) 11▕ { ➜ 12▕ return new static("The given role or permission should use guard {$expectedGuards->implode(', ')} instead of {$givenGuard}."); 13▕ } 14▕ } 15▕

1 D:\Client\Laravel\courier-management-system\courier-management-system\vendor\spatie\laravel-permission\src\Traits\HasPermissions.php:464 Spatie\Permission\Exceptions\GuardDoesNotMatch::create("vendor", Object(Illuminate\Support\Collection))

2 D:\Client\Laravel\courier-management-system\courier-management-system\vendor\spatie\laravel-permission\src\Traits\HasPermissions.php:340 Spatie\Permission\Models\Role::ensureModelSharesGuard(Object(Spatie\Permission\Models\Permission)) PS D:\Client\Laravel\courier-management-system\courier-management-system>

Versions You can use composer show to get the version numbers of:

• spatie/laravel-permission package version:
• illuminate/framework package

PHP version: 8.1 Database version: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.1.12 Database client version: libmysql - mysqlnd 8.1.12 PHP extension: mysqli Documentation curl Documentation mbstring Documentation PHP version: 8.1.12

To Reproduce Steps to reproduce the behavior:

Here is my example code and/or tests showing the problem in my app: permission table