fix: capability-permission relationships not being synced in sync method (#42)

shavonn · web-flow · commit 5e0f8425001b · 2026-01-21T10:33:31.000-05:00
diff --git a/src/Mandate.php b/src/Mandate.php
@@ -9,6 +9,7 @@
 use Illuminate\Support\Collection;
 use OffloadProject\Mandate\CodeFirst\DefinitionCache;
 use OffloadProject\Mandate\CodeFirst\DefinitionDiscoverer;
+use OffloadProject\Mandate\CodeFirst\PermissionDefinition;
 use OffloadProject\Mandate\Concerns\HasRoles;
 use OffloadProject\Mandate\Contracts\Capability as CapabilityContract;
 use OffloadProject\Mandate\Contracts\FeatureAccessHandler;
@@ -690,7 +691,10 @@ public function sync(
         $capabilitiesCreated = 0;
         $capabilitiesUpdated = 0;
 
-        $syncAll = ! $permissions && ! $roles && ! $capabilities && ! $seedOnly;
+        // Sync all if no specific flags passed, or if seed is used with code-first enabled
+        // This ensures discovered permissions are synced before seeding assignments
+        $syncAll = ! $permissions && ! $roles && ! $capabilities
+            && (! $seedOnly || $codeFirstEnabled);
 
         // Determine what to sync (skip if seed-only mode)
         $syncPermissions = $codeFirstEnabled && ($syncAll || $permissions);
@@ -825,6 +829,9 @@ private function syncDefinitionsToDatabase(
                 ->where('guard', $definition->guard)
                 ->first();
 
+            /** @var Permission|Role|Capability|null $model */
+            $model = $existing;
+
             if ($existing) {
                 $needsUpdate = false;
                 $updates = [];
@@ -855,14 +862,45 @@ private function syncDefinitionsToDatabase(
                     $attributes['description'] = $definition->description;
                 }
 
-                $modelClass::query()->create($attributes);
+                $model = $modelClass::query()->create($attributes);
                 $created++;
             }
+
+            // Sync capability-permission relationships for permissions
+            if ($entityType === 'permissions' && $model instanceof Permission && $definition instanceof PermissionDefinition) {
+                $this->syncPermissionCapabilities($model, $definition->capabilities);
+            }
         }
 
         return ['created' => $created, 'updated' => $updated];
     }
 
+    /**
+     * Sync a permission's capability relationships.
+     *
+     * @param  array<string>  $capabilityNames
+     */
+    private function syncPermissionCapabilities(Permission $permission, array $capabilityNames): void
+    {
+        if (empty($capabilityNames) || ! $this->capabilitiesEnabled()) {
+            return;
+        }
+
+        /** @var class-string<Capability> $capabilityClass */
+        $capabilityClass = config('mandate.models.capability', Capability::class);
+
+        foreach ($capabilityNames as $capabilityName) {
+            /** @var Capability $capability */
+            $capability = $capabilityClass::query()
+                ->firstOrCreate(
+                    ['name' => $capabilityName, 'guard' => $permission->guard]
+                );
+
+            // Grant the permission to the capability (uses syncWithoutDetaching internally)
+            $capability->grantPermission($permission);
+        }
+    }
+
     /**
      * Seed role-permission and role-capability assignments from config.
      */
diff --git a/tests/Feature/Commands/SyncCommandTest.php b/tests/Feature/Commands/SyncCommandTest.php
@@ -316,5 +316,15 @@
 
         // user:delete should also have user-management (from class-level)
         expect($userManagement->hasPermission('user:delete'))->toBeTrue();
+
+        // Verify the pivot table actually has records
+        $pivotTable = config('mandate.tables.capability_permission', 'capability_permission');
+        $pivotCount = Illuminate\Support\Facades\DB::table($pivotTable)->count();
+        expect($pivotCount)->toBe(4); // user:view, user:edit, user:delete -> user-management (3) + user:delete -> admin-only (1)
+
+        // Also verify by loading permissions relationship
+        $userManagement->load('permissions');
+        expect($userManagement->permissions)->toHaveCount(3);
+        expect($userManagement->permissions->pluck('name')->toArray())->toContain('user:view', 'user:edit', 'user:delete');
     });
 });
diff --git a/tests/Feature/SyncMethodTest.php b/tests/Feature/SyncMethodTest.php
@@ -266,6 +266,60 @@
         expect($role->hasCapability('another-capability'))->toBeTrue();
     });
 
+    it('syncs capability-permission relationships from Capability attributes', function () {
+        $this->enableCapabilities();
+        config(['mandate.code_first.enabled' => true]);
+        config(['mandate.code_first.paths.permissions' => __DIR__.'/../Fixtures/CodeFirst']);
+
+        Mandate::sync(permissions: true);
+
+        $capabilityClass = config('mandate.models.capability');
+
+        // UserPermissions has class-level #[Capability('user-management')]
+        // So user:view, user:edit, user:delete should have user-management capability
+        $userManagement = $capabilityClass::where('name', 'user-management')->first();
+        expect($userManagement)->not->toBeNull();
+        expect($userManagement->hasPermission('user:view'))->toBeTrue();
+        expect($userManagement->hasPermission('user:edit'))->toBeTrue();
+        expect($userManagement->hasPermission('user:delete'))->toBeTrue();
+
+        // user:delete also has constant-level #[Capability('admin-only')]
+        $adminOnly = $capabilityClass::where('name', 'admin-only')->first();
+        expect($adminOnly)->not->toBeNull();
+        expect($adminOnly->hasPermission('user:delete'))->toBeTrue();
+
+        // Verify pivot table records
+        $pivotTable = config('mandate.tables.capability_permission', 'capability_permission');
+        $pivotCount = Illuminate\Support\Facades\DB::table($pivotTable)->count();
+        expect($pivotCount)->toBe(4); // 3 for user-management + 1 for admin-only
+    });
+
+    it('syncs all discovered permissions when using seed with code-first enabled', function () {
+        config(['mandate.code_first.enabled' => true]);
+        config(['mandate.code_first.paths.permissions' => __DIR__.'/../Fixtures/CodeFirst']);
+        config(['mandate.code_first.paths.roles' => __DIR__.'/../Fixtures/CodeFirst']);
+
+        // Only assign one permission, but all should be synced
+        config(['mandate.assignments' => [
+            'partial-role' => [
+                'permissions' => ['article:view'],
+            ],
+        ]]);
+
+        Mandate::sync(seed: true);
+
+        // All permissions from code-first should be synced, not just those in assignments
+        expect(Permission::where('name', 'article:view')->exists())->toBeTrue();
+        expect(Permission::where('name', 'article:create')->exists())->toBeTrue();
+        expect(Permission::where('name', 'article:edit')->exists())->toBeTrue();
+        expect(Permission::where('name', 'article:delete')->exists())->toBeTrue();
+
+        // But only article:view should be assigned to the role
+        $role = Role::where('name', 'partial-role')->first();
+        expect($role->hasPermission('article:view'))->toBeTrue();
+        expect($role->hasPermission('article:create'))->toBeFalse();
+    });
+
     it('respects guard filter when seeding', function () {
         config(['mandate.code_first.enabled' => false]);
 
