Teams Middleware and Testing

[mojowill]

I'm struggling with getting this to work as expected when using teams.

First up is the creation of custom middleware as detailed here https://spatie.be/docs/laravel-permission/v5/basic-usage/teams-permissions#working-with-teams-permissions

I have created the middleware but am not sure my implementation in Kernel.php is correct. I have added the middelware to $middlewarePriority as suggested but is it in the right place?

protected $middlewarePriority = [
        \Illuminate\Cookie\Middleware\EncryptCookies::class,
        StartSession::class,
        ShareErrorsFromSession::class,
        AuthenticatesRequests::class,
        ThrottleRequests::class,
        ThrottleRequestsWithRedis::class,
        AuthenticateSession::class,
        SubstituteBindings::class,
        TeamsPermission::class, // my custom middleware
        Authorize::class,
    ];

It only seems to work however if I also register my middleware in the $middlewareGroups:

protected $middlewareGroups = [
        'web' => [
            EncryptCookies::class,
            AddQueuedCookiesToResponse::class,
            StartSession::class,
            // \Illuminate\Session\Middleware\AuthenticateSession::class,
            ShareErrorsFromSession::class,
            VerifyCsrfToken::class,
            SubstituteBindings::class,
            TeamsPermission::class, // my custom middleware
            CheckIsSuspended::class
        ],

Any additional guidance would be appreciated.

Secondly testing.....

I am running my seeds during SetUp() however we need to test roles during some of our tests, generally in a test we use setPermissionsTeamId() to set to the appropriate team and then assign a role to the user, however this doesn't appear to work consistently or as expected, in some cases tests pass, in others they don't with 403 errors when not expected. When debugging I can see that the role is assigned but the session('team_id') (which is what we use to track and set teams) isn't always in-sync with app(PermissionRegistrar::class)->getPermissionsTeamId().

I am assuming that perhaps my second point is related to my first and our middleware isn't correct?

Paging @erikn69 as he seems to be the legend when it comes to team permissions 😉

[erikn69]

It only seems to work however if I also register my middleware in the $middlewareGroups:

Yes, it must be on $middlewareGroups(important), but you can make your team_id setter by other ways
$middlewarePriority is opcional, but when you use other middleware could be needed, here is mine: #1906 (reply in thread)

---

in some cases tests pass, in others they don't with 403 errors when not expected

Maybe you aren't using tests correctly, but i can't know that
#1894 https://laravel.com/docs/8.x/database-testing#persisting-models
maybe RefreshDatabase?

UPDATE:
Also your middleware maybe don't work on testing, use setPermissionsTeamId(), and before test $user->load('roles','permissions'); for sync with the setted team_id, example:

laravel-permission/tests/TeamHasRolesTest.php

Lines 25 to 27 in 08cc9bd

	$this->setPermissionsTeamId(1);
	$this->testUser->load('roles');
	$this->testUser->assignRole('testRole', 'testRole2');

[erikn69]

when you create the role admin, do you set team_id to null?

[mojowill]

Yes all roles in the seeder are set with team_id null as they are global roles

[erikn69]

I did make a little test and i think i found the problem

setPermissionsTeamId(1);
$user->unsetRelation('roles')->unsetRelation('permissions');
$this->actingAs($user)
    ->withSession(['team_id' => 3])
    ->get('tokens/test-success')
    ->assertForbidden();

Using unsetRelation lets the middleware do his work

Other tip, did you add team_id to recreate session on remember-me functionality?

[mojowill]

will test the unsetRelation as for the team_id no I haven't added it elsewhere/.... 😖

[erikn69]

Ok thanks that works but I experiencing the same issues as the other tests the team id and getPermissionsId do not always match?

everything checked, i can't replicate your issue, i can't do more

/** This is permitted */
public function test_WebSuccess()
{
    $user = $this->prepare();
    setPermissionsTeamId(2);
    $user->unsetRelation('roles')->unsetRelation('permissions');
    $this->actingAs($user)
        ->withSession(['team_id' => 1])
        ->get('tokens/test-success')
        ->assertOk();
    $this->assertEquals(1, app(PermissionRegistrar::class)->getPermissionsTeamId());
}

/** This is forbidden */
public function test_WebFailed()
{
    $user = $this->prepare();        
    setPermissionsTeamId(1);
    $user->unsetRelation('roles')->unsetRelation('permissions');
    $this->actingAs($user)
        ->withSession(['team_id' => 2])
        ->get('tokens/test-success')
        ->assertForbidden();
    $this->assertEquals(2, app(PermissionRegistrar::class)->getPermissionsTeamId());
}

PHPUnit 9.5.10 by Sebastian Bergmann and contributors.
..                                                                  2 / 2 (100%)
Time: 00:00.326, Memory: 28.00 MB
OK ( 2 tests, 14 assertions)

[mojowill]

Perhaps I'm being dumb, which is entirely possible. But getPermissionsTeamId doesn't appear to be working for me as I would expect?

I created a simple test to just test roles and permissions were working as I expected without the rest of the app following the example you provided, when I add a test to check the value of getPermissionsTeamId it comes back as null?

public function test_that_the_team_id_is_set_correctly_via_the_middleware()
    {
        setPermissionsTeamId($this->team->id);
        $this->user2->load('roles');
        $this->user->assignRole('admin', 'manager');
        
        $this->actingAs($this->user)
            ->withSession(['team_id' => $this->team->id])
            ->get(route('dashboard'));

        $this->assertEquals($this->team->id, getPermissionsTeamId());
    }

[erikn69]

that is another problem to be resolved #1944

[IMPORTANT] Fixed missing return on getPermissionsTeamId() helper

laravel-permission/src/helpers.php

Lines 37 to 40 in 1c9304a

	function getPermissionsTeamId()
	{
	app(\Spatie\Permission\PermissionRegistrar::class)->getPermissionsTeamId();
	}

use app(PermissionRegistrar::class)->getPermissionsTeamId() for the moment, authors not responding

[mojowill]

Ok thanks that works but I experiencing the same issues as the other tests the team id and getPermissionsId do not always match?

?

[erikn69]

setPermissionsTeamId($this->team);

You can set $this->team directly, not ->id needed

[mojowill]

So I think i fixed the issue in my Permissions test (I was getting the roles for a different team in my dashboard and not resetting setPermissionsTeamId back to what it should be)

However my original test is still showing the same issues where sometimes it passes and sometimes it fails

[mojowill]

I think my main issue is how I've implemented a method to return the users roles for a given team (ie what roles have been assigned to the user for the given team).

Is there a cleaner way to do this?

/**
     * Returns the Roles associated with the current user for the given team
     *
     * @param  User  $user
     * @param  int  $teamId
     * @return Collection|mixed|Role[]
     */
    public function getTeamRoles(self $user, int $teamId)
    {
        $originalTeam = app(PermissionRegistrar::class)->getPermissionsTeamId();
        app(PermissionRegistrar::class)->setPermissionsTeamId($teamId);

        $user->load('roles');

        setPermissionsTeamId($originalTeam);

        return $user->roles;
    }

[erikn69]

return Role::whereHas('users', function ($query) use ($user, $teamId) {
    $query->where(config('permission.column_names.model_morph_key'), $user->getKey())
        ->where(PermissionRegistrar::$teamsKey, $teamId);
})->get();

[mojowill]

Pure gold thanks! Just like that the issues are resolved!

[erikn69]

#1948