Permissions on multi-tenancy app

[stylianospanagakos]

I have a 2 tier tenancy app where a system user can spin up client environments with their own db instances. Based on this implementation, I have created a combo of Role + Permission models on the App\Models and the App\Tenant\Models directories respectively. The two Role models are extensions of Spatie's Role implementation and the two Permission models are extensions of Permission implementation. The tenant models use ForTenants trait that defines the database connection as well as the $guard_name property. You can view the Role implementation below (similar approach is followed for Permission models).

namespace App\Models;

use App\Models\Shared\Role as Shared; // Spatie's Role Model

class Role extends Shared
{}

namespace App\Tenant\Models;

use App\Models\Shared\Role as Shared; // Spatie's Role Model
use App\Tenant\Traits\ForTenants;


class Role extends Shared
{
    use ForTenants;

    /**
     * @var string
     */
    protected $guard_name = 'tenant';
}

Based on the docs, I have to specify the model names in the permission.php config in order for the code to know which one to use. The problem as you might have guessed by now is that in order for my implementation to work, I need to support two different model versions depending on the guard and not lock the config by pointing to a specific model version i.e. system or tenant. A solution would have been to update the permission.models.permission and permission.models.role config values during runtime but that did not work:

namespace App\Policies;

use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    public function __construct()
    {
           $tenant = Auth::guard('tenant')->check();
           config([
            'permission.models.permission' => $tenant ? \App\Tenant\Models\Permission::class : \App\Models\Permission::class,
            'permission.models.role' => $tenant ? \App\Tenant\Models\Role::class : \App\Models\Role::class,
           ]);
    }

    /**
     * Determine if user can see all users.
     *
     * @param \App\Models\Shared\Admin $user
     * @return bool
     */
    public function viewAny($user)
    {
        return $user->can('manage own users');
    }

The weird thing is if I try to do a dd($user->hasPermissionTo('manage own users')); inside the viewAny Policy method, it will show me the following error:

There is no permission named `manage own users` for guard `tenant`.

and doing dd($user->permissions); I get an empty array, but if I do dd($user->getAllPermissions()); I can see a collection of the permissions attached to the user with the manage own users permission being part of it.

Am I missing some important step that I need to take into consideration in order for my approach to work or does the package restrict the usage of only one type of model in the config?

Thanks for the great package!

[drbyte]

It's been awhile. Did you come up with a solution to your issue?

[jonquintero]

I have the same problem, I am using the hyn tenancy package, when I consult the user and the role everything is fine, when I consult for the permissions of that user everything is fine, but when I search for a specific permission, and even when I pass the middleware of the permissions in the constructor, it generates the error

[hapidjus]

@jonquintero

I ran in to the same problem and solved it by creating my own Role and Permission models that extend Spaties models and added the UsesTenantConnection trait.

<?php

namespace App\Models;

use Spatie\Multitenancy\Models\Concerns\UsesTenantConnection;
use Spatie\Permission\Models\Permission as SpatiePermission;

class Permission extends SpatiePermission
{
    use UsesTenantConnection;
}

Then I changed the permission.php config to point to the new models.

'permission' => App\Models\Permission::class,
'role' => App\Models\Role::class,

[jonquintero]

@hapidjus

What about Permission and Role in SystemConnection? because you are overwriting permission.php models connection

[stylianospanagakos]

Just to let everyone know that I couldn't resolve this issue so I had to remove the role/permissions from the system level and only apply it only on the tenant level. Seems that no one else managed to find a solution to the problem... If there is any that is.

[erikn69]

@stylianospanagakos discussions 1782
That's my solution, it's not the best way to do it, but it's been working for me for years. Maybe that idea will help you