'User->can()' get a wrong access

[lannodev]

I have 2 roles and 8 permissions:

/** Roles */
$roleAdmin = Role::create(['name' => 'admin', 'guard_name' => 'web']);
$roleStandard = Role::create(['name' => 'standard', 'guard_name' => 'web']);

 /** Users Permissions */
$UserCreate = Permission::create(['name' => 'users:create', 'guard_name' => 'web']);
$UserRead = Permission::create(['name' => 'users:read', 'guard_name' => 'web']);
$UserUpdate = Permission::create(['name' => 'users:update', 'guard_name' => 'web']);
$UserDelete = Permission::create(['name' => 'users:delete', 'guard_name' => 'web']);

/** Complaints Permissions */
$ComplaintCreate = Permission::create(['name' => 'complaints:create', 'guard_name' => 'web']);
$ComplaintRead = Permission::create(['name' => 'complaints:read', 'guard_name' => 'web']);
$ComplaintUpdate = Permission::create(['name' => 'complaints:update', 'guard_name' => 'web']);
$ComplaintDelete = Permission::create(['name' => 'complaints:delete', 'guard_name' => 'web']);

/** Admin Permissions */
$adminPermissions = [
  $UserCreate,
  $UserRead,
  $UserUpdate,
  $UserDelete,
  $ComplaintCreate,
  $ComplaintRead,
  $ComplaintUpdate,
  $ComplaintDelete,
];

$roleAdmin->syncPermissions($adminPermissions);
$roleStandard->syncPermissions([$ComplaintCreate, $ComplaintRead]);

The auth user have the 'standard' role. that have complaints:create and complaints:read.
If I try to access the users route that need an 'users:read' permission, the method Auth::user()->can('users:read') return true.

dd(
  Auth::user()->getPermissionsViaRoles()->pluck('name'),
  Auth::user()->can('users:read'),
  Auth::user()->hasPermissionTo('users:read')
);

Illuminate\Support\Collection {#1424 ▼ // app\Http\Controllers\UserController.php:20
  #items: array:2 [▼
    0 => "complaints:create"
    1 => "complaints:read"
  ]
  #escapeWhenCastingToString: false
  
  true // app\Http\Controllers\UserController.php:20
  true // app\Http\Controllers\UserController.php:20
}

This is only happens for users:read permission.

I try to debug hasPermissionTo function in vendor\spatie\laravel-permission\src\Traits\HasPermissions.php
I found that hasDirectPermission return true.
Inside this hasDirectPermission I make a dd($this->permissions) and discovery that aways shows users:read for any permission that I need to check

Illuminate\Database\Eloquent\Collection {[#1457 ▼](http://localhost:8000/users#sf-dump-2107747355-ref21457) // vendor\spatie\laravel-permission\src\Traits\HasPermissions.php:304
  #items: array:1 [▼
    0 => Spatie\Permission\Models\Permission {#1460 ▼
      #connection: "mysql"
      #table: "permissions"
      #primaryKey: "id"
      #keyType: "int"
      +incrementing: true
      #with: []
      #withCount: []
      +preventsLazyLoading: false
      #perPage: 15
      +exists: true
      +wasRecentlyCreated: false
      #escapeWhenCastingToString: false
      #attributes: array:5 [▼
        "id" => 2
        "name" => "users:read"
        "guard_name" => "web"
        "created_at" => "2023-04-14 13:40:50"
        "updated_at" => "2023-04-14 13:40:50"
      ]
      #original: array:8 [▶]
      #changes: []
      #casts: []
      #classCastCache: []
      #attributeCastCache: []
      #dateFormat: null
      #appends: []
      #dispatchesEvents: []
      #observables: []
      #relations: array:1 [▶]
      #touches: []
      +timestamps: true
      +usesUniqueIds: false
      #hidden: []
      #visible: []
      #fillable: []
      #guarded: array:1 [▶]
      -roleClass: null
      -permissionClass: null
      -wildcardClass: null
    }
  ]
  #escapeWhenCastingToString: false
}

I dont know if this is a bug.
I'm using Laravel 10 with Jetstreams.

[erikn69]

Seems like you have direct permission, do this

Auth::user()->revokePermissionTo('users:read');
dd(
  Auth::user()->permissions->pluck('name'),
  Auth::user()->getPermissionsViaRoles()->pluck('name'),
  Auth::user()->can('users:read'),
  Auth::user()->hasPermissionTo('users:read')
);

[lannodev]

Thank you very much 🥳