Wrong database when checking permissions

[krand-dsa]

Hi,

I'm using

• laravel/framework 11.15.0
• filament/filament 3.2.93
• spatie/laravel-permission 6.9.0
• spatie/laravel-multitenancy 4.0.0 (but the behavior was the same with 3.2.0)

In laravel-multitenancy I use separate databases for landlord and tenants.

In laravel-permission I created roles and permissions with the respective guard_names of landlord and tenants. These are available in the respective databases. There also permissions are assigned to roles.
In all databases exists a user "Active User" which holds the role "User". The role "User" has - amongst others - the permission to 'list.users'.

In Filament I use two panels. One for the landlord, one for the tenants. In each of them I set up a UserResource to manage the respective users. Landlord panel and tenant panel each have their own code (User Resource, policies) and models. The models use the respective database-traits for landlord and tenants.

In the landlord panel everything works fine. The Active User gets access to the UserResource according to the set permissions (e.g. list and view, but not edit and delete). When I change the permissions the panel responds to the changes as expected.

In the tenant panel however access to the UserResource is declined, although in the tenant database the appropriate permission is set for the role User and the Active User has the role User. Adding a direct permission to the user didn't change anything. When I remove the UserPolicy of the tenant, access is granted and the correct tenant-database is used (which can be judged based on the content).

In order to investigate the problem I activated the UserPolicy again.
There viewAny() checks if $user->can('list.users'); This returns false, although the permission exists in the tenant database (with the 'tenants' guard name) and the role has the permission:
Log::debug('user->can returns: ', [$user->can('list.users')]);
[2024-07-25 06:29:09] local.DEBUG: user->can returns: [false] {"tenantId":1}

Next I checked if in viewAny() the correct tenant-user is known. This is the case:
Log::debug('User is: ', [$user]);
[2024-07-25 06:29:09] local.DEBUG: User is: [{"App\\Models\\tenants\\User":{"id":2,"name":"Active User","email":"[email protected]","email_verified_at":"2024-07-24T18:24:35.000000Z","created_at":"2024-07-24T18:24:35.000000Z","updated_at":"2024-07-24T18:24:35.000000Z","active":1,"roles":[{"id":2,"name":"User","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"role_id":2}}],"permissions":[{"id":11,"name":"list.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"permission_id":11}}]}}] {"tenantId":1}

Next I checked for the permissions of the user knonw at viewAny(). list.users is amongst them:
Log::debug('User has getAllPermissions: ', [$user->getAllPermissions()]);
[2024-07-25 06:29:09] local.DEBUG: User has getAllPermissions: [{"Illuminate\\Database\\Eloquent\\Collection":[{"id":1,"name":"list.permissions","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":1}},{"id":3,"name":"view.permissions","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":3}},{"id":6,"name":"list.roles","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":6}},{"id":8,"name":"view.roles","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":8}},{"id":11,"name":"list.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"permission_id":11}},{"id":13,"name":"view.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":13}}]}] {"tenantId":1}

So far there seems to be no reason, why access to the user list should be declined. But still $user->can('list.users') returns false.
Next I tried in viewAny() to directly ask if the user has the permission to list.users.
Log::debug('user->hasPermissionTo list.users returns: ', [$user->hasPermissionTo('list.users')]);
This returned a PermissionDoesNotExist exception (There is no permission named list.users for guard tenants.), although the permission exists in the tenant database.

As it turned out $user->hasPermissionTo('list.users') queries the landlord database instead of the tenant database. The list.users permission that exists there is bound to the landlord guard_name and therefore does not match. When I add the same permission with the tenants guard_name in the landlord database, the exception disappears, but access is still declined. If I add this new tenant-permission to the User role int the landlord database, access is granted.
At this stage the Log:debugs() mentioned above return the following:
[2024-07-25 06:30:08] local.DEBUG: user->can returns: [true] {"tenantId":1} [2024-07-25 06:30:08] local.DEBUG: User is: [{"App\\Models\\tenants\\User":{"id":2,"name":"Active User","email":"[email protected]","email_verified_at":"2024-07-24T18:24:35.000000Z","created_at":"2024-07-24T18:24:35.000000Z","updated_at":"2024-07-24T18:24:35.000000Z","active":1,"roles":[{"id":2,"name":"User","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"role_id":2}}],"permissions":[{"id":11,"name":"list.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"permission_id":11}}]}}] {"tenantId":1} [2024-07-25 06:30:08] local.DEBUG: User has getAllPermissions: [{"Illuminate\\Database\\Eloquent\\Collection":[{"id":1,"name":"list.permissions","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":1}},{"id":3,"name":"view.permissions","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":3}},{"id":6,"name":"list.roles","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":6}},{"id":8,"name":"view.roles","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":8}},{"id":11,"name":"list.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"model_type":"App\\Models\\tenants\\User","model_id":2,"permission_id":11}},{"id":13,"name":"view.users","guard_name":"tenants","created_at":"2024-07-24T18:24:34.000000Z","updated_at":"2024-07-24T18:24:34.000000Z","pivot":{"role_id":2,"permission_id":13}}]}] {"tenantId":1} [2024-07-25 06:30:08] local.DEBUG: user->hasPermissionTo list.users returns: [true] {"tenantId":1}

So, for any reasons that I do not understand, $user->getAllPermissions() returns the correct result from the tenant-database while $user->hasPermissionTo() and $user->can() return an incorrect result from the landlord-database, while acknowledging in the log that "tenantId":1 is active. All of this happens immediately one after the other in viewAny() in the UserPolicy.

Honestly, I have no idea why this happens and how to investigate it further.
Do you have any hints for me?

Thanks in advance!
krand

[krand-dsa]

A longer Xdebug-Session confirmed, that the two methods of the HasPermission trait (part of laravel-permissons) getAllPermissions() and hasPermissionTo() use the tenant- and the landlord-database respectively. That $user->can() declines access is a result of hasPermissionTo(), which is in the call-chain of can().

I still did not find the cause of this behaviour and opened a discussion at laravel-permissions that points to this discussion in case the root-cause is to be found there.

[krand-dsa]

A solution has been found. The laravel-permission config needs to be made tenant-aware with a switch-task: spatie/laravel-permission#2699 (comment)