cartalyst / sentinel

A framework agnostic authentication & authorization system.
BSD 3-Clause "New" or "Revised" License
1.51k stars 238 forks

HasAccess function returns false if a user has multiple roles and different permissions #555

Closed AjithGigsboard closed 3 years ago

AjithGigsboard commented 3 years ago

Description

A user has multiple roles and permissions. Permissions are defined at role level, not at user level.

//Customer
$customerRole = Sentinel::findRoleBySlug('customer');

$customerRole->permissions = [
    'teams.index' => false,
    'teams.create' => false,
    'teams.store' => false,
    'teams.show' => false,
    'teams.edit' => false,
    'teams.update' => false,
    'teams.destroy' => false,

    'proposal.initiate' => false,
    'proposal.store' => false,
    'proposal.assigned_components' => false,

    'openjobs' => false,
];

$customerRole->save();

//Customer PM
$cus_prmRole = Sentinel::findRoleBySlug('cus_prm');

$cus_prmRole->permissions = [
    'teams.index' => true,
    'teams.create' => true,
    'teams.store' => true,
    'teams.show' => true,
    'teams.edit' => true,
    'teams.update' => true,
    'teams.destroy' => true,

    'proposal.initiate' => true,
    'proposal.store' => true,
    'proposal.assigned_components' => true,

    'openjobs' => true,
];

$cus_prmRole->save();

and User 1 has both the customer and cus_prm roles. When trying to authorize the user using Sentinel::hasAccess() for the cus_prm role,

Expected behaviour

The user should be authorized to do the action (or Sentinel::hasAccess() should return true).

Actual behaviour

Getting false.

Steps to reproduce

  1. Create two roles like above.
  2. Assign them to a single user.
  3. In the controller, try to authorize the user.

brunogaspar commented 3 years ago

Are you trying to use the hasAccess method to determine if the user has the cus_prm role set?

Or are you using the hasAccess to determine if one of the roles permissions are allowed?

From what you wrote, it seems the first one, but I don't know exactly what you're trying to achieve, as the steps to reproduce are unclear.

AjithGigsboard commented 3 years ago

Or are you using the hasAccess to determine if one of the roles permissions are allowed?

yes.

The user has the cus_prm and customer roles. I want to check that cus_prm is allowed to access the team.index and team.show URIs and that customer is not allowed to access those URIs.

brunogaspar commented 3 years ago

Ok, I think the "issue" is that, if one of those permissions is denied, Sentinel will use that, which is the default.

You can change the behaviour, but you need to implement your own permissions logic by creating a Permissions class and telling Sentinel to use it in the config file or at runtime (should work too), or set those specific permissions at user level.

I don't believe it's a bug or an issue; it's a design feature, more or less for security.
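
Added example (not part of this issue and not Sentinel's own code): the two resolution strategies discussed above, modelled with plain arrays so it runs without Sentinel. The helper names and the array layout are assumptions; the "deny wins across roles" merge follows the behaviour described in this thread, not Sentinel's source.

```php
<?php
// Added illustration: deny-wins merge across roles versus a role-scoped check.

/**
 * Merge several roles' permission maps so that a permission is granted only
 * when no assigned role denies it (the default behaviour described above).
 */
function mergeDenyWins(array $rolePermissions): array
{
    $merged = [];
    foreach ($rolePermissions as $permissions) {
        foreach ($permissions as $key => $allowed) {
            // First sighting sets the key; a later explicit false overrides a true.
            if (!array_key_exists($key, $merged) || $allowed === false) {
                $merged[$key] = $allowed;
            }
        }
    }
    return $merged;
}

/** Check one permission against the merged set, with user-level overrides on top. */
function hasAccessMerged(array $rolePermissions, array $userPermissions, string $permission): bool
{
    // User-level entries replace the merged role result for the same key,
    // which is the second option suggested in the thread.
    $effective = array_merge(mergeDenyWins($rolePermissions), $userPermissions);
    return ($effective[$permission] ?? false) === true;
}

/** Check one permission against a single named role, ignoring the others. */
function hasAccessAsRole(array $rolePermissions, string $roleSlug, string $permission): bool
{
    return ($rolePermissions[$roleSlug][$permission] ?? false) === true;
}

// Constructed data: a subset of the two roles from the issue.
$roles = [
    'customer' => ['teams.index' => false, 'teams.show' => false],
    'cus_prm'  => ['teams.index' => true,  'teams.show' => true],
];

// Merged check: the customer role's deny overrides cus_prm's allow.
var_dump(hasAccessMerged($roles, [], 'teams.index'));
// Role-scoped check: only cus_prm is consulted.
var_dump(hasAccessAsRole($roles, 'cus_prm', 'teams.index'));
// Merged check with a user-level grant layered on top of the roles.
var_dump(hasAccessMerged($roles, ['teams.index' => true], 'teams.index'));
```

A role-scoped check is only safe when the calling code has already established which role the request is acting under; otherwise a user could pick the most permissive role for every request.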

AjithGigsboard commented 3 years ago

Ok. Understood. But it would be better if we could specify which role is considered when checking the permission in the hasAccess method.

brunogaspar commented 3 years ago

I don't believe that's possible/doable with the default behaviour; you probably need to create your own logic for this.

AjithGigsboard commented 3 years ago

Okay.

brunogaspar commented 3 years ago

We are open to pull requests, so you're more than welcome to submit a pull request that adds such functionality if you feel like it :)

AjithGigsboard commented 3 years ago

We are open to pull requests, so you're more than welcome to submit a pull request that adds such functionality if you feel like it :)

Okay