Integrity constraint violation: 1048 Column 'team_id' cannot be null

[enaeim]

Hi.

I read all of the following issues carefully several times and applied them all to my project, but I still have the same problem:
https://spatie.be/docs/laravel-permission/v5/basic-usage/super-admin
https://spatie.be/docs/laravel-permission/v5/basic-usage/teams-permissions#working-with-teams-permissions
#1840
#1845
#1853
#1855
#1893

I think this problem is a bug Or that the spatie/laravel-permission document is incomplete.

please help me!

[erikn69]

Only when teams are enabled

team_id as the primary key of the relationships is always required

Read again https://spatie.be/docs/laravel-permission/v5/basic-usage/teams-permissions#defining-a-super-admin-on-teams

[haleyngonadi]

@erikn69 What if we want to set a Super Admin across the site, without having to set the super admin for every team.. what would you recommend?

[erikn69]

it is not a bug

what would you recommend?

you have to customize migration(#1980) and relation roles on User model with whereNull($teamField)->orWhere($teamField,getPermissionsTeamId()) instead of wherePivot, but that maybe breaks other things

laravel-permission/src/Traits/HasRoles.php

Lines 57 to 62 in 6a3ed62

	return $relation->wherePivot(PermissionRegistrar::$teamsKey, getPermissionsTeamId())
	->where(function ($q) {
	$teamField = config('permission.table_names.roles').'.'.PermissionRegistrar::$teamsKey;
	$q->whereNull($teamField)->orWhere($teamField, getPermissionsTeamId());
	});
	}

[AAllport]

We're also interested in this feature!
Creating a SASS project where there's a permission structure within each Customer (team) and a permission structure for support.
Such structure will mean we won't have to create a fake Customer to assign support permission roles

[PaolaRuby]

What if we want to set a Super Admin across the site, without having to set the super admin for every team.. what would you recommend?

@haleyngonadi just add a field on user's table like 'is_admin', and

Gate::before(function ($user, $ability) {
    return $user->is_admin ? true : null;
});

https://spatie.be/index.php/docs/laravel-permission/v5/basic-usage/super-admin

[inmanturbo]

I took this to be a bug at first simply because the behavior is not what you expect from this portion of the docs:

See #Roles Creating

When creating a role you can pass the team_id as an optional parameter

// with null team_id it creates a global role, global roles can be assigned to any team and they are unique
Role::create(['name' => 'writer', 'team_id' => null]);

// creates a role with team_id = 1, team roles can have the same name on different teams
Role::create(['name' => 'reader', 'team_id' => 1]);

// creating a role without team_id makes the role take the default global team_id
Role::create(['name' => 'reviewer']);

But when you attempt to assign the role you run into the error mentioned above.

However, if you read ahead a little further the docs explain that the team_id is always required on the relationship, and an example is provided as to how to use the boot method to hook into the created event and ensure that the proper id for the current team context is assigned.

[singleseeker]

Any update? Hope this could be fixed.

[erikn69]

Is a expected behaivor

[ninjasitm]

For anyone looking for a solution, not sure how this breaks the functionality as you'll need to ensure that you setPermissionsTeamId($id) where needed; however this solution allows me to find super admin and developer roles as needed. In your User class. Solved a huge headache for me where newly onboarded devs couldn't access our super admin portal for a client project:

    /**
     * A model may have multiple roles.
     */
    public function roles(): BelongsToMany
    {
        $relation = $this->morphToMany(
            config('permission.models.role'),
            'model',
            config('permission.table_names.model_has_roles'),
            config('permission.column_names.model_morph_key'),
            PermissionRegistrar::$pivotRole
        );

        if (!PermissionRegistrar::$teams) {
            return $relation;
        }

        $teamId = getPermissionsTeamId();
        if ($teamId) {
            return $relation->wherePivot(PermissionRegistrar::$teamsKey, $teamId)
                ->where(function ($q) use ($teamId) {
                    $teamField = config('permission.table_names.roles') . '.' . PermissionRegistrar::$teamsKey;
                    $q->whereNull($teamField)->orWhere($teamField, $teamId);
                });
        }
        return $relation;
    }

[marksparrish]

Seems like we should create a "Global Team". When you create a new user or when a user registers, this user would be assigned to the global team as well as a personal team. I know I was trying to figure out how to prevent a user from having a personal team but still see global assets. I think this would solve my issue. When the package is installed a question could be asked "Do you need a 'Global Team?" The global_team_id could be recorded in the permissions.php config file or as their personal team.

[lukebouch]

I'm running into the same issue. I need roles and permissions both at the team level and at the global level. In fact, I actually need roles at three different levels.

It would be great if this could be supported.

[erikn69]

@lukebouch you can overwrite everything you need

[lukebouch]

@erikn69 ok. I will try that.

You said it might break other things. What might it break?

[erikn69]

I would not be able to answer that, because you will have your own code, with a functionality that is not what was expected, only you could check that it was broken, maybe run the tests with your changes

[TechoLead]

[TechoLead]

@parallels999 I replicated what you said and it seems to be true, it runs into the RoleAlreadyExists. How would you accomplish this?

[erikn69]

// with null team_id it creates a global role, global roles can be assigned to any team and they are unique
Role::create(['name' => 'writer', 'team_id' => null]);

// creates a role with team_id = 1, team roles can have the same name on different teams
Role::create(['name' => 'reader', 'team_id' => 1]);

// creating a role without team_id makes the role take the default global team_id
Role::create(['name' => 'reviewer']);

Just follow documentation, so

setPermissionsTeamId(1); // needs team_id for session instance of user
// now we avoid `Integrity constraint violation: 1048 Column 'team_id' cannot be null`
// user has roles by team(always by team)
// roles can be global(same role for all teams), or especific role por team(could be duplicate on every team)
$user->assignRole(['super-admin', 'dev']); // it uses previus team_id (team_id=1)

[TechoLead]

user has roles by team(always by team)

@erikn69 Can't you get around this by setting setPermissionsTeamId(0); or does this cause some unforeseen issue?

roles can be global(same role for all teams)

roles can be global but roles assigned to users can never be assigned global.

[erikn69]

Can't you get around this by setting setPermissionsTeamId(0); or does this cause some unforeseen issue?

Maybe, but you have to override to add that functionality and test it, also you have to check your custom code on every upgrade(BC)

roles can be global but roles assigned to users can never be assigned global.

You are right on that, but you can handle it with creating event on models, look defining-a-super-admin-on-teams

For example, you could add a field on roles for set as assigned global on every user, so, on user's created event assign all roles with that field, and on role's created event, roles with that field will be assign to every user, you could do with sync directly for performance

[erikn69]

@TechoLead any feedback?

[yungifez]

Alright, so I came across a similar scenario. Since we are all for workarounds, here's what I did

Using multiple guards and assuming the admin area is different from the user area

To get 2 types of users, users with team roles and users with global roles,

1. I created a global guard ( in my case, it was actually system_user ), which users the users as its provider exactly like web but just a different name
2. I created a middleware that helps to set default guard and created an alias with name guard ( meaning to set default guard I do something like guard:global or guard:team
3. I created a trait and extended hasRoles, which I used in the user's table in place of the regular HasRoles
4. I extended the role function like this

`
public function roles()
{
$relation = $this->morphToMany(
config('permission.models.role'),
'model',

config('permission.table_names.model_has_roles'),
config('permission.column_names.model_morph_key'),
PermissionRegistrar::$pivotRole
);

    if (! PermissionRegistrar::$teams) {
        return $relation;
    }

    // return relations like normal spatie or relations with system user guard which are global roles
    // this implies that system user roles are global roles if and only if team id is null
    // if team id is not null then system user roles are treated normally
    return $relation->wherePivot(PermissionRegistrar::$teamsKey, getPermissionsTeamId())
        ->where(function ($q) {
            $teamField = config('permission.table_names.roles').'.'.PermissionRegistrar::$teamsKey;
            $q->whereNull($teamField)->orWhere($teamField, getPermissionsTeamId());
        })->orWhere(function ($q) {
            $teamField = config('permission.table_names.roles').'.'.PermissionRegistrar::$teamsKey;
            $q->whereIn('guard_name', ['global_guard'])->whereNull($teamField);
        });
}

`
This allows the roles to return global roles regardless of team id
( Note that team id must be null in the roles table, i.e., you must create it as a global role ).

This way, if you ever assign someone a global role with a team_id, you can check for permissions of that global role regardless of team_id set on model_has_roles table

I think I'm forgetting some things, and I did this just recently, so I've not totally tested it. But it shows promising results, though

If I see something I missed, I'll try my best to answer

If you have questions feel free to shoot.

And yes I know this approach isn't for everyone bit it's a good way to categorise roles

Checkout spatie multi auth part of the tutorial for drawbacks, which I my case proves to be an absolute win

[parallels999]

So, if you try to detach a user to a team using syncRoles([]), will it delete the global roles on all teams?
for me this would need a lot of tests

[yungifez]

So, if you try to detach a user to a team using syncRoles([]), will it delete the global roles on all teams?
for me this would need a lot of tests

It would detach all global roles a user has for all teams for global guard

But it wouldn't touch any of the global roles on team guard

This is because the only modification to behavior made here is fetching roles with global regardless of team id

[parallels999]

this is because the only modification to behavior made here is fetching roles with global regardless of team id

It's for the records, not everyone understands the change you're proposing, if someone copies it and doesn't know the behaviors they might have a problem

[yungifez]

this is because the only modification to behavior made here is fetching roles with global regardless of team id

It's for the records, not everyone understands the change you're proposing, if someone copies it and doesn't know the behaviors they might have a problem

Yeah that's the issue

Ive even shared this concern with my boss

Another downside is having to deal with guards even when you are technically using the same sets of users

That is why I offered to answer any questions anyone has

I understand your concern, and it is extremely valid

But I'd be greedy not to share a solution i found to a problem many people have

[Howaidamansour]

set teams by false in config\permission.php

'teams' => false,

[thahulive]

class User
{
    protected static function booted(): void
    {
        // Default team
        $team = Team::find(1);
        
        static::creating(function (User $user) use ($team) {
            // Set permissions team ID
            setPermissionsTeamId($team->id);
        });

        static::created(function (User $user) use ($team) {
            // Attach user to default team
            $team->members()->attach($user);
        });
    }
}