Permission middleware not correctly preventing access

[aullah]

Description

Using $this->middleware('permission:update teams') for example (in a controller's __construct method) still allows all users access, even if they don't have the 'update teams' permission. This also applies even if we're using the middleware in a route too.

I've assigned all permissions to a role, the role is then assigned to the user. I've debugged this further and I can see in vendor/spatie/laravel-permission/src/Middleware/PermissionMiddleware.php in the handle() method, the use of $user->canAny($permissions) allows almost all permissions to return true.

This is the RolesAndPermissionSeeder:

<?php

namespace Database\Seeders;

use Illuminate\Database\Console\Seeds\WithoutModelEvents;
use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

class RolesAndPermissionsSeeder extends Seeder
{
    /**
     * Run the database seeds.
     */
    public function run(): void
    {
        /*
        |--------------------------------------------------------------------------
        | Reset Cache
        |--------------------------------------------------------------------------
        |
        | Reset cached roles and permissions.
        |
        */
        app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions();

        /*
        |--------------------------------------------------------------------------
        | Define Permissions
        |--------------------------------------------------------------------------
        |
        | Define all our custom permissions for our application here.
        |
        */
        // Teams
        Permission::firstOrCreate(['name' => 'create teams']);
        Permission::firstOrCreate(['name' => 'update teams']);
        Permission::firstOrCreate(['name' => 'delete teams']);

        // Users
        Permission::firstOrCreate(['name' => 'read users']);
        Permission::firstOrCreate(['name' => 'update users']);
        Permission::firstOrCreate(['name' => 'update developer']);
        Permission::firstOrCreate(['name' => 'delete users']);

        /*
        |--------------------------------------------------------------------------
        | Update cache
        |--------------------------------------------------------------------------
        |
        | Update cache to know about the newly firstOrCreated permissions
        | (required if using WithoutModelEvents in seeders)
        |
        */
        app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions();

        /*
        |--------------------------------------------------------------------------
        | Define Roles
        |--------------------------------------------------------------------------
        |
        | Define all our roles for our application and sync our defined
        | permissions (defined above) to them.
        |
        */
        $developer = Role::firstOrCreate(['name' => 'developer'])
                    ->syncPermissions(Permission::all());

        $manager = Role::firstOrCreate(['name' => 'manager'])
                    ->syncPermissions([
                        'read users',
                        'update users',
                    ]);
    }
}

If the $permission variable in the PermissionMiddleware is an empty array, it does then return false. However, whenever we call $this->middleware('permission:update teams'), the variable/array is never empty as the defined permission is inside the array.

Steps To Reproduce

Adding the following in a TeamsController for example still allows a user to pass through permissions, even if they don't have those permissions assigned to their role.

    public function __construct()
    {
        $this->middleware('permission:update teams|delete teams');
    }

However, using role works perfectly fine.

    public function __construct()
    {
        $this->middleware('role:developer');
    }

The issue is with using permission. The same also applies for routes. For example:

    Route::group(['middleware' => ['permission:lorem']], function () {
        Route::get('test-permission', function () {
            return 'Hello world!';
        });
    });

Still allows the route to be accessed, even if the permission lorem does not exist. Testing based on the role also does work once again.

Version of spatie/laravel-permission package:

6.9

Version of laravel/framework package:

10.48.20

PHP version:

8.3.9

Database engine and version:

MySQL 8.0

OS: Windows/Mac/Linux version:

No response

[parallels999]

Route::group(['middleware' => ['permission:lorem']], function () {
   Route::get('test-permission', function () {
       return 'Hello world!';
   });
});

[aullah]

Thank you for confirming it works on your end. The issue still seems to persist on mine after continuing to trial. I'll continue to debug and see if I can find anything. Thank you.

[aullah]

I have been able to resolve this issue. I've had to make a minor modification for it work seamlessly.

1. I've moved vendor/spatie/laravel-permission/src/Middleware/PermissionMiddleware.php to App\Http\Middleware\PermissionMiddleware.php.
2. Update line 35 where if (!$user->canAny($permissions)) { to if (!$user->hasAnyPermission($permissions)) {
3. Update app/Http/Kernel.php to use the new class in $middlewareAliases:

'permission' => \App\Http\Middleware\PermissionMiddleware::class,

Now the permission middleware works as expected. 😊

[parallels999]

That makes me understand that you made some incorrect modification in the gate check.
For example: canAny is used for "Super Admin" check(basic-usage/super-admin), hasAnyPermission ignores that check
Maybe $middlewarePriority?