Sign up to access "Laravel Teams" right now.

Let's just remind ourselves of what that looks like. So let's go over to our middleware here. And what this does is obviously it runs for every single web request. It will go ahead and as long as the user is authenticated, it will set the global team ID.

So every action that's taken within this web request will be in the context of that specific team. Now, what happens if for whatever reason the user does not belong to the team that has been set in the database? Now, nowhere within our code will that be set incorrectly. But if, for example, this data is accidentally updated within an admin panel or manually within the database,

it would be a good idea to just cut the request off at this point. Let me show you what this looks like and then we'll go ahead and fix it up. So at the moment, we've got Alex who has a personal team of 15 with the ID and Mabel with 16. What I mean is if this value gets changed for some reason to a team that Mabel doesn't belong to,

and I've gone ahead and cleared this out so only we belong to our own teams, then what's going to happen? Well, if we go over here and give this a refresh, you can see that sure enough, we are switched over to that team. Now, that's not much of a problem because we can't see any of this stuff because we don't have permission to view it. So it's not a problem in that respect, but we might still be able to see any confidential information that's posted as part of that team.

So let's go and write a test for this and get this fixed up. OK, so what do we need to do here? Well, in fact, let's go ahead and write the code out for this first of all, because it's probably quite easy to demo it this way, and then we'll just add a really simple test. So what we want inside of this, as long as the user is authenticated,

is just to check if their teams doesn't contain the team that we're trying to work with, which is the user's current team. So let's add that in there. Then let's go ahead and abort with a 403. We'll refactor this in a bit once we've written our test, but this should be enough now to just very basically solve the problem. So if we go over and switch Mabel back over to my team and give that refresh,

they just can't access this page or any of the pages while they're within that team context. Now, this will be kind of stuck in this state forever. So you might want to, instead of just aborting, go ahead and update to one of their other teams or something like that. I'm just going to abort it for now because it's highly unlikely that this is ever going to happen.

But you can go ahead and do whatever you want in here to get around this. OK, so we know that this is working. Let's go and just switch this user back over to 16 and we'll go and write a test for this. So let's go ahead and create our new test for this. So let's say PHP artisan test test. And although we're not directly testing the middleware, I'm going to put it under a middleware directory.

So it kind of makes sense. So let's say teams permissions test. And we can even write a test to make sure that this gets assigned properly as well. OK, so over in our test directory under features and middleware, let's go ahead and open this up and let's go ahead and test this. So we're going to say it aborts the request if the user does not belong to the team.

OK, let's go ahead and do the setup and get this working. So we're going to need a user who doesn't belong to a team that we're trying to access. So let's go ahead and create out a user in here. And they're going to have a personal team, but we can create another user in here that also has a personal team.

Let's go ahead and say user or we could create the other user first. Then we could manually set the current team ID while we're creating this user who doesn't belong to that team as the another user's current team ID. So exactly like what we've just done in the database. But of course, within our tests. OK, let's go ahead and run this test.

So tests and feature. Let's run middleware and teams permissions test. And yeah, that looks good. But obviously we haven't asserted anything. Now, like I said, we're not directly testing the middleware. We're just going to make a request to any of the pages on our site. So let's just remind ourselves we have some sort of homepage or we could use the dashboard in this case.

I think that's probably a good idea. So let's just name dashboard. So we're going to go ahead and say acting as this user. Let's make a request to. So let's go and just get the dashboard route. And we're going to assert that this is forbidden like we've done.

And I think that should be just about it. Let's go ahead and test this out. OK, so we do get a failure here and that isn't right because, of course, we've gone ahead and aborted with the 403 here. So let's have a look. OK, so what's happening here is we are setting the current team ID when we create the user. The user observer will be setting that afterwards. So we'll end up back in our own team.

So let's do this in a slightly different way. So let's grab the other users current team and let's just associate this in the same way. So let's say user current team and associate. Let's associate that with the other users team and then go ahead and save that. OK, so now that user should now be acting under that team and that should be saved to the database.

Let's go ahead and run that test again and we get green. Great. So let's just for clarity, get rid of this. And obviously that should fail. Brilliant. OK, let's go ahead and refactor this. So a much easier way to do this would be to say abort if and then go ahead and paste that in and then pass in the status code that we want. We still get a pass for that. Or in this case, it's probably a little bit clearer to say abort unless the team doesn't contain that or the team contains that.

So abort unless the users team contains the current team. It's entirely up to you which way round you do it. Either way, it is going to pass. OK, there we go. Perfect. So we've gone ahead and fixed that problem. And now we just get a 403 if the users ID for the current team has been set and they do not belong to that team. Like I said, this is probably very rare that this is ever going to happen, but it just adds an extra layer just in case.