22. Authorising team invitation creation

Episodes

01. Introduction and demo (4m 49s)
02. Setup with Pest (4m 2s)
03. Building the user teams relations (6m 5s)
04. Creating a personal team when registering (6m 3s)
05. Leaving all teams when an account is deleted (3m 55s)
06. Tracking the current team (4m 50s)
07. Showing team details in the UI (2m 55s)
08. Switching to another team (7m 24s)
09. Authorising team switching (6m 53s)
10. Updating a team name (10m 48s)
11. Basic roles and permissions setup (5m 26s)
12. Team roles and permissions middleware (9m 18s)
13. Authorising current team updates (3m 43s)
14. Testing team permissions through HTTP requests (3m 58s)
15. Leaving a team (10m 50s)
16. Displaying team members (8m 42s)
17. Making team members look better (5m 3s)
18. Removing a team member (15m 18s)
19. Preventing self removal from a team (4m 7s)
20. Storing invitations (13m 31s)
21. Validating invitations (6m 38s)
22. Authorising team invitation creation (6m 22s)
23. Displaying invitations (3m 16s)
24. Revoking invitations (12m 46s)
25. Sending an invitation email (13m 6s)
26. Accepting an invitation (12m 22s)
27. Displaying a modal to change a member’s role (10m 31s)
28. Updating a member’s role (9m 5s)
29. More authorisation and checks for role changing (10m 14s)
30. Fixing up the email sending test details (49s)
31. Fixing and validating email addresses for invites (1m 32s)
32. Tidying up @can directive checks (3m 25s)
33. Detaching roles when removing users (5m)
34. Adding an extra layer of protection to the team middleware (6m 35s)
35. Getting related models through teams (5m 37s)
36. Building a helper to access the current team (10m 47s)
37. Getting all related models through all teams (7m 15s)
38. Creating new teams (13m 7s)

Transcript

00:00
Once again, our permissions come into this, so we need to make sure that the user who is within this team context can actually send invites. Now, at the moment Mabel could not do that.
00:11
Let's go ahead and sign out and log in as Mabel and let's check this out. So if we go over to the team settings under Mabel, you can see at the moment this is gone because we've already added that check, but we need to write a test to make sure this is the case, and at the moment she would be able to send an invite if she was manually sending this request. Okay, let's go over and
00:33
yeah, let's start with the test here. So let's say "it fails to send invite without permission", something like that, and let's go ahead and set this up. And remember, we need to take into account that middleware when we're writing this test, so let's do that again. So let's go ahead and print out the user in here, and what do we want to do? Well, we want to attach this user or attach another
01:00
user to this user's teams. Let's go ahead and attach in another team here, and again we're doing this manually so we have access to that team. And now basically what we want to do is, acting as that user that we've created out, we want to go ahead and post through to the teams invite store, taking in another team. So we're basically trying to invite someone to another team, whether that's
01:32
in our list of teams or not. Okay, so let's go ahead and pass in an email address here. It doesn't really matter what the email address is in the case of this test, and we want to assert that this is forbidden. Okay, let's go ahead and run this one just in isolation and let's take a look at what we get back. Okay, so we get a failed, let's just have a look here
02:00
and yeah, sure enough, we get a redirect, so it is technically possible at the moment to invite someone to another team whether we're in that team or not. To give you an idea about this, I could go ahead and pull this down here and just create out a random other team and it would still fail. So let's just take a look. You can see it still works, so we could keep it like this and
02:21
not even have this user as part of this team, it doesn't really matter. Okay, so how do we get around this? Well, again, we've already created out our admin role for invite to team, so we already have that in there. Let's go over to our team policy and let's create out another method in here. So we could just do one for this, because remember that in the context of the current team we just
02:44
need to make sure that the user has permission to do that. We don't necessarily need to check that the user exists within that team that they are trying to invite to, although we could do. So let's say invite to team, and let's grab the user that's currently authenticated, and let's grab the team that we're trying to invite to, and in here really all we need to do is just say user
03:07
can invite to team. Now, we've passed the team in, which we could add a check for, so we could say something like this, and we've done this elsewhere, like this kind of check that doesn't necessarily work but can be included. So we could say if the user teams doesn't contain that team, then return false. So basically this user needs to be in this team to be able to invite.
03:36
Now, the only reason I would probably include these is if you wanted to specifically check this and show perhaps a specific message, and you could pull these out of your policy to do that. It doesn't hurt to do this, and we're not directly testing it. This, remember, always takes the current team into context, so they have to have this permission within the context of the team that
03:57
they belong to anyway. So, you know, these checks can go in there, but we're not directly testing for them and we'll probably never hit that. Okay, let's go ahead and get rid of this for now, because that's going to interfere with our test, and we'll pull it back in in just a second. And let's go back over to our team invite store request and we'll add in the authorize just here, so this user can
04:18
invite to team, and let's pass in this team. Okay, let's go ahead and run our test, and this should fail. It does. Why does it fail? Well, again, because over in our controller, when we are acting as this user, we are set the permission, the invite to team permission is always in the context of their current team, so they're always going to have permission to do that. So we need to do this
04:43
without that middleware, again only for our test. So let's say team permission, and we're going to go ahead and manually set that they are currently within that team, so that will be the other team and id. Okay, let's go over and run that test again, and yeah, this passes. So this now means if we just were to go over to our team members section and get rid of this can check temporarily
05:13
over on Mabel's account, under this team I'm a team member, I could go ahead and try and invite someone else and it wouldn't work. Obviously we are getting rid of that in here with can. Okay, so if we come back over, obviously that disappears, and we now know based on our UI and our test that we can't invite team members to this team if we're only a team member. Let's go ahead and just bring
05:38
back, if we just head over to our team policy, let's bring this back. Now, this will actually now stop this test from running, because remember we're not part of that team, but even if we changed it over to what we had before, so if we said user teams and attach and we actually attach this team, we are now part of that team, but it's still going to fail because we still don't have permission.
06:03
So whichever way around, basically, that we do this, whether we are part of the team or not, it's always going to fail. So you can leave this either way. You could even write out an entirely separate test to cases, but we pretty much always know that this is going to fail because our permissions always come in the context of the team that we're currently in.
38 episodes, 4 hrs 36 mins

Overview

Need team functionality in your Laravel application? Let’s build it from scratch.

We’ll cover the basics of creating teams, switching between them, sending secure team invites by email, and managing team members.

Powering everything will be roles and permissions for each member, with the ability to switch roles directly from your team dashboard.

Once you’re done, you’ll have mastered team functionality in Laravel.

Alex Garrett-Smith
Hey, I'm the founder of Codecourse!
