Laravel Teams
This episode is for members only

Sign up to access "Laravel Teams" right now.

Get started
Already a member? Sign in to continue
Playing
33. Detaching roles when removing users

Episodes

0%
Your progress
  • Total: 4h 36m
  • Played: 0m
  • Remaining: 4h 36m
Join or sign in to track your progress
01. Introduction and demo
4m 49s
0%
02. Setup with Pest
4m 2s
0%
03. Building the user teams relations
6m 5s
0%
04. Creating a personal team when registering
6m 3s
0%
05. Leaving all teams when an account is deleted
3m 55s
0%
06. Tracking the current team
4m 50s
0%
07. Showing team details in the UI
2m 55s
0%
08. Switching to another team
7m 24s
0%
09. Authorising team switching
6m 53s
0%
10. Updating a team name
10m 48s
0%
11. Basic roles and permissions setup
5m 26s
0%
12. Team roles and permissions middleware
9m 18s
0%
13. Authorising current team updates
3m 43s
0%
14. Testing team permissions through HTTP requests
3m 58s
0%
15. Leaving a team
10m 50s
0%
16. Displaying team members
8m 42s
0%
17. Making team members look better
5m 3s
0%
18. Removing a team member
15m 18s
0%
19. Preventing self removal from a team
4m 7s
0%
20. Storing invitations
13m 31s
0%
21. Validating invitations
6m 38s
0%
22. Authorising team invitation creation
6m 22s
0%
23. Displaying invitations
3m 16s
0%
24. Revoking invitations
12m 46s
0%
25. Sending an invitation email
13m 6s
0%
26. Accepting an invitation
12m 22s
0%
27. Displaying a modal to change a member’s role
10m 31s
0%
28. Updating a member’s role
9m 5s
0%
29. More authorisation and checks for role changing
10m 14s
0%
30. Fixing up the email sending test details
49s
0%
31. Fixing and validating email addresses for invites
1m 32s
0%
32. Tidying up @can directive checks
3m 25s
0%
33. Detaching roles when removing users
5m
0%
34. Adding an extra layer of protection to the team middleware
6m 35s
0%
35. Getting related models through teams
5m 37s
0%
36. Building a helper to access the current team
10m 47s
0%
37. Getting all related models through all teams
7m 15s
0%
38. Creating new teams
13m 7s
0%

Transcript

00:00
Okay, let's go ahead and fix up a tricky issue that I came across while I was using this system. And that is when we remove members from a team, we don't detach their roles. Now that's a pretty simple thing to fix, but let's go ahead and look at the consequences of this first.
00:15
And of course, we'll go ahead and update our tests to make sure that these get removed. Okay, so I've gone ahead and just cleared everything out of the database. I've got two users, Alex and Mabel, both just with their own personal teams. The first thing I'm going to do is go ahead and invite Mabel to this team.
00:31
So let's go ahead and pull her in and send an invite. Let's go over to our email client, grab the invitation link here and go ahead and paste it in. And everything looks good. Mabel is a member of this team and she is a team member. Now, if we go ahead and remove her from this team, so let's go ahead and remove her from this team.
00:50
In fact, the consequence of this is if we change her role to an admin and hit save, then we go ahead and remove her from this team. She is removed, so she no longer has access. But let's say a little bit later on, we want to go ahead and add her back in.
01:04
Let's do that now. So let's add her back into the team. And we're kind of expecting her to just be added as a member as we've set up and written in our test. So let's go ahead and do this again and grab the new invite, grab the link and paste that into her account. She's now part of that team. But look what's happened.
01:23
She is a team member, but also a team admin. So remember, we can have multiple roles per user, although we're just kind of sticking with single roles. And of course, you can adjust that. OK, so the consequence of this is if a member is added again, who was previously an admin, but you just wanted them to be a member or another role,
01:42
then this is just going to keep adding roles on as long as they're unique. OK, let's go ahead and write a test for this just so we can get this to fail. And then we will go ahead and fix this up. So we come over to our team member controller test. Let's go and have a look. It can remove a member from the team.
02:00
This should, once we run this test, get rid of their team member role. Now, we can't really test roles in here at the moment because we haven't set a current team. So what we can do up here is go ahead and set the permissions team ID within our test to the user's current team ID. So that will do all of the adding of roles and everything that we need in the context of the team that we are testing.
02:25
And then we can go ahead and obviously acting as that user, delete that user from the test. We want to make sure, as well as all of this stuff, that they don't have that role. So we can say and member and we can grab them fresh out the database roles and count. Or we could say roles to have count. It's up to you. So to have count.
02:49
And we just want them to have a zero count role. We don't want them to have a role within the context of this team. Let's just go ahead and die dump on this first, just so we can make sure that we are heading in the right direction. So let's go ahead and grab the count from here first of all. And let's go ahead and run this test in isolation. So let's go ahead and say pest filter and can remove a member from the team.
03:11
We get zero. Now, let's just have a look. Right. OK. So the reason we get zero is because we didn't assign a role to this user. Remember, with our tests, we're not hitting an end point to add the user. So we're not getting the benefit of all of this stuff that would normally happen. So let's go and attach this user with a role and then make sure it's deleted as part of that request.
03:33
Of course, what you could do as well is as part of your test, you could make a separate HTTP request to add the user first. Or you could do all of this set up manually within your test. I prefer doing this set up manually so I can adjust things, but it's entirely up to you. So we're going to go ahead and say assign role and we're going to assign the team admin role to start with.
03:53
And then we're going to make sure that team admin role is is gone. So let's go ahead and run that test again and we get one. So at this point here, we should have detached the role, but it's still the count of one. So you could do your test however you want. You could say that you want them to have zero roles or you could say that you want to make sure they don't have a specific role.
04:12
It's entirely up to the way you're building this. But the main point is when we run this, this fails because their role is hanging around still. So all we need to do is come over to our team member controller. And we need to when we remove them, we want to detach all of their roles. So to do that, we just need to say user roles and detach and should be good.
04:41
Let's go over and run our test again. And sure enough, we get green. So I'm not going to go through the whole UI flow again here. But we now know that when a team member is removed from the team, their roles get detached, which means that when they're re-added, they're not going to end up with any of the previous roles that they had hanging around.

Episode summary

In this episode, we tackle a sneaky bug in our team management feature: when you remove a user from a team, their roles don't get detached. That means if you add the same person back in later, they end up collecting roles they shouldn't have (like both 'member' and 'admin'), which definitely isn't what we want!

We start off by demonstrating the problem step-by-step, inviting a user to a team, changing their role, removing them, and then re-adding them. Sure enough, their previous role sticks around, which could cause all kinds of permission headaches.

Next, we write a test to capture this scenario—making sure that when a user is removed, their roles within that team are wiped out too. We play around with different ways to set up the test, using manual setup so we've got total control over what roles get assigned before and after removal.

To fix things, it's just a small change in our controller: when removing a team member, we also detach all their roles. After running our updated tests, everything goes green—problem solved! So now, users get a clean slate each time they're added back to a team, preventing any ghost roles from haunting your permissions.

Episode discussion

No comments, yet. Be the first!