Laravel Teams
This episode is for members only

Sign up to access "Laravel Teams" right now.

Get started
Already a member? Sign in to continue
Playing
19. Preventing self removal from a team

Episodes

0%
Your progress
  • Total: 4h 36m
  • Played: 0m
  • Remaining: 4h 36m
Join or sign in to track your progress
01. Introduction and demo
4m 49s
0%
02. Setup with Pest
4m 2s
0%
03. Building the user teams relations
6m 5s
0%
04. Creating a personal team when registering
6m 3s
0%
05. Leaving all teams when an account is deleted
3m 55s
0%
06. Tracking the current team
4m 50s
0%
07. Showing team details in the UI
2m 55s
0%
08. Switching to another team
7m 24s
0%
09. Authorising team switching
6m 53s
0%
10. Updating a team name
10m 48s
0%
11. Basic roles and permissions setup
5m 26s
0%
12. Team roles and permissions middleware
9m 18s
0%
13. Authorising current team updates
3m 43s
0%
14. Testing team permissions through HTTP requests
3m 58s
0%
15. Leaving a team
10m 50s
0%
16. Displaying team members
8m 42s
0%
17. Making team members look better
5m 3s
0%
18. Removing a team member
15m 18s
0%
19. Preventing self removal from a team
4m 7s
0%
20. Storing invitations
13m 31s
0%
21. Validating invitations
6m 38s
0%
22. Authorising team invitation creation
6m 22s
0%
23. Displaying invitations
3m 16s
0%
24. Revoking invitations
12m 46s
0%
25. Sending an invitation email
13m 6s
0%
26. Accepting an invitation
12m 22s
0%
27. Displaying a modal to change a member’s role
10m 31s
0%
28. Updating a member’s role
9m 5s
0%
29. More authorisation and checks for role changing
10m 14s
0%
30. Fixing up the email sending test details
49s
0%
31. Fixing and validating email addresses for invites
1m 32s
0%
32. Tidying up @can directive checks
3m 25s
0%
33. Detaching roles when removing users
5m
0%
34. Adding an extra layer of protection to the team middleware
6m 35s
0%
35. Getting related models through teams
5m 37s
0%
36. Building a helper to access the current team
10m 47s
0%
37. Getting all related models through all teams
7m 15s
0%
38. Creating new teams
13m 7s
0%

Transcript

00:00
Let's add another really quick test in here to check that we cannot remove ourself from the team. You might want to add that ability in a little bit later, but at least for now, we don't want to really handle that.
00:12
So let's go ahead and do this. It's an incredibly short test, and then we'll go ahead and do some manual testing in the UI. So let's go ahead and create our user and basically acting as this user, we're going to try and remove ourselves from the team, which at the moment will work, which is not great. So let's go over and send a request over to that team members destroy route.
00:32
Again, we're going to pass the current team in here and the user that we're trying to delete, which is ourselves. And we're going to assert that this is forbidden. Now, at the moment, if we just run our test here, that should fail. Yeah, we get a redirect, which is not great. So to do this, it's incredibly easy over in the team policy. Basically, just to make sure that the user that we're trying to delete doesn't equal the or the user that we are,
01:01
that ID doesn't equal the member that we're trying to delete. It's as simple as that. So let's go ahead and say if the user ID is equal to the member that we're trying to delete, then we're just going to return false. And that's pretty much it. I'll just not authorize that. Let's run our test. And yeah, we get great. OK, so now that we've done this,
01:19
let's just do a little bit of experimenting, because at the moment we're still going to see the option. So I can still click remove from team. Of course, it's not going to work. And we know that we've written tests, but it's not a good idea to display this. So let's go ahead back to the database and we'll add this user back into our team.
01:36
And we can even log in as them as well. They can have the same password. So let's go over to team user and let's add that user ID of five into here. A little bit annoying because we've not added the ability to invite yet, but there's that user. So I should be able to remove them from the team, but I shouldn't be able to remove myself from the team.
01:56
And vice versa, when we're logged in as this user, we shouldn't be able to remove me from the team because they're not an admin. In fact, we can even set up their role as well, just so this makes sense. So let's go and set that user ID of five, the current team of seven with a role ID of two, which is if we just take a look at our roles. Let's find our roles. That should be a role ID. Oh, yeah, we've missed the model type.
02:23
Let's send that in. OK, great. So that should now be a team member. OK, so let's go back to our UI and figure this out. So if we go back over to our team member item, let's go and add a condition around this. So this is basically if we can remove team member.
02:41
And remember, we need to pass all of this data in as well. So this is always going to be in the context of the current team that the user who is logged in as in. And then we're going to have the member that we're trying to apply this on. So let's go ahead and end that can just down here.
03:00
Just indent this and let's take a look. So there we go. That is now missing from here because I can't remove myself from the team, but I can remove Mabel from the team. I'm not going to click on that yet because I'm going to switch over to Mabel's account and I'm going to see if the reverse works. So let's log out here and let's go ahead and log in as that user that we just created.
03:22
And let's go over to Team Alex under team settings. Now, obviously, we have the list of team members. We can't see the edit stuff because we don't have permission to do this. We can't remove this user from the team. We can't remove ourselves from the team. So, again, that's kicked in, but we can also not remove this user as well because we're not an admin.
03:41
So I can't remove this user. OK, so you can change these fine grained permissions if you want to a little bit later with additional conditions like not being able to remove the owner of the team. You could add a flag in the database. You just want to add any of these conditions in your policy. And, of course, go ahead and write a test for that. But there we go. We now have the ability to remove team members, but also all of the conditions around this as well.

Episode summary

In this episode, we focus on making sure users can't remove themselves from a team, which is a handy safety check for most applications. First, we add a quick automated test to ensure trying to self-remove is actually blocked – right now, it would work, which isn't great. You’ll see how that test initially fails, and then we'll hop over to our team policy and add a simple check to prevent it.

Next up, we do a bit of manual testing in the UI: adding users back to the team, logging in as them, and checking that the "remove from team" button hides itself when it should (like if you're looking at your own account). We also play around with user roles a bit so different permission scenarios make sense.

Finally, we check everything from different user perspectives, just so we’re sure the right people see the right options. There's also a little discussion about how you might want to tweak these permissions down the line, like making sure no one can remove the team owner. So, by the end of this episode, you’ll have strong team member removal controls wired up, both in your backend policy logic and reflected in your frontend UI!

Episode discussion

No comments, yet. Be the first!