Team's hasTeamPermission behaviour differs for Web and API users

[SeanBourke]

• Jetstream Version: 0.6.4
• Laravel Version: 8.0 (dev)
• PHP Version: 7.94

Description:

Attempting to inherit team permissions to enable users to perform actions on behalf of a team, however this is prevented due to $user->tokenCan taking precedence in HasTeams.php.

Where permissions are listed in $user->teamPermissions array, a request to $user->hasTeamPermission($teams, 'existingPermission') will always return false.

Steps To Reproduce:

1. Add user to team with Administration Permission (inheriting all team permissions)
2. Update TeamPolicy.php to enable functions based on team permissions

public function addTeamMember(User $user, Team $team)
    {
        return $user->ownsTeam($team) || $user->hasTeamPermission($team, 'create');
    }

3. Authenticate as user and note that permission is not inherited. Die and dump of $user->hasTeamPermission($team, 'create') will return false, whereas 'create' is included in $user->teamPermissions($team) array.
4. Comment out code block in HasTeams.php

/*if (in_array(HasApiTokens::class, class_uses_recursive($this)) &&
            ! $this->tokenCan($permission)) {
            return false;
        }*/

5. Authenticate as user and note that permission is now inherited. Die and dump of $user->hasTeamPermission($team, 'create') now returns true.

[SeanBourke]

Validated that hasTeamPermission is returning the correct value where the Team Permissions are overlapped in the API permissions and the Team permissions and is requested via a generated Sanctum API token. Any requests for the same user via inertia or livewire will return false for the same check.

API
Route:

Response:

Web

dd('Permissions:' . implode($user->teamPermissions($team)) . PHP_EOL . 'Can Create:' . ($user->hasTeamPermission($team, 'read') ? 'true' : 'false'));

Response: