SecPal · kevalyq · Nov 9, 2025 · Nov 9, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- **Permission System Guard Migration** - Migrated from 'web' to 'sanctum' guard (#126, #127, #128, #129)
+  - Fixed `RoleApiTest.php` - Added explicit `guard_name='sanctum'` to all Permission and Role creation
+  - Fixed `PersonApiTest.php` - Changed `guard_name` from 'web' to 'sanctum' for person permissions
+  - Added `$guard_name = 'sanctum'` property to User model for Spatie Laravel-Permission
+  - Resolves 403 Forbidden errors caused by guard mismatch between sanctum authentication and web permissions
+  - All 40 tests now passing (146 assertions)
+
 ### Added
 
 - **Git Conflict Marker Detection** - Automated check for unresolved merge conflicts

diff --git a/app/Models/User.php b/app/Models/User.php
@@ -19,6 +19,14 @@ class User extends Authenticatable
     /** @use HasFactory<\Database\Factories\UserFactory> */
     use HasApiTokens, HasFactory, HasRoles, Notifiable;
 
+    /**
+     * The guard name for Spatie Laravel-Permission.
+     * Must match the authentication guard used in routes (sanctum).
+     *
+     * @var string
+     */
+    protected $guard_name = 'sanctum';
+
     /**
      * The attributes that are mass assignable.
      *

diff --git a/tests/Feature/PersonApiTest.php b/tests/Feature/PersonApiTest.php
@@ -28,8 +28,8 @@
     $this->token = $this->user->createToken('test-device')->plainTextToken;
 
     // Create global permissions (not team-scoped for this test)
-    Permission::create(['name' => 'person.write', 'guard_name' => 'web']);
-    Permission::create(['name' => 'person.read', 'guard_name' => 'web']);
+    Permission::create(['name' => 'person.write', 'guard_name' => 'sanctum']);
+    Permission::create(['name' => 'person.read', 'guard_name' => 'sanctum']);
 });
 
 afterEach(function (): void {

diff --git a/tests/Feature/RoleApiTest.php b/tests/Feature/RoleApiTest.php
@@ -35,12 +35,12 @@
     $this->targetUser = User::factory()->create();
 
     // Create test role
-    $this->role = Role::create(['name' => 'manager']);
+    $this->role = Role::create(['name' => 'manager', 'guard_name' => 'sanctum']);
 
     // Create permissions (global, not team-scoped)
-    Permission::create(['name' => 'role.assign']);
-    Permission::create(['name' => 'role.revoke']);
-    Permission::create(['name' => 'role.read']);
+    Permission::create(['name' => 'role.assign', 'guard_name' => 'sanctum']);
+    Permission::create(['name' => 'role.revoke', 'guard_name' => 'sanctum']);
+    Permission::create(['name' => 'role.read', 'guard_name' => 'sanctum']);
 });
 
 afterEach(function (): void {