feat: PR-3 - Tenant Middleware & RBAC Wiring #55
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Install and configure spatie/laravel-permission with teams support - Configure tenant_id as team_foreign_key for multi-tenancy - Create SetTenant middleware extracting tenant from path/header - Validate tenant existence and set PermissionRegistrar team ID - Register middleware alias in bootstrap/app.php - Add 9 comprehensive PEST tests for middleware functionality - Test tenant isolation, missing tenant, invalid tenant scenarios - Configure PHPStan ignores for vendor migration and test methods Resolves #50 (PR-3: Tenant Middleware & RBAC Wiring) Quality checks: ✅ PSR-12 compliant (Pint) ✅ PHPStan level max (0 errors) ✅ 39 tests passing (89 assertions) ✅ 593 LOC (under 600 limit)
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR implements multi-tenancy support using the Spatie Permission package's team feature. The changes introduce tenant-based permission isolation through middleware that validates and sets the tenant context for each request.
Key changes:
- Added
SetTenantmiddleware to extract and validate tenant IDs from request paths or headers - Configured Spatie Permission with team-based permissions using
tenant_idas the team foreign key - Added comprehensive test coverage for the middleware functionality including edge cases
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| app/Http/Middleware/SetTenant.php | New middleware that extracts tenant ID from path/header, validates tenant existence, and sets Spatie Permission team context |
| bootstrap/app.php | Registers the 'tenant' middleware alias |
| config/permission.php | Spatie Permission configuration with teams enabled and tenant_id as team foreign key |
| database/migrations/2025_11_01_185152_create_permission_tables.php | Spatie Permission migration with tenant support (vendor-generated file) |
| phpstan.neon | Added error suppressions for vendor migration and Pest test methods |
| tests/Feature/SetTenantMiddlewareTest.php | Comprehensive test suite for SetTenant middleware behavior |
- Replace broad Feature/* suppressions with targeted method patterns - Only ignore known Laravel TestCase HTTP methods (getJson, etc.) - Only ignore known Laravel assertion methods (assertStatus, etc.) - Add detailed comment explaining PEST framework PHPStan limitations - Addresses Copilot review feedback for narrower suppressions
kevalyq
added a commit
that referenced
this pull request
Nov 1, 2025
- Add DDEV detection in preflight.sh to run PHP checks in container - Run Pint, PHPStan, and tests via 'ddev exec' when DDEV is available - Fallback to host execution with warning when DDEV not detected - Fixes pre-push hook failures due to missing database connection - Ensures consistent environment between local dev and CI Resolves pre-commit outside DDEV issue from PR #55
This was referenced Nov 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR-3: Tenant Middleware & RBAC Wiring
Resolves #50 (PR-3)
Summary
Implements tenant context extraction middleware and wires up Spatie Permission package for multi-tenant RBAC isolation.
Changes
✅ Published and configured
spatie/laravel-permissionwith multi-tenancy supporttenant_idasteam_foreign_keyconfig/permission.php(208 lines)database/migrations/2025_11_01_185152_create_permission_tables.php(140 lines)✅ Implemented
SetTenantmiddleware (app/Http/Middleware/SetTenant.php, 79 lines)tenant_idfrom route parameter (priority) orX-Tenantheader (fallback)PermissionRegistrar::setPermissionsTeamId()for RBAC isolationtenant_idin request attributes for controller access✅ Registered middleware alias in
bootstrap/app.php✅ Comprehensive PEST test coverage (
tests/Feature/SetTenantMiddlewareTest.php, 148 lines)✅ PHPStan configuration for vendor code (
phpstan.neon, 15 lines added)Quality Checks
ddev exec ./vendor/bin/pest)Notes
ddev exec ./vendor/bin/pestTesting