Security fix

app/Http/Controllers/TenantController.php

@@ -35,7 +35,9 @@ public function getMyTenants()
         /** @var \App\Subject */
         $user = Auth::user();
 
-        return Tenant::whereIn('id', Role::whereIn('id', $user->getRoles())->pluck('tenant_id'));
+        $tenant_ids = Role::withoutGlobalScopes()->whereIn('id', $user->getRoles()->toArray())->pluck('tenant_id');
+
+        return Tenant::withoutGlobalScopes()->whereIn('id', $tenant_ids);
     }
 
     public function index()

app/Policies/TenantPolicy.php

@@ -29,6 +29,8 @@ public function manage(SubjectInterface $subject)
             'subject:can_manage:'.$subject->id.':'.$current,
             10,
             function () use ($subject) {
+                // this relies on the fact that Role is scoped to the current tenant
+                // display sql for Role::whereIn('id',$subject->getRoles())
                 return Role::whereIn(
                     'id',
                     $subject->getRoles()

app/Scopes/TenantScope.php

@@ -2,7 +2,6 @@
 
 namespace App\Scopes;
 
-use App\Role;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Scope;
@@ -18,9 +17,8 @@ public function apply(Builder $builder, Model $model)
     {
         //TODO: This is a non-ideal check. Used to make the job runner work
         if (resolve('App\Tenant') == null && app()->runningInConsole()) {
-        } elseif (resolve('App\Tenant')->master && $model instanceof Role) {
         } else {
-            $builder->where($model->getTable().'.tenant_id', '=', resolve('App\Tenant')->id);
+            $builder->where($model->getTable() . '.tenant_id', '=', resolve('App\Tenant')->id);
         }
     }
 }

app/Subject.php

@@ -10,15 +10,18 @@
 use App\Stats\StatableTrait;
 use Exception;
 use Idaas\OpenID\Entities\ClaimEntityInterface;
+use Illuminate\Contracts\Auth\Access\Authorizable as AccessAuthorizable;
 use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Foundation\Auth\Access\Authorizable;
 use Illuminate\Support\Str;
 use Laravel\Passport\HasApiTokens;
 
-class Subject extends Model implements Authenticatable, StatableInterface, SubjectInterface
+class Subject extends Model implements Authenticatable, AccessAuthorizable, StatableInterface, SubjectInterface
 {
     use HasApiTokens;
     use StatableTrait;
     use TenantTrait;
+    use Authorizable;
 
     protected $user = null;
 
@@ -83,7 +86,7 @@ public function getSubject()
     public function getUser()
     {
         if ($this->user == null) {
-            $this->user = User::find($this->getUserId());
+            $this->user = User::withoutGlobalScopes()->find($this->getUserId());
         }
 
         return $this->user;
@@ -241,7 +244,7 @@ public function getRoles()
         $user = $this->getUser();
 
         if ($user != null) {
-            $this->roles = $user->roles->pluck('id');
+            $this->roles = $user->roles()->pluck('roles.id');
         } elseif ($this->getSubject() != null) {
             $this->roles = $this->getSubject()->getRoles();
         }

app/User.php

@@ -2,6 +2,7 @@
 
 namespace App;
 
+use App\Scopes\TenantScope;
 use App\Scopes\TenantTrait;
 use App\Stats\StatableInterface;
 use App\Stats\StatableTrait;
@@ -75,7 +76,7 @@ public function roles()
     {
         //Allow a user to get roles from other tenants ...
         //wherePivot('tenant_id', resolve('App\Tenant')->id)->
-        return $this->belongsToMany('App\Role')->using('App\TenantPivot');
+        return $this->belongsToMany('App\Role')->withoutGlobalScope(TenantScope::class)->using('App\TenantPivot');
     }
 
     public function groups()