Teams Multi-Tenancy: Add “Team Admin” to Manage Users
Founder of QuickAdminPanel
By default, in our Team Multi-Tenancy module, every member of the team sees all entries of their team, and team users are managed only by the system administrator. Customers were asking us how to add a new role of “Team Admin” to manage users of their own team. So we created a demo-project with a repository.
As a starting point, I assume that you have already generated the admin panel with the Multi-Tenancy module and chosen “Team” multi-tenancy, not “User”.
Next, I will show you how to add a “team admin” in 6 steps.
Step 1. Add new field in User model
We won’t add a new role to the existing ones (Admin & User); we will just add a field: users.team_admin. You can add it in QuickAdminPanel as a checkbox, or after download as a “boolean” field in migrations and app/User.php.
Default should be false.
    Schema::table('users', function (Blueprint $table) {
        $table->boolean('team_admin')->default(0)->nullable();
    });
Step 2. User Model: Is Team Admin – Attribute
Let’s add another attribute to app/User.php that checks whether the user is a system admin or a team admin:

    // This method exists by default in QuickAdminPanel
    public function getIsAdminAttribute()
    {
        return $this->roles()->where('id', 1)->exists();
    }

    // This is the new method
    public function getIsTeamAdminAttribute()
    {
        return $this->is_admin || $this->team_admin;
    }
After doing that, we will be able to check it from anywhere, like $user->is_team_admin or auth()->user()->is_team_admin. And we will do exactly that, in the next step.
Step 3. Menu: show Users for Team Admin
By default, only the System Administrator sees the Users Management menu item in the left sidebar. Let’s change it.
We will use the new is_team_admin attribute, see below.
    @can('user_management_access')
        @if(auth()->user()->is_team_admin)
            <li class="nav-item nav-dropdown">
                <a class="nav-link nav-dropdown-toggle" href="#">
                    <i class="fa-fw fas fa-users nav-icon">
                    </i>
                    {{ trans('cruds.userManagement.title') }}
                </a>
                {{-- ... other sub-menu items --}}
            </li>
        @endif
    @endcan

Also, we now need to grant the user_management_access permission to all users. So we need to edit database/seeds/PermissionRoleTableSeeder.php:
Old:
    $user_permissions = $admin_permissions->filter(function ($permission) {
        return substr($permission->title, 0, 5) != 'user_'
            && substr($permission->title, 0, 5) != 'role_'
            && substr($permission->title, 0, 11) != 'permission_';
    });
Now:
    // Simple users can't manage roles/permissions/teams, but can manage users now
    $user_permissions = $admin_permissions->filter(function ($permission) {
        return substr($permission->title, 0, 5) != 'role_'
            && substr($permission->title, 0, 11) != 'permission_'
            && substr($permission->title, 0, 5) != 'team_';
    });
Step 4. Additional Security in Controller
Of course, it’s not enough to show/hide menu items. We need to make sure that non-team-admins can’t access user management.
app/Http/Controllers/Admin/UsersController.php:
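    public function index()
    {
        // Old version:
        // abort_if(Gate::denies('user_access'), Response::HTTP_FORBIDDEN, '403 Forbidden');

        // New version:
        abort_if(Gate::denies('user_access') || !auth()->user()->is_team_admin, Response::HTTP_FORBIDDEN, '403 Forbidden');

        // ... the rest of the method stays unchanged
    }

And you need to repeat that change in all of the UsersController methods. Since Step 3 gives the user_* permissions to every Simple User, the is_team_admin check is the only thing that keeps regular team members out of a method, so don’t skip any of them.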
Step 5. User model is Multi-Tenant now
By default, users don’t have multi-tenancy, but now they should. So we make these changes in app/User.php: import MultiTenantModelTrait and add it to the traits the model uses.

    use App\Traits\MultiTenantModelTrait;

    class User extends Authenticatable
    {
        use SoftDeletes, Notifiable, HasApiTokens, MultiTenantModelTrait;

        // ... other model's code
    }
Step 6. User Create/Edit Form: Change Visible Fields
Finally, we need to change which role sees which fields in the user form.
– Administrator can choose a role, team admin can’t (role is hardcoded as Simple User then);
– Administrator can choose a team, team admin operates only within their own team.
For that, we make changes in resources/views/admin/create.blade.php and edit.blade.php in the same folder. These files are too big to add here inline, so here’s a link to the repository commit.
With these changes, the team administrator doesn’t see the role and team choices in the form.
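Hiding the role and team fields in the Blade form does not stop a team admin from posting them by hand, so the same two rules also need to be applied on the server before the user is saved. The following is an added example, not code from the demo repository: the helper name enforceTeamAdminLimits, the Simple User role id of 2 and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not part of the demo repository.
declare(strict_types=1);

// Assumption: id of the "Simple User" role (the page only states that Admin is id 1).
const SIMPLE_USER_ROLE_ID = 2;

/**
 * Hypothetical helper: returns the user-form input with the role and team forced
 * for anyone who is not a system administrator. Intended to be called in the
 * store/update methods before the user is saved, e.g. with $request->all(),
 * auth()->user()->is_admin and the acting user's team_id (assumed column).
 */
function enforceTeamAdminLimits(array $input, bool $isSystemAdmin, ?int $actorTeamId): array
{
    if ($isSystemAdmin) {
        return $input; // system administrators keep their role and team choices
    }
    if ($actorTeamId === null) {
        throw new RuntimeException('A team admin without a team cannot manage users.');
    }
    // Overwrite whatever was posted: the fields are hidden in the form,
    // but a hand-built request can still contain them.
    $input['roles']   = [SIMPLE_USER_ROLE_ID];
    $input['team_id'] = $actorTeamId;

    return $input;
}

// Constructed sample request: a team admin of team 7 submits fields the form never showed.
$posted = [
    'name'    => 'New member',
    'email'   => 'new.member@example.test',
    'roles'   => [1],   // tries to assign the Admin role
    'team_id' => 99,    // tries to place the user in another team
];

$asTeamAdmin   = enforceTeamAdminLimits($posted, false, 7);
$asSystemAdmin = enforceTeamAdminLimits($posted, true, null);

// The team admin's submitted role and team are replaced; the system admin's are kept.
echo 'team admin:   ', json_encode($asTeamAdmin), PHP_EOL;
echo 'system admin: ', json_encode($asSystemAdmin), PHP_EOL;
```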
And that’s it. Your Team Admin users will now be able to add/edit other users of the same team.
Full code with repository changes: LaravelDaily/QuickAdminPanel-Team-Admin-Demo