This package can be installed via composer:

```bash
composer require "spatie/laravel-multitenancy:^2.0"
```

## Publishing the config file

You must publish the config file:

```bash
php artisan vendor:publish --provider="Spatie\Multitenancy\MultitenancyServiceProvider" --tag="multitenancy-config"
```

This is the default content of the config file that will be published at `config/multitenancy.php`:
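```php
<?php

use Illuminate\Broadcasting\BroadcastEvent;
use Illuminate\Events\CallQueuedListener;
use Illuminate\Mail\SendQueuedMailable;
use Illuminate\Notifications\SendQueuedNotifications;
use Spatie\Multitenancy\Actions\ForgetCurrentTenantAction;
use Spatie\Multitenancy\Actions\MakeQueueTenantAwareAction;
use Spatie\Multitenancy\Actions\MakeTenantCurrentAction;
use Spatie\Multitenancy\Actions\MigrateTenantAction;
use Spatie\Multitenancy\Models\Tenant;

return [
    // Class that determines which tenant is current for a request.
    // With null, no tenant is resolved automatically.
    'tenant_finder' => null,

    // Fields the tenants:artisan command uses to match tenants.
    'tenant_artisan_search_fields' => [
        'id',
    ],

    // Tasks performed whenever the current tenant is switched.
    'switch_tenant_tasks' => [
    ],

    // Model used to store tenants; must be or extend the package's Tenant model.
    'tenant_model' => Tenant::class,

    // When true, a job dispatched while a tenant is current carries that
    // tenant's id, and the tenant is made current again when the job runs.
    'queues_are_tenant_aware_by_default' => true,

    // Connection name for the tenant database (null = default connection).
    'tenant_database_connection_name' => null,

    // Connection name for the landlord database.
    'landlord_database_connection_name' => null,

    // Container key under which the current tenant is bound.
    'current_tenant_container_key' => 'currentTenant',

    // Action classes that implement parts of the package's behaviour.
    'actions' => [
        'make_tenant_current_action' => MakeTenantCurrentAction::class,
        'forget_current_tenant_action' => ForgetCurrentTenantAction::class,
        'make_queue_tenant_aware_action' => MakeQueueTenantAwareAction::class,
        'migrate_tenant' => MigrateTenantAction::class,
    ],

    // Maps each queueable wrapper class to the property holding the real job.
    'queueable_to_job' => [
        SendQueuedMailable::class => 'mailable',
        SendQueuedNotifications::class => 'notification',
        CallQueuedListener::class => 'class',
        BroadcastEvent::class => 'event',
    ],
];
```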
## Protecting against cross tenant abuse

To prevent users of one tenant from abusing their session to access another tenant, you must use the `Spatie\Multitenancy\Http\Middleware\EnsureValidTenantSession` middleware on all tenant-aware routes.
If all your application routes are tenant-aware, you can add it to your global middleware in `app\Http\Kernel.php`:

```php
protected $middlewareGroups = [
    'web' => [
        // ... your existing web middleware; the session must be started before these run
        \Spatie\Multitenancy\Http\Middleware\NeedsTenant::class,
        \Spatie\Multitenancy\Http\Middleware\EnsureValidTenantSession::class,
    ]
];
```

If only some routes are tenant-aware, create a new middleware group:

```php
protected $middlewareGroups = [
    'tenant' => [
        \Spatie\Multitenancy\Http\Middleware\NeedsTenant::class,
        \Spatie\Multitenancy\Http\Middleware\EnsureValidTenantSession::class,
    ]
];
```

Then apply the group to the appropriate routes:

```php
Route::middleware('tenant')->group(function() {
    // tenant-aware routes go here
});
```
This middleware will respond with an unauthorized response code (401) when the user tries to use their session to view another tenant. Make sure to include `\Spatie\Multitenancy\Http\Middleware\NeedsTenant` first, as this will handle any cases where a valid tenant cannot be found.
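
The behaviour described above can be modelled in plain PHP. This is an added illustration, not the package's own code: the function name, the session key, the tenant ids, the hostnames and the exception used for the "no tenant" case are all assumptions, and it assumes the session is pinned to the tenant seen on its first tenant-aware request.

```php
<?php
// Simplified model of a tenant-pinned session check (hypothetical names throughout).

const SESSION_TENANT_KEY = 'pinned_tenant_id'; // hypothetical session key

/**
 * @param array    $session         session data, modified in place
 * @param int|null $currentTenantId tenant resolved for this request, null if none
 * @return int HTTP status the request would receive from this check
 */
function checkTenantSession(array &$session, ?int $currentTenantId): int
{
    // Role played by NeedsTenant: reject before any comparison when no tenant
    // was resolved, so the session check never compares against "nothing".
    if ($currentTenantId === null) {
        throw new RuntimeException('no current tenant');
    }

    // First tenant-aware request of this session: remember the tenant.
    if (!array_key_exists(SESSION_TENANT_KEY, $session)) {
        $session[SESSION_TENANT_KEY] = $currentTenantId;
        return 200;
    }

    // Later requests: the session may only be used with the tenant it was pinned to.
    return $session[SESSION_TENANT_KEY] === $currentTenantId ? 200 : 401;
}

// Constructed sample: one browser session replayed against several hosts.
$session = [];
$requests = [
    ['host' => 'tenant-a.example.test', 'tenant' => 1],
    ['host' => 'tenant-a.example.test', 'tenant' => 1],
    ['host' => 'tenant-b.example.test', 'tenant' => 2],    // same cookie, other tenant
    ['host' => 'unknown.example.test',  'tenant' => null], // no tenant resolved
];

foreach ($requests as $request) {
    try {
        $result = (string) checkTenantSession($session, $request['tenant']);
    } catch (RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-24s => %s\n", $request['host'], $result);
}
```

A feature test for a real application can assert the same outcome: authenticate on one tenant, replay the session against a second tenant's route, and expect a 401.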
## Next steps
If you prefer to use just one glorious database for all your tenants, read the installation instructions for using a single database.
If you want to use separate databases for each tenant, head over to the installation instructions for using multiple databases.