scopePermission returns all models when no role/permission assigned

[iamlasse]

Description

When I use the scope permission, if I have no permissions assigned to a role, it returns all models. Expected would be no models. This is in use along with TightenCo Parental.

Steps To Reproduce

Reporter::query()->permission(Permission::IMPERSONATE)->toRawSql()

"select * from "users" where (exists (select * from "permissions" inner join "model_has_permissions" on "permissions"."id" = "model_has_permissions"."permission_id" where "users"."id" = "model_has_permissions"."model_id" and "model_has_permissions"."model_type" = 'user' and "permissions"."id" in (32)) or exists (select * from "roles" inner join "model_has_roles" on "roles"."id" = "model_has_roles"."role_id" where "users"."id" = "model_has_roles"."model_id" and "model_has_roles"."model_type" = 'user' and "roles"."id" in (2, 3, 18, 16, 6, 17, 19, 1, 7, 8, 4, 5, 9, 10, 11, 12, 13, 14, 15, 20, 21, 22, 23, 24))) and "users"."deleted_at" is null and "users"."type" = 'reporter' and not "type" = 'system'"

Permission 32 is not assigned to any role.

Example Application

No response

Version of spatie/laravel-permission package:

6.16.0

Version of laravel/framework package:

11.44.0

PHP version:

8.3

Database engine and version:

Postgres 16/17

OS: Windows/Mac/Linux version:

Mac os Sequoia 15

[iamlasse]

With further investigation, Permission::find(32)->roles returns correct result, however when called inside the scope it does not, and returns all roles...

[iamlasse]

        $rolesWithPermissions = is_a($this, Role::class) ? [] : array_unique(
            array_reduce($permissions, function ($result, $permission) {
                return  array_merge($result, $permission->roles()->get()->all());
            }, [])
        );

This seems to fix the issue of roles