The logged in super admin can not pass a permission check

[iuriemalai]

1. To verify the (supposed) detected issue, after updating/upgrading Laravel and the Statamic installer, I performed a fresh installation of Statamic 6 (Solo) + Statamic Peak.

statamic new statamic-example.test studio1902/statamic-peak

2. As the Statamic documentation mentions in several places, Super Admin accounts are special accounts with access and permission to everything. Super users can always do everything, so no matter what you check for — whether it exists as an actual permission or not — it will always return true.

3. Given the mention in point 2 and being logged in with a super admin account, I expected to be able to pass the verification below without any problem. But it was not so. In order not to go into too many details, I will exemplify by putting my code in a closure based route. Even though the current installation is SOLO, the verification is oriented towards the future, when I will switch to Statamic PRO and eventually there will be more users.

use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;
use Statamic\Facades\User;

Route::statamic('example', 'example.show', function () {

    $user = User::current();

    if (! $user || ! $user->hasPermission('delete users')) {
        Log::warning('Blocked request due to missing permission.',
            [
                'user' => $user?->email()
            ]
        );

        return [];
    }

    return ['user' => $user?->email()];
});

[2026-01-31 11:05:35] local.WARNING: Blocked request due to missing permission. {"user":"example-account@example.com"}

4. Strange thing (for me), if I use $user->can('delete users') instead of $user->hasPermission('delete users') my code seems to work correctly. But I couldn't find anything in the Statamic documentation about $user->can(), only about $user->hasPermission(). I know about the User-can Tag ({{ user:can do="delete users" }}), but that's about Antlers, and my code is not Antlers.

I will appreciate any information, references about $user->can() and $user->hasPermission() and how they work/must be used in Statamic.

[duncanmcclean]

We made some changes to how super user authorization works in v6, see the "Super user authorization" section in the upgrade guide.

Super users can always do everything, so no matter what you check for — whether it exists as an actual permission or not — it will always return true.

Out of interest, where did you see "whether it exists as an actual permission or not"? We might need to tweak the docs slightly.

[iuriemalai]

Thanks, I'll read about those changes.

See this: https://statamic.dev/tags/user-can#super-users