
Laravel: Policy - Always returning 403 on view()


maxudaskin

<?php
// FlightEntryController.php

...

class FlightEntryController extends Controller
{
    public function __construct()
    {
        $this->authorizeResource(FlightEntry::class);
    }

    /**
     * Display the specified resource.
     *
     * @param  int  $id
     * @return \Illuminate\Http\Response
     */
    public function show(FlightEntry $flight)
    {
        dd($flight);
    }
...
}

// FlightEntryPolicy.php

class FlightEntryPolicy
{
    use HandlesAuthorization;
  
    ...

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\FlightEntry  $flightEntry
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function view(User $user, FlightEntry $flightEntry)
    {
        dd($user);
        if($user->hasPermissionTo('view flights not owned')) { // Spatie
            return Response::allow();
        }

        if($user->id === $flightEntry->user_id) {
            return Response::allow();
        }

        return Response::deny(null, 404);
    }
  ...
}

// AuthServiceProvider.php

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
         App\Models\FlightEntry::class => App\Policies\FlightEntryPolicy::class,
    ];
...
}

// routes/web.php
Route::resource('/flights', FlightEntryController::class)->middleware('auth');
    

With the policy not attached, everything works fine.

When I attach the policy, index (viewAny) works, but show (view) does not. It throws a 403 and does not run the dd inside.

 

I'm going crazy. Any suggestions?


Route::resource is rarely what you want in the long run, as it magically routes to a lot of methods your controller may not have.

With that said, start with the output of php artisan route:list

What is it showing you?

There are alternatives to what you are trying to do, like moving the middleware to your FlightEntryController constructor.

$this->middleware('auth');

// Or to except certain routes
$this->middleware('auth')->except(['index']);

 

Other standard route-based configuration options differ depending on your version of Laravel, but typically involve using a route group to wrap the resource. Something like:

//change routes/web.php to this 
Route::group(['middleware' => 'auth'], function()
{
    Route::resource('flights', 'FlightEntryController');
});
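
Added example, not part of either post: `authorizeResource()` takes the route parameter name as an optional second argument and otherwise derives it from the model class name (`flight_entry` for `FlightEntry`), while `Route::resource('/flights', ...)` registers `flights/{flight}`, which is what `php artisan route:list` shows. The sketch below aligns the two names and adds a feature test that proves the policy actually runs on `show`. It assumes the thread's class names and route; the test class name, the model factories and the default `id` route key are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes the thread's FlightEntry model,
// FlightEntryPolicy and Route::resource('/flights', ...)->middleware('auth').

// --- app/Http/Controllers/FlightEntryController.php ---
use App\Models\FlightEntry;

class FlightEntryController extends Controller
{
    public function __construct()
    {
        // Second argument = route parameter name. Left out, authorizeResource()
        // looks for {flight_entry}; no route parameter has that name, so no
        // FlightEntry reaches the policy and the request is denied with 403.
        $this->authorizeResource(FlightEntry::class, 'flight');
    }

    // $flight must match the {flight} route parameter for route model binding.
    public function show(FlightEntry $flight)
    {
        return response()->json($flight);
    }
}

// --- tests/Feature/FlightEntryAccessTest.php (hypothetical; assumes factories) ---
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Tests\TestCase;

class FlightEntryAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_show_is_limited_to_the_owner(): void
    {
        // Spatie throws if the permission named in the policy does not exist.
        Permission::create(['name' => 'view flights not owned']);

        $owner  = User::factory()->create();
        $other  = User::factory()->create();
        $flight = FlightEntry::factory()->create(['user_id' => $owner->id]);

        // Owner reaches the controller, so the policy ran and allowed.
        $this->actingAs($owner)->get("/flights/{$flight->id}")->assertOk();

        // Another user without the permission is stopped before the controller.
        $status = $this->actingAs($other)->get("/flights/{$flight->id}")->getStatusCode();
        $this->assertContains($status, [403, 404]);
    }
}
```

The same alignment can be made on the route side with `Route::resource('/flights', FlightEntryController::class)->parameters(['flights' => 'flight_entry'])`, in which case the controller argument becomes `$flight_entry`.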

 
