Guest users in laravel authorization policies


I use policies for user authorization. How do I use policies for guest users?

Here is my code:

In controller:

use App\Post;

class PostController extends Controller
{
    public function index(Post $post)
    {
        // Passing the model first lets authorize() derive the ability
        // name from the calling method ("index").
        $this->authorize($post);

        return $post->all();
    }
}

In policy:

use App\User;

class PostPolicy
{
    // This function executes only for authenticated users.
    // I want to use it for guest users too.
    public function index(User $user)
    {
        return $user->can('get-posts');
    }
}

I think the simplest way is to protect with Auth middleware, or to check if the user is authenticated in the policy.


First make a new service provider:

php artisan make:provider GuestServiceProvider

Then edit GuestServiceProvider.php with this:

namespace App\Providers;

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\ServiceProvider;

class GuestServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Laravel policies only work if the user isn't null, so for guest access we need to assign a dummy user.
        // From now on, to check for a guest use is_null(Auth::user()->getKey())
        if (! Auth::check()) {
            $userClass = config('auth.providers.users.model');
            Auth::setUser(new $userClass());
        }
    }
}

Now Policies will work for guest users and in your policy you can check for the guest by doing:

if(is_null(Auth::user()->getKey())){
    // it's a guest
}

Which essentially means that if the user doesn't have an id then it's not a real user, hence it must be a guest.


Laravel 5.7 now has this feature built in (with PHP >= 7.1). See the docs on the new Gate. For anyone using older versions, here is my solution. Make a small helper that uses the authorizeForUser method on Illuminate\Foundation\Auth\Access\AuthorizesRequests. It leaves all native functionality intact. Extend your controller:

use App\User;

// Added to the base App\Http\Controllers\Controller, which already uses the
// Illuminate\Foundation\Auth\Access\AuthorizesRequests trait that provides
// parseAbilityAndArguments() and authorizeForUser().
public function authorizeAnyone($ability, $arguments = [])
{
    list($ability, $arguments) = $this->parseAbilityAndArguments($ability, $arguments);

    // A guest is replaced by an unsaved User so the policy method is still reached.
    return $this->authorizeForUser(auth()->user() ?? new User(), $ability, $arguments);
}

Then wherever you want the possibility of checking your policy against a guest, use

$this->authorizeAnyone();

instead of

$this->authorize();

If you don't want to extend your controller, you can also call (for example):

$this->authorizeForUser(auth()->user() ?? new User, 'index', $post);
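The two working approaches side by side, as an added example rather than code from the question or any of the answers above. It assumes Laravel 5.7 or later on PHP 7.1 or later for the nullable type-hints, the App\Post and App\User classes and the get-posts ability from the question, and a boolean published column on posts that is not on the page. In PostPolicy a nullable User parameter lets the gate call viewAny and view for a guest with $user set to null; update keeps a plain User parameter, so a guest is refused before the method body runs and the write ability stays fail-closed. The show action uses the pre-5.7 route from the last answer, authorizeForUser with an unsaved User, which the policy recognises through $user->exists. Neither approach touches the session guard, so unlike the service-provider trick earlier on the page, Auth::check() and the auth middleware still report a guest as a guest.

```php
<?php
// Added example (not from the question or the answers). Two files are shown in
// one listing: app/Policies/PostPolicy.php and app/Http/Controllers/PostController.php.
// Assumes Laravel 5.7+ on PHP 7.1+, App\Post / App\User as in the question and an
// assumed boolean "published" column on the posts table.

namespace App\Policies;

use App\Post;
use App\User;

class PostPolicy
{
    // Recognise a guest under both approaches: Laravel 5.7+ passes null to a
    // nullable parameter, while the pre-5.7 authorizeForUser(new User) approach
    // passes a User that was never saved, so $user->exists is false.
    private function isGuest(?User $user)
    {
        return $user === null || ! $user->exists;
    }

    // Nullable type-hint: from 5.7 the gate calls this for a guest instead of
    // returning false before the method is reached.
    public function viewAny(?User $user)
    {
        // Guests may list posts; signed-in users still need the ability from the question.
        return $this->isGuest($user) || $user->can('get-posts');
    }

    public function view(?User $user, Post $post)
    {
        if ($this->isGuest($user)) {
            return (bool) $post->published;   // guests only see published posts
        }

        // Owners may also see their own unpublished drafts.
        return (bool) $post->published || (int) $user->id === (int) $post->user_id;
    }

    // No "?" here: a guest never reaches this method and is denied outright,
    // so the write ability cannot be opened up by accident.
    public function update(User $user, Post $post)
    {
        return (int) $user->id === (int) $post->user_id;
    }
}

namespace App\Http\Controllers;

use App\Post;
use App\User;

class PostController extends Controller
{
    public function index()
    {
        // Laravel 5.7+: the gate hands the current user (null for a guest)
        // to PostPolicy::viewAny because that method accepts null.
        $this->authorize('viewAny', Post::class);

        // Mirror the policy: a guest only gets published posts back.
        return Post::query()
            ->when(auth()->guest(), function ($query) {
                return $query->where('published', true);
            })
            ->get();
    }

    public function show(Post $post)
    {
        // Pre-5.7 equivalent: substitute an unsaved User for the guest so the
        // policy method runs; the policy tells it apart via $user->exists.
        // Only this one check sees the substitute user, so Auth::check() and
        // the auth middleware still treat the visitor as a guest.
        $this->authorizeForUser(auth()->user() ?? new User, 'view', $post);

        return $post;
    }
}
```

Register the policy in App\Providers\AuthServiceProvider as for any policy ($policies = [Post::class => PostPolicy::class]); a default of null (User $user = null) works in place of the ?User syntax. The important design choice is which methods get the nullable parameter: only the read abilities a guest is meant to have, so everything else keeps the framework's default of denying unauthenticated users.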


New in Laravel 5.7 (laravel/framework #24576): gates and policies can accept guests. Declare the user parameter with a nullable type-hint (?User $user) or give it a default value of null; $user is then null when a guest is checked against the gate or policy, and the method body can decide whether to authorize the action. In Laravel 5.6 and below, gates and policies return false for unauthenticated users before the method is ever called.



Comments
  • I can't check it in the policy because this function is not executed if the user is not authenticated.
  • Then protect route with Auth middleware.
  • Functionally this works, but I have concerns about using this in a team environment with multiple developers. It creates a pattern that developers have to somehow just know. They won't though, they'll go look up behavior in Laravel docs, see that if Auth::user() returns a user that the call is authenticated, and then they will do bad things.