Laravel 5.6 Authorizing actions using policies


I am trying to implement a policy to block the edit functionality of a resource.

My route:

Route::resource('imagerequests', 'ImageRequestController');

My ImageRequestPolicy

class ImageRequestPolicy
{
    use HandlesAuthorization;

    const STATUS_EXECUTING = "executing";

    public function edit(ImageRequest $imageRequest)
    {
        return $imageRequest->status !== self::STATUS_EXECUTING;
    }
}

But I can still access the `imagerequests/{id}/edit` route.

EDIT
/**
 * The policy mappings for the application.
 *
 * @var array
 */
protected $policies = [
    ImageRequest::class => ImageRequestPolicy::class,
];

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $this->registerPolicies();

    //
}

ImageRequest Model

class ImageRequest extends Model

Edit ImageRequestController method

public function edit($id, ImageRequest $imageRequest)
{
    $this->authorize('edit', $imageRequest);

    $imageRequest = ImageRequest::findOrFail($id);
    $requestTypes = RequestType::all();
    $attachments = $this->imageRequestRepository->getAttachmentsListOfImageRequestById($id);

    return view('imagerequest.edit', compact('imageRequest', 'requestTypes', 'attachments'));
}

Your edit method is wrong, its first argument must be the user:

public function edit(User $user, ImageRequest $imageRequest)
{
    return $imageRequest->status !== self::STATUS_EXECUTING;
}

Add to your ImageRequestController, edit method:

public function edit(ImageRequest $imageRequest)
{
    $this->authorize('edit', $imageRequest);

    ...
}

The $user argument is automatically added by Laravel.

Also you need to register the policy in AuthServiceProvider.

protected $policies = [
    ImageRequest::class => ImageRequestPolicy::class,
];

And ImageRequest must extend the Model class. Is it a model or an Illuminate\Http\Request?

There's something wrong with your controller. You said your route is:

/imagerequests/26/edit

In your controller you are injecting a new, blank ImageRequest, maybe that's why it's passing the authorize test. Try this:

public function edit($id, ImageRequest $imageRequest)
{
    $imageRequest = ImageRequest::findOrFail($id);

    $this->authorize('edit', $imageRequest);

    $requestTypes = RequestType::all();
    $attachments = $this->imageRequestRepository->getAttachmentsListOfImageRequestById($id);

    return view('imagerequest.edit', compact('imageRequest', 'requestTypes', 'attachments'));
}
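
The failure mode this answer suspects, reduced to plain PHP as an added example (not code from the question or the answers): a policy check that compares against a single "blocked" status passes for a blank model, because its status is null. The stub `ImageRequest` and `User` classes, the `loaded()` helper and the `editStrict()` method are hypothetical stand-ins; `$exists` mirrors the property of the same name on Eloquent models.

```php
<?php
// Stand-in for an Eloquent model: a new instance has no attributes
// and $exists === false, like the blank model a controller gets
// when no route parameter binds to the type-hinted argument.
class ImageRequest
{
    public $status = null;
    public $exists = false;

    // Constructed stand-in for ImageRequest::findOrFail($id).
    public static function loaded(string $status): self
    {
        $model = new self();
        $model->status = $status;
        $model->exists = true;
        return $model;
    }
}

class User {}

class ImageRequestPolicy
{
    const STATUS_EXECUTING = 'executing';

    // The check from the page: null !== 'executing' is true,
    // so a blank model is always authorized.
    public function edit(User $user, ImageRequest $imageRequest): bool
    {
        return $imageRequest->status !== self::STATUS_EXECUTING;
    }

    // Hypothetical fail-closed variant: refuse models never loaded from storage.
    public function editStrict(User $user, ImageRequest $imageRequest): bool
    {
        return $imageRequest->exists
            && $imageRequest->status !== self::STATUS_EXECUTING;
    }
}

$policy = new ImageRequestPolicy();
$user   = new User();
$blank  = new ImageRequest();                 // injected, never loaded
$record = ImageRequest::loaded('executing');  // the record the URL refers to

var_dump($policy->edit($user, $blank));        // check runs against the wrong object
var_dump($policy->edit($user, $record));       // check runs against the real record
var_dump($policy->editStrict($user, $blank));
var_dump($policy->editStrict($user, $record));
```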

Like authentication, Laravel's approach to authorization is simple, and there are two primary ways of authorizing actions: gates and policies. Think of gates and policies like routes and controllers. Gates provide a simple, Closure based approach to authorization while policies, like controllers, group their logic around a particular model or resource.

Use middleware for protecting routes.

use App\Post;
Route::put('/post/{post}', function (Post $post) {
    // The current user may update the post...
})->middleware('can:update,post');

Hope this will help.


There is a difference between gates and policies that is somewhat hard to grasp from the documentation. Gates are used to authorize controller methods while resources are responsible to authorize actions regarding models, i.e. actual database records.

So in your case, you should be using gates and not policies. You can still use your existing policy class, but you have to register it differently. Instead of using

/**
 * The policy mappings for the application.
 *
 * @var array
 */
protected $policies = [
    ImageRequest::class => ImageRequestPolicy::class,
];

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $this->registerPolicies();
}

you should be using

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $this->registerPolicies();

    Gate::resource('imageRequests', App\Policies\ImageRequestPolicy::class);
}

For further reference, have a look at the documentation on gates.


Comments
  • Take a look at laravel.com/docs/5.6/validation#authorizing-form-requests; you can authorize form requests.
  • @RomanBobrik I first need to prevent them from even accessing the form.
  • Show your controller@edit code.
  • @ArthurSamarcos Edited OP with controller@edit code
  • I don't use the User argument, why do I need to put it there?
  • It's added automatically by Laravel. If you don't use it, you will get an error.
  • What's the status of that imagerequest?
  • I registered the policy in AuthServiceProvider (edited OP) and ImageRequest already extends Model
  • Status is 100% "executing"
  • I can't use this because I have a resource route, look at my question.
  • You can use it in your controller constructor.