I have created a resource controller for an API endpoint. I have also created a corresponding policy for the model. If I do a per method authorization check using then it works as expected. But if I add the following to the construct, I always get a 403 forbidden. Not sure what I am missing as the following should apply

laravel authorizeResource always denies access

I have created a resource controller for an API endpoint. I have also created a corresponding policy for the model.

If I do a per method authorization check using

$this->authorize('delete', $asset);

JavaScript
​x
 
$this->authorize('delete', $asset);​

then it works as expected. But if I add the following to the construct, I always get a 403 forbidden. Not sure what I am missing as the following should apply the authorization for all methods.

$this->authorizeResource(Asset::class, 'asset');

JavaScript
 
$this->authorizeResource(Asset::class, 'asset');​

This is what my route looks like:

Route::group(['middleware' => ['auth:api']], function () {
    Route::Resource('asset', 'AssetsApiController');
});

JavaScript
 
Route::group(['middleware' => ['auth:api']], function () {    Route::Resource('asset', 'AssetsApiController');});​

My policy is registered like this:

protected $policies = [
    Asset::class => AssetPolicy::class,
];

JavaScript
 
protected $policies = [    Asset::class => AssetPolicy::class,];​

My policy method for deleting is

public function delete(User $user, Asset $asset)
{
    return true;
}

JavaScript
 
public function delete(User $user, Asset $asset){    return true;}​

The API controller constructor looks like this:

public function __construct()
{
    $this->authorizeResource(Asset::class,'asset');
}

JavaScript
 
public function __construct(){    $this->authorizeResource(Asset::class,'asset');}​

The API controller method is

public function destroy($assetID)
{
    $asset = Asset::findOrFail($assetID);
    $asset->delete();
}

JavaScript
 
public function destroy($assetID){    $asset = Asset::findOrFail($assetID);    $asset->delete();}​

And my routes are

| GET|HEAD  | api/asset              | asset.index   | AppHttpControllersAssetsApiController@index   | api,auth:api                      |
| POST      | api/asset              | asset.store   | AppHttpControllersAssetsApiController@store   | api,auth:api,can:create,AppAsset |
| GET|HEAD  | api/asset/create       | asset.create  | AppHttpControllersAssetsApiController@create  | api,auth:api,can:create,AppAsset |
| PUT|PATCH | api/asset/{asset}      | asset.update  | AppHttpControllersAssetsApiController@update  | api,auth:api,can:update,asset     |
| DELETE    | api/asset/{asset}      | asset.destroy | AppHttpControllersAssetsApiController@destroy | api,auth:api,can:delete,asset     |
| GET|HEAD  | api/asset/{asset}      | asset.show    | AppHttpControllersAssetsApiController@show    | api,auth:api,can:view,asset       |
| GET|HEAD  | api/asset/{asset}/edit | asset.edit    | AppHttpControllersAssetsApiController@edit    | api,auth:api,can:update,asset     |
| GET|HEAD  | assets                 |               | AppHttpControllersAssetsController@index      | web                               |

JavaScript
 
| GET|HEAD  | api/asset              | asset.index   | AppHttpControllersAssetsApiController@index   | api,auth:api                      || POST      | api/asset              | asset.store   | AppHttpControllersAssetsApiController@store   | api,auth:api,can:create,AppAsset || GET|HEAD  | api/asset/create       | asset.create  | AppHttpControllersAssetsApiController@create  | api,auth:api,can:create,AppAsset || PUT|PATCH | api/asset/{asset}      | asset.update  | AppHttpControllersAssetsApiController@update  | api,auth:api,can:update,asset     || DELETE    | api/asset/{asset}      | asset.destroy | AppHttpControllersAssetsApiController@destroy | api,auth:api,can:delete,asset     || GET|HEAD  | api/asset/{asset}      | asset.show    | AppHttpControllersAssetsApiController@show    | api,auth:api,can:view,asset       || GET|HEAD  | api/asset/{asset}/edit | asset.edit    | AppHttpControllersAssetsApiController@edit    | api,auth:api,can:update,asset     || GET|HEAD  | assets                 |               | AppHttpControllersAssetsController@index      | web                               |                                               ​

I guess I am missing something but I can’t see it, the gate is being shown as denied in Telescope. the only strange thing is that the serveNova middleware seems to be the source of the issue.

Time May 8th 2019, 10:51:37 AM (14m ago)
Hostname core-hosp
Ability delete
Result denied
Location /home/vagrant/code/nova/src/Http/Middleware/ServeNova.php:25
Request View Request
Tags Auth:1

Answer

I’ve described my lessons learn with this tiring problem here: https://github.com/laravel/framework/issues/22847#issuecomment-521308861. Maybe somebody will find it useful.

Advertisement

Answer