HttpException in Handler.php line 107: This action is unauthorized

Question 1

HttpException in Handler.php line 107: This action is unauthorized

laravel-5 policy authorize

Truong Van Hoc · Jul 24, 2016 · Viewed 6.9k times · Source

Answer

Answer

In your Request file set

  public function authorize()
{
    return true;
}

Question 2

I'm learning Laravel 5. I have finished the document's Quickstart - intermediate. I want to apply the authorize check for Task's actions to the User's. I want to check whether the target user is the current logged in user in order to use user's edit action. However, browser keeps telling me when I try to access http://myfirst.app/users/2/edit:

FatalThrowableError in UsersPolicy.php line 20:
Type error: Argument 1 passed to App\Policies\UsersPolicy::edit() must be an instance of Illuminate\Http\Request, instance of App\User given

Routes.php

Route::get('/users/{user}', 'UsersController@view');
Route::get('/users/{user}/edit', 'UsersController@edit');
Route::patch('/users/{user}', 'UsersController@update');

AuthServiceProvider.php

protected $policies = [
    'App\Model' => 'App\Policies\ModelPolicy',
    'App\Task' => 'App\Policies\TaskPolicy',
    'App\User' => 'App\Policies\UsersPolicy',
];

UsersPolicy.php

namespace App\Policies;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Auth\Access\HandlesAuthorization;

class UsersPolicy
{
    use HandlesAuthorization;

    public function edit(Request  $request, User $user)
    {
        return $request->user()->id === $user->id;
    }

    public function update(Request  $request, User $user)
    {
        return $request->user()->id === $user->id;
    }
}

UsersController.php

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;

class UsersController extends Controller
{

    protected $user;

    public function __construct() {
        $this->middleware('auth');
    }

    public function view(Request $request, User $user)
    {    
        if($request->user()->id == $user->id){
            return view('users.view', ['user' => $user]);
        }
        return redirect('/tasks');
    }

    public function edit(Request $request, User $user)
    {
        $this->authorize('edit', $user);
        return view('users.edit', compact('user'));
    }

    public function update(Request $request, User $user)
    {
        $this->authorize('update', $user);        
        $user->update($request->all());    
        return redirect('/users/'.$user->id);
    }
}

In the Document's TaskController's delete function, $user isn't passed into $this->authorized('destroy', $task) in order to allow TaskPolicy's destroy function to use $user:

TaskController.php

public function destroy(Task $task)
{
    $this->authorize('destroy', $task);
    $task->delete();
    return redirect('/tasks');

}

TaskPolicy.php

public function destroy(User $user, Task $task)
{
    return $user->id === $task->user_id;
}

Anyway, I followed the exception and added $request to UsersController's edit function's parameter

$this->authorize('edit', $request, $user);

And I get

HttpException in Handler.php line 107:
This action is unauthorized.

What should I do?

HttpException in Handler.php line 107: This action is unauthorized

Answer

Related questions