
Synchro's avatar

Exempting a single API route from auth

I want to exempt a show method in a controller from both authentication and authorization checks.

I have an API resource which uses Laravel's default auth:api middleware, set in its controller's constructor:

    $this->middleware('auth:api')->except('show');
    $this->authorizeResource(Thing::class);

and the policy for this controller returns true for the show method.

But I'm still getting a 403. Where else should I be looking to permit unauth access to this?

martinbean's avatar

@synchro If you use authorizeResource then it’s still going to invoke a policy method for your show action. Policies check permissions against the authenticated user, so if you don’t have one then the policy is going to immediately fail.

If unauthenticated users can view any “thing” without authenticating, then you can make the user in your corresponding policy method optional: https://laravel.com/docs/8.x/authorization#guest-users

Synchro's avatar

Perfect, thanks. Allowing $user to be null in the policy fixed it, and I understand why that works!
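The fix discussed in this thread, as an added example that is not code from either poster. It assumes Laravel 8's default `App\Models` namespace, a route parameter named `thing`, and a hypothetical `user_id` owner column on `Thing`.

```php
<?php
// Added example, not the posters' code. Assumes Laravel 8 defaults
// (App\Models\User, App\Models\Thing) and a hypothetical things.user_id column.

namespace App\Policies {

    use App\Models\Thing;
    use App\Models\User;

    class ThingPolicy
    {
        // authorizeResource() maps the controller's show action to view().
        // The nullable type-hint lets the check reach this method for guests;
        // without it, Laravel denies any check that has no authenticated user.
        public function view(?User $user, Thing $thing): bool
        {
            return true;
        }

        // Non-nullable User: guests are denied before this body ever runs.
        public function update(User $user, Thing $thing): bool
        {
            return $user->id === $thing->user_id;
        }
    }
}

namespace App\Http\Controllers {

    use App\Models\Thing;

    class ThingController extends Controller
    {
        public function __construct()
        {
            // Skip authentication for show only; other actions still need a token.
            $this->middleware('auth:api')->except('show');
            // Registers a policy check for every resource action, show included.
            $this->authorizeResource(Thing::class);
        }

        public function show(Thing $thing)
        {
            return $thing;
        }
    }
}
```

Only `view()` takes a nullable user, so the guest exemption stays scoped to `show`. Any policy method given a `?User` argument has to handle `null` before reading properties from it.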
