Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

cooperino's avatar

Query works from Request but not from Policy

In my Custom Request authorize I have the following query:

ItemsList::query()->whereIn('id', $lists)
->where('account_id', '!=', $this->user()->account_id)->doesntExist();

but when I try to pass the parameters to a Policy instead, it always returns false. This is how I pass it from the authorize method to the Policy:

    // in the Request file    
    public function authorize()
    {
        $this->user()->can('access', $lists) // $lists is an array of ids
    }

and then passing it to the Policy's access method:

    public function access(User $user, array $itemsLists)
    {
        return ItemsList::query()->whereIn('id', $itemsLists)
            ->where('account_id', '!=', $user->account_id)->doesntExist();
    }
0 likes
6 replies
Nakov's avatar

@cooperino you having fun just opening new threads for the same question, right? :D

Are you sure that the policy method is called at all? How did you registered the policy?

Is it a UserPolicy do you have it registered in your AuthServiceProvider ?

Try passing it in an array for the additional context like here: https://laravel.com/docs/8.x/authorization#supplying-additional-context

$this->user()->can('access', [User::class, $lists]) // $lists is an array of ids

change the User::class to whatever model this policy is registered to.

1 like
cooperino's avatar

@Nakov Haha no I just felt that although it's related to the same code, the issues were different :D

Yes, I did register in AuthServiceProvider but forgot to specify the policy! will try again

cooperino's avatar

Thank you.

And if I passed a model, used the pre-defined view method for example, I would not need to use context? for example if I did $item = ItemMode::find(1) and then pass it as $this->user()->can('view', $item), Laravel would do that context automatically?

Sinnbeck's avatar

How is laravel supposed to guess what policy to use?

1 like
cooperino's avatar

@Sinnbeck You're right it does look like I haven't specified that. Just didn't see this in the docs so skipped that.

Assuming my policy is registered like so: ItemsList::class => ItemsListPolicy::class, what is the correct way then to call the policy using can in the authorize method?

Please or to participate in this conversation.