This action is unauthorized - even though the user should be authed.

Published 1 month ago by skinnyvin

I have an AddressController that has your standard resource methods. I have validation via StoreAddressRequest and UpdateAddressRequest classes. I have implemented authorization via a model-related policy class - AddressPolicy.

At present all of the resource methods are only accessible to the admin user via the AddressPolicy - checking this with an admin user and a standard user shows that Index, Create, Store and Edit all work great.

However, when I try to update an address as an Admin user I get the following message:

Symfony \ Component \ HttpKernel \ Exception \ AccessDeniedHttpException
This action is unauthorized.

Checking debugbar reveals:

error

array:4 [▼
  "ability" => "update"
  "result" => false
  "user" => 1
  "arguments" => "[0 => Object(App\User)]"
]

This is the correct user. My session has not expired when making the request.

I am calling the policy in the same way as I do for index, show, create, store and edit, e.g.:

    $this->authorize('update', \Auth::user());

and then within AddressPolicy:

    public function update(User $user)
    {
        // Only super admins may update; everyone else is denied.
        if ($user->isSuperAdmin()) {
            return true;
        } else {
            return false;
        }
    }

I am not certain the update function is getting invoked, since, if I remove the 'update' method from the AddressPolicy, I still get the same message. Also, I cannot dd() from within a method in the AddressPolicy.

Clearly I have messed up somewhere! Thanks for any pointers.
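The authorize() call quoted above hands the Gate the User rather than the Address. The script below is an added example, not code from the thread or from Laravel itself: it is a stand-alone PHP model of how Laravel's Gate (Illuminate\Auth\Access\Gate) picks a policy, namely by the class of the first argument after the ability name, with a class-name string accepted where no instance exists yet. The class names User, Address and AddressPolicy, the user_id column and the owner rule are assumptions for the illustration. The thread does not show the $policies map in its AuthServiceProvider, so whether this is the actual cause of the 403 depends on what is registered there.

```php
<?php
// Added example (not code from the thread or from Laravel): a stand-alone
// model of how Laravel's Gate selects a policy method for
// $this->authorize($ability, $argument). Class names, the user_id column and
// the owner rule are assumptions made for the illustration.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public bool $is_admin) {}

    public function isSuperAdmin(): bool
    {
        return $this->is_admin;
    }
}

final class Address
{
    // user_id is an assumed column linking the address to its owner.
    public function __construct(public int $id, public int $user_id) {}
}

// The policy receives the acting user first, then whatever was passed as the
// second argument to authorize() (nothing more for class-name abilities).
final class AddressPolicy
{
    public function create(User $user): bool
    {
        return $user->isSuperAdmin();
    }

    public function update(User $user, Address $address): bool
    {
        // Super admins may edit any address; owners may edit their own.
        return $user->isSuperAdmin() || $user->id === $address->user_id;
    }
}

// Minimal stand-in for the lookup in Illuminate\Auth\Access\Gate: the policy
// is chosen by the class of the first argument after the ability name, which
// may be a model instance or a class-name string.
final class MiniGate
{
    /** @var array<class-string, class-string> model class => policy class */
    private array $policies = [Address::class => AddressPolicy::class];

    /** @return array{bool, string} [allowed, reason] */
    public function check(User $user, string $ability, object|string $argument): array
    {
        $class       = is_object($argument) ? $argument::class : $argument;
        $policyClass = $this->policies[$class] ?? null;

        if ($policyClass === null) {
            // No policy mapped for this class (and no Gate::define() ability
            // in this model), so the Gate falls back to "deny".
            return [false, "no policy registered for {$class}"];
        }

        $policy = new $policyClass();
        if (!method_exists($policy, $ability)) {
            return [false, "{$policyClass} has no method {$ability}()"];
        }

        // Laravel drops a class-name string before calling the policy, so
        // create(User $user) receives only the user.
        $args   = is_object($argument) ? [$user, $argument] : [$user];
        $result = (bool) $policy->$ability(...$args);

        return [$result, "{$policyClass}::{$ability}() returned " . var_export($result, true)];
    }
}

function describe(array $outcome): string
{
    [$ok, $why] = $outcome;
    return ($ok ? 'allowed' : 'denied') . " ({$why})";
}

$gate    = new MiniGate();
$admin   = new User(id: 1, is_admin: true);
$address = new Address(id: 10, user_id: 2);

// What the thread's controller does: the User is the argument, so the Gate
// looks for a policy mapped to the User class, finds none here, and denies
// even the admin.
echo "authorize('update', \$user):          ", describe($gate->check($admin, 'update', $admin)), "\n";

// Passing the model being edited resolves AddressPolicy::update() as intended.
echo "authorize('update', \$address):       ", describe($gate->check($admin, 'update', $address)), "\n";

// For create there is no instance yet, so the class name selects the policy.
echo "authorize('create', Address::class): ", describe($gate->check($admin, 'create', Address::class)), "\n";
```

Run it with `php example.php` (PHP 8.0 or later, for constructor promotion and union types). The practical check this suggests for a real Laravel app is to compare the class of the argument passed to authorize() against the keys of $policies in AuthServiceProvider, and to give the policy method a second parameter typed as the model so a mismatch fails loudly instead of silently resolving to "deny".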

Snapey
1 month ago

I would check the format of the post url and compare that to your routes.

Sounds like perhaps something else is grabbing the route?

You are not uploading a large file with the update?

skinnyvin

Thanks @Snapey. Not uploading anything, simple update. All works fine if I remove the authorize helper from the controller method.

I am away from the machine I was working on so will re-check the post url etc again in the morning.

mcstepp

What does your isSuperAdmin() method look like on your model then? Can you dd($user->isSuperAdmin())? Maybe it's returning false.

Also, do you have anything in a boot() method that could be automatically returning false for something on that policy (thus it won't even be checking the update function)?

skinnyvin

    public function isSuperAdmin()
    {
        // is_admin is a database column; cast it to a real boolean.
        return (bool) $this->is_admin;
    }

No boot method. I did previously have a before($user, $ability) method, but even with this removed I still get the same issue.

It's strange, though, as it is only for the update policy (which has the same contents as the other policies). I can see in debugbar that the gate policies are reported correctly for all the other methods.

I have removed my 'UpdateAddressRequest' Request class to ensure it is not what is causing it. If I dd(Route::currentRouteName()); before the auth call, I also get the correct route returned.

If I dd('something'); within any of the policy methods nothing is returned.

I am puzzled.

skinnyvin

dd() in the methods of one of my other policies does work... hmm. Time for more poking about.
