This action is unauthorized - even though user should be authed.

Published 11 months ago by skinnyvin

I have an AddressController that has your standard resource methods. I have validation via StoreAddressRequest and UpdateAddressRequest classes. I have implemented authorization via a model related policy class - AddressPolicy.

At present all of the resource methods are only accessible to the admin user via the AddressPolicy - checking this with an admin user and a standard user shows that Index, Create, Store and Edit all work great.

However, when I try to update an address as an Admin user I get the following message:

    Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    This action is unauthorized.

Checking debugbar reveals:

    array:4 [
      "ability" => "update"
      "result" => false
      "user" => 1
      "arguments" => "[0 => Object(App\User)]"
    ]

This is the correct user. My session has not expired when making the request.

I am calling the policy in the same way as I do for index, show, create, store and edit, e.g.:

    $this->authorize('update', \Auth::user());

and then within AddressPolicy:

    public function update(User $user)
    {
        if ($user->isSuperAdmin()) {
            return true;
        } else {
            return false;
        }
    }

I am not certain the update function is getting invoked, since, if I remove the 'update' method from the AddressPolicy I still get the same message. Also, I cannot dd() from within a method in the AddressPolicy.

Clearly I have messed up somewhere! Thanks for any pointers.
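Laravel picks the policy class from the class of the first argument passed after the ability name, so a policy written for addresses is only consulted when an Address model (an instance, or the class name for create/index) is handed to authorize(). As an added example, not the poster's code, this is the conventional wiring; it assumes an App\Address Eloquent model mapped to AddressPolicy in AuthServiceProvider::$policies, route model binding on the {address} parameter, and Laravel 5.5+ for validated().

```php
<?php
// Added example, not the poster's code. Assumes: an App\Address Eloquent model,
// AddressPolicy registered for App\Address in AuthServiceProvider::$policies,
// route model binding on {address}, and Laravel 5.5+ for validated().
namespace App\Http\Controllers {
    use App\Address;
    use App\Http\Requests\UpdateAddressRequest;

    class AddressController extends Controller
    {
        public function create()
        {
            // No instance exists yet, so the class name selects the policy:
            // this runs AddressPolicy::create($user).
            $this->authorize('create', Address::class);
            return view('addresses.create');
        }

        public function update(UpdateAddressRequest $request, Address $address)
        {
            // The Address instance selects AddressPolicy and is passed on to
            // AddressPolicy::update($user, $address). Passing \Auth::user()
            // here would make the gate look for a policy for App\User instead.
            $this->authorize('update', $address);
            $address->update($request->validated());
            return redirect()->route('addresses.show', $address);
        }
    }
}

namespace App\Policies {
    use App\Address;
    use App\User;

    class AddressPolicy
    {
        // The gate injects the authenticated user first, then the model argument.
        public function create(User $user)
        {
            return $user->isSuperAdmin();
        }

        public function update(User $user, Address $address)
        {
            return $user->isSuperAdmin();
        }
    }
}
```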

11 months ago (999,845 XP)

I would check the format of the post url and compare that to your routes.

Sounds like perhaps something else is grabbing the route?

You are not uploading a large file with the update?


Thanks @Snapey. Not uploading anything, simple update. All works fine if I remove the authorize helper from the controller method.

I am away from the machine I was working on so will re-check the post url etc again in the morning.


What does your isSuperAdmin() method look like on your model then? Can you dd($user->isSuperAdmin())? Maybe it's returning false.

Also, do you have anything in a boot() method that could be automatically returning false for something on that policy (thus it won't even be checking the update function)?

    public function isSuperAdmin()
    {
        return (bool) $this->is_admin;
    }

No boot method. I did previously have a before($user, $ability) method but even with this removed I still get the same issue.

It's strange though as it is only for the update policy (which has the same contents as the other policies). I can see in debugbar that the gate policies are reported correctly for all the other methods.

I have removed my 'UpdateAddressRequest' Request class to ensure it is not that causing it. If I dd(Route::currentRouteName()); before the auth call, I get the correct route returned also.

If I dd('something'); within any of the policy methods nothing is returned.

I am puzzled.


dd() in methods of one of my other policies does work... hmm. Time for more poking about.
