API Nested shallow resource policy not registering correctly?

Posted 1 month ago by Rotario

Hi All, I've got an API nested resource like so:

api.php

    Route::apiResource('sites.machines', 'API\MainMachineController')->shallow();

and the controller uses:

API/MainMachineController.php

    public function __construct()
    {
        $this->authorizeResource(MainMachine::class);
    }

to register its policy. Now the POST to /sites/1/machines is authorized as expected, but when I instead try to PUT to /machines/1 to update the resource, I get a forbidden error, even if I just stick a return true; in the corresponding update method in the policy function like so:

MainMachinePolicy.php

    public function update(User $user, MainMachine $mainMachine)
    {
        return true;
    }

Now, looking at php artisan route:list, it seems as if the model isn't registered correctly on the policy on the non-nested routes. I think this may be a bug?

    |        | POST      | api/sites/{site}/machines   | sites.machines.store | App\Http\Controllers\API\MainMachineController@store                   | api,auth:sanctum,can:create,*App\MainMachine*  |
    |        | GET|HEAD  | api/sites/{site}/machines   | sites.machines.index | App\Http\Controllers\API\MainMachineController@index                   | api,auth:sanctum,can:viewAny,*App\MainMachine*

    |        | PUT|PATCH | api/machines/{machine}      | machines.update      | App\Http\Controllers\API\MainMachineController@update                  | api,auth:sanctum,can:update,*main_machine*     |
    |        | GET|HEAD  | api/machines/{machine}      | machines.show        | App\Http\Controllers\API\MainMachineController@show                    | api,auth:sanctum,can:view,*main_machine*       |
    |        | DELETE    | api/machines/{machine}      | machines.destroy     | App\Http\Controllers\API\MainMachineController@destroy                 | api,auth:sanctum,can:delete,*main_machine*     |
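
Added example, not part of the original post and not Laravel's own code: a plain-PHP model of how authorizeResource() picks the second argument of each can: middleware, checked against the routes listed above. The helper names are hypothetical; the mapping assumes Laravel's behaviour of defaulting the parameter name to the snake_case class basename when none is passed.

```php
<?php
// Default parameter name: snake_case of the model's class basename.
function defaultParameter(string $model): string
{
    $base = substr(strrchr('\\' . $model, '\\'), 1);
    return strtolower(preg_replace('/(?<!^)[A-Z]/', '_$0', $base));
}

// Controller method => [policy ability, whether a bound model instance is needed].
const ABILITY_MAP = [
    'index'   => ['viewAny', false],
    'store'   => ['create',  false],
    'show'    => ['view',    true],
    'update'  => ['update',  true],
    'destroy' => ['delete',  true],
];

// Return the methods whose middleware names a parameter the route URI lacks.
function findMismatches(array $routes, string $model, ?string $parameter = null): array
{
    $parameter = $parameter ?: defaultParameter($model);
    $bad = [];
    foreach ($routes as $method => $uri) {
        [$ability, $needsModel] = ABILITY_MAP[$method];
        preg_match_all('/\{(\w+)\??\}/', $uri, $found);
        if ($needsModel && !in_array($parameter, $found[1], true)) {
            $bad[$method] = sprintf('can:%s,%s has no {%s} in %s',
                $ability, $parameter, $parameter, $uri);
        }
    }
    return $bad;
}

// Routes as listed in the post for apiResource('sites.machines')->shallow().
$routes = [
    'index'   => 'api/sites/{site}/machines',
    'store'   => 'api/sites/{site}/machines',
    'show'    => 'api/machines/{machine}',
    'update'  => 'api/machines/{machine}',
    'destroy' => 'api/machines/{machine}',
];

// First call uses the default parameter name, second passes 'machine' explicitly.
print_r(findMismatches($routes, 'App\MainMachine'));
print_r(findMismatches($routes, 'App\MainMachine', 'machine'));
```

In the controller, the equivalent of the second call is passing the route parameter name as the second argument: $this->authorizeResource(MainMachine::class, 'machine'). When the named parameter is missing from the route, the middleware has no model to hand to the policy, so the request is denied before update() is reached.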
