Extending authorizeResource to custom method

Posted 4 months ago by oliverbusk

Hi all

I have a resource controller called StreamController.php, that utilizes a policy called StreamPolicy.php.

In my controller, I have this:

    /**
     * Construct method.
     */
    public function __construct()
    {
        $this->authorizeResource(Stream::class, 'stream');
    }

With the above, all the RESTful endpoints are successfully "protected" using the policy.

However, I have added a new method to my controller, called documents(), like so:

    Route::get('streams/{stream}/documents', 'StreamController@documents');

    /**
     * Display the imported documents of the resource
     * @return \Illuminate\Http\Response
     */
    public function documents(Stream $stream)
    {
        return view('streams.documents', compact('stream'));
    }

Now the problem is, if I visit the URL:

example.com/streams/1 and I am not the owner of the stream, I get a 403 page - but if I go to: example.com/streams/1/documents and I am not the owner of the stream, I can still access the page.

What am I doing wrong? How can I make it so my policy also covers the documents() method in my controller?
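
The gap described in the post, closed in two ways, as an added example that is not part of the original post or of Laravel's own code: `authorizeResource()` only registers policy middleware for the seven resource methods, so a custom action needs its own check. The `App\Stream` namespace and the choice of the `view` ability for `documents()` are assumptions.

```php
<?php

namespace App\Http\Controllers;

use App\Stream; // assumed model namespace; adjust to your application

class StreamController extends Controller
{
    public function __construct()
    {
        // Attaches "can:<ability>,stream" middleware to index, create, store,
        // show, edit, update and destroy only. Any other public action on the
        // controller is left without a policy check.
        $this->authorizeResource(Stream::class, 'stream');
    }

    /**
     * Option 1: extend the method => ability map that authorizeResource()
     * iterates over, so documents() is gated like show().
     * Mapping to 'view' is an assumption: it reuses the owner check that
     * already returns 403 on /streams/{stream} for non-owners.
     */
    protected function resourceAbilityMap()
    {
        return array_merge(parent::resourceAbilityMap(), [
            'documents' => 'view',
        ]);
    }

    /**
     * Display the imported documents of the resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function documents(Stream $stream)
    {
        // Option 2: explicit check inside the action. It throws an
        // AuthorizationException (rendered as 403) when StreamPolicy::view()
        // denies the current user. Either option is sufficient on its own;
        // keeping this call means the action still fails closed if the
        // map override above is later removed.
        $this->authorize('view', $stream);

        return view('streams.documents', compact('stream'));
    }
}
```

A feature test that requests `streams/{stream}/documents` as a non-owner and asserts a 403 keeps any later custom action from shipping without a policy check.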
