Extending authorizeResource to custom method

Posted 2 months ago by oliverbusk

Hi all

I have a resource controller called StreamController.php, that utilizes a policy called StreamPolicy.php.

In my controller, I have this:

```php
//StreamController.php
/**
 * Construct method.
 */
public function __construct()
{
    $this->middleware('auth');
    $this->authorizeResource(Stream::class, 'stream');
}
```

With the above, all the RESTful endpoints are successfully "protected" using the policy.

However, I have added a new method to my controller, called documents(), like so:

```php
//web.php
Route::get('streams/{stream}/documents', 'StreamController@documents');
```

```php
//StreamController.php
/**
 * Display the imported documents of the resource
 *
 * @return \Illuminate\Http\Response
 */
public function documents(Stream $stream)
{
    return view('streams.documents', compact('stream'));
}
```

Now the problem is, if I visit the url:

example.com/streams/1 and I am not the owner of the stream, I get a 403 page - but if I go to: example.com/streams/1/documents and I am not the owner of the stream, I can still access the page.

What am I doing wrong? How can I make it so my policy also covers the documents() method in my controller?
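One way to close the gap described above, as an added example that is not the poster's code: `authorizeResource()` only attaches `can:` middleware for the seven standard resource actions, so a custom action needs its own mapping or an explicit check. This assumes the `App\Stream` model and a `StreamPolicy::view()` method from the post, and Laravel's `AuthorizesRequests` trait on the base `Controller`.

```php
<?php
// Added example, not the original poster's code. Assumes the base Controller
// uses Illuminate\Foundation\Auth\Access\AuthorizesRequests, an App\Stream
// model and a StreamPolicy with a view(User $user, Stream $stream) method.

namespace App\Http\Controllers;

use App\Stream;

class StreamController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth');

        // authorizeResource() only wires index/create/store/show/edit/update/
        // destroy to policy abilities. A custom action such as documents() gets
        // no 'can:' middleware, which is why a non-owner can still load
        // /streams/{stream}/documents while /streams/{stream} returns 403.
        $this->authorizeResource(Stream::class, 'stream');
    }

    /**
     * Extend the "controller method => policy ability" map so that
     * authorizeResource() also covers documents(). Reusing 'view' means
     * StreamPolicy::view($user, $stream) decides; a dedicated 'documents'
     * policy method could be mapped here instead.
     */
    protected function resourceAbilityMap()
    {
        return array_merge(parent::resourceAbilityMap(), [
            'documents' => 'view',
        ]);
    }

    public function documents(Stream $stream)
    {
        // Equivalent alternative to the map above: authorize inside the
        // action. Either one is enough; having both is defence in depth, and
        // a failing check throws AuthorizationException, rendered as 403.
        $this->authorize('view', $stream);

        return view('streams.documents', compact('stream'));
    }
}
```

A quick check after the change is to sign in as a user who does not own stream 1 and request `/streams/1/documents`; it should now return 403 like `/streams/1` does.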
