
movepixels's avatar

Laravel authorize() not doing anything

I have a form request and wanted to make it fail so I did this:

public function authorize()
{
    // var_dump(\Auth::user()->id); // to be sure its hitting and confirmed. Yep I see the id so its getting here
    return \Auth::user()->id == 456wer456erw; // no such so fail
}

And simple

public function authorize()
{

    return false;
}

But still the FormRequest continues on as per usual. No 403 error is thrown.

Any ideas? Seems pretty straightforward for it not to work.

jove's avatar
public function authorize()
{
    return \Auth::user()->id == "456wer456erw"; // <-- This needs to be a string
}

Can we see your controller?

Snapey's avatar

Possibly you are not using the form request? Can you just dd('here') in there instead?

movepixels's avatar

What I have is a base app\Http\Request\request.php file which has the:

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;


abstract class Request extends FormRequest {
...
}

Then all my other generated "FormRequest" files extend off the base request.php from above.

Example:

<?php 

namespace App\Http\Requests\Profiles;

use App\Http\Requests\Request;
use App\Http\Requests\Response;

use Illuminate\Support\Facades\Auth;


class UpdateBioRequest extends Request{
....
}

But it does not like the 'extends Request'; from what I can guess, it is not running / catching the authorize() as intended.

I have shared functions / methods in my Request.php that I use in quite a few other FormRequest files, so that's the reason for this setup.

Example:

'name' => parent::_webSafeCharacters(parent::_stripSpaces($this->name)),

But open to better ideas.

If I use extends FormRequest in the "FormRequest" file it works as expected, but not if I extend off the Request.php which extends off FormRequest.

If that makes sense.

movepixels's avatar

Using dd('here');

class UpdateBioRequest extends Request //Request extends FormRequest
{
  public function authorize()
  {
    \Log::info('DD BELOW');
    dd('here');

  }
...
}

These are all AJAX requests. Results in: [2019-09-27 11:05:43] local.INFO: DD BELOW

And that's it. Dev tools shows 200 OK, but no response or anything on submit.

movepixels's avatar

Oddly enough this semi-works

class UpdateBioRequest extends Request
{


  public function authorize()
  {
    return false;
  }
}

Request.php has the callback for when authorize() fails, failedAuthorization:

public function failedAuthorization() {

    \Log::info('failedAuthorization');

    $response = array(
        'message' => array(
            'title' => 'Security Alert',
            'text' => 'You have attempted to perform or access something you do not have permission for.')
    );

    return response()->json($response, 403);

}

Log shows [2019-09-27 11:12:54] local.INFO: failedAuthorization

But the request continues to process the request as normal. No 403, no json response.

So still hoping for some ideas / suggestions.

Thanks

Snapey's avatar

Seems confusing to call your extension Request? Why don't you call it something else to save confusion?

movepixels's avatar

Ok I did just that.

Now called BaseRequest.php

class UpdateBioRequest extends BaseRequest
{
  public function authorize()
  {
    \Log::info('DD BELOW');
    dd('here');
    // return false;
  }
}

Same result. Log shows: [2019-09-27 15:58:20] local.INFO: DD BELOW and nothing else.

Dev tools shows the same 200 OK, but no response.

If I change public function authorize() to simply return false, the log shows the same as earlier with [2019-09-27 16:01:52] local.INFO: failedAuthorization as it's hitting that method in BaseRequest, but even though it's set to return a 403 the UpdateBioRequest still continues on with the request.

movepixels's avatar

This is the BaseRequest that my requests now extend off of, with everything but failedAuthorization removed:

<?php 

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;


abstract class BaseRequest extends FormRequest {

  public function failedAuthorization() {

    \Log::info('failedAuthorization'); // get logged if child request authorize() returns false
      
      $response = array(
        'message' => array(
          'title' => 'Security Alert',
          'text' => 'You have attempted to perform or access something you do not have permission for.')
        );
        
      return response()->json($response, 403);

  }
}
movepixels's avatar

I just stuck with my original setup and when I use authorize() in specific requests I needed to add in:

public function failedAuthorization() {
    parent::failedAuthorization();
}

And just throw my own Exception for this situation to throw a 403 error

I found a comment somewhere on a forum where they say what I was getting, error thrown yet controller keeps going.

"I noticed if you throw AuthorizationException($message) in a policy using Laravel's exception it jumps you out of the policy, but continues execution in the controller, "
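
Added example, not code from the thread or from Laravel itself: the framework calls failedAuthorization() and discards its return value, so an override has to throw to stop the request, and HttpResponseException (already imported in the BaseRequest posted above) delivers the same JSON 403 to the client. The log context fields are assumptions chosen for illustration.

```php
<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\Exceptions\HttpResponseException;

abstract class BaseRequest extends FormRequest
{
    /**
     * Runs when a child request's authorize() returns false.
     *
     * The framework does not use this method's return value, so returning
     * a response here lets the request fall through to validation and the
     * controller. Throwing is what actually stops it.
     */
    protected function failedAuthorization()
    {
        // Context fields are illustrative; log whatever your audit trail needs.
        \Log::warning('failedAuthorization', [
            'user_id' => optional($this->user())->id,
            'path'    => $this->path(),
        ]);

        // Same payload as the thread's BaseRequest, wrapped in an exception
        // so the 403 is sent and the controller action never runs.
        throw new HttpResponseException(response()->json([
            'message' => [
                'title' => 'Security Alert',
                'text'  => 'You have attempted to perform or access something you do not have permission for.',
            ],
        ], 403));
    }
}
```

A feature test that posts as an unauthorized user and asserts a 403 status catches this kind of fail-open override before it ships.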
