
loom:

Trying to understand API policies and updating between Laravel versions

I'm upgrading a Laravel 5.1 project written 5 years ago by another developer to Laravel 6. There are some API authentication issues and I don't fully understand Policies. There is the following for a PUT update:

// FormRequest::authorize(): the first element of the array is the
// policy subject; the rest are passed as extra arguments to the policy method.
public function authorize()
{
	return $this->user()->can('update', [$this->route('event'), $this->request]);
}

I'm having trouble finding clear documentation but am I correct in understanding that can() will be calling the update() method in the associated policy? Here is the policy:

// EventPolicy::update(): $user is injected by the Gate, $event and
// $requestParams are the two elements of the array passed to can().
public function update(User $user, Event $event, ParameterBag $requestParams)
{
	return ! $event->eventType->isLocked() &&
		$this->eventModificationAuthorized($user, $event, $requestParams) &&
		$this->subModificationAuthorized($user, $requestParams);
}

Initial problem is that the policy never gets called. I get an immediate 403 Forbidden. If I pass the Event model instance as the second arg in can() it will get to the policy where there are some other issues down the rabbit hole. It seems that in the Laravel 5.1 version the $event is a model instance through route model binding while it is not happening in Laravel 6.

Any insight would be great.

loom:

An issue that I have found concerning the Event model is that:

Laravel 6:

When using WEB authentication $this->route('event') returns an Event model. When using API authentication $this->route('event') returns an Event Id.

Laravel 5.1: Both return an Event Model.

Both routes have 'event' as an id. Web and API controllers are using the same trait calling $this->route('event').

Why would this be?

loom (OP), Best Answer:

Looks like adding 'bindings' to the API middleware in api.php may have resolved this.

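The following is an added example, not code from the original poster's project. It shows why the 403 appears before the policy runs and what the accepted answer's fix looks like in a stock Laravel 6 application: the Gate chooses the policy from the class of the first argument passed to can(), so when SubstituteBindings has not run on the api route group, $this->route('event') is a plain id string, no policy matches it, and the check is denied without EventPolicy::update() ever being reached. The class and route names (App\Event, EventPolicy, UpdateEventRequest, the events/{event} route) are assumptions for the illustration; SubstituteBindings and the 'bindings' alias are Laravel's own.

```php
<?php
// app/Http/Kernel.php (excerpt, assumed stock Laravel 6 layout)
namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $middlewareGroups = [
        'web' => [
            // ... session, CSRF, etc.
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        'api' => [
            'throttle:60,1',
            // Without this line route parameters stay raw strings on API
            // routes and $this->route('event') is an id, not an Event model.
            'bindings',
        ],
    ];

    protected $routeMiddleware = [
        // ... other aliases
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ];
}

// routes/api.php (excerpt, assumed): the {event} parameter name must match
// the name used in $this->route('event') and the policy's type-hinted Event.
// Route::put('events/{event}', 'EventController@update');

// app/Http/Requests/UpdateEventRequest.php (assumed name)
namespace App\Http\Requests;

use App\Event;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Log;

class UpdateEventRequest extends FormRequest
{
    public function authorize()
    {
        $event = $this->route('event');

        // Fail closed, but make the failure diagnosable: a silent 403 here
        // usually means binding did not run for this route group.
        if (! $event instanceof Event) {
            Log::warning('Route model binding did not resolve {event}', [
                'value' => $event,
                'route' => optional($this->route())->getName(),
            ]);

            return false;
        }

        // The Gate resolves EventPolicy from get_class($event) and calls
        // EventPolicy::update($user, $event, $this->request).
        return $this->user()->can('update', [$event, $this->request]);
    }
}
```

The instanceof guard does not change the outcome (the request is still rejected), but it turns an unexplained 403 into a log line that names the unresolved parameter, which is what was missing while debugging the upgrade.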