Hi @mystic, please show us your policy and the controller where you check permissions.
Unauthorized action
I am a beginner with Laravel. I am working on policies. I created different profiles for different users. They can all update their profiles, but I realised there was a security breach, so I decided to use a policy so that only users whose id is equal to their profile's user_id can update their profile. Now each time a registered user signs in to their account and tries to update their profile, they keep getting an unauthorized action exception. Please help me, how can I solve this?
For my policy, this is it:
class ProfilePolicy {
    // Only the profile's owner may update it
    public function update(User $user, Profile $profile) {
        return $user->id === $profile->user_id;
    }
}
And my ProfileController looks like this:
class ProfileController extends Controller {
    // {user} is resolved by route-model binding, so $user is already a User model;
    // looking it up again with findOrFail() is not needed
    public function edit(User $user) {
        $this->authorize('update', $user->profile);
        return view('profile.edit', [
            'user' => $user
        ]);
    }
}
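The same controller and policy written the way I would hand them to a beginner, added here as an example and not code from the original post. It assumes a Laravel 6 app with the default `App\User`, `App\Profile` and `App\Policies\ProfilePolicy` classes, a route such as `Route::get('/profile/{user}/edit', 'ProfileController@edit')`, a route named `profile.edit`, and that the profile form posts `title` and `description`; the `abort(404)` when no profile row exists is my choice and not something the thread prescribes.

```php
<?php
// Added example, not the original poster's code. Two files shown with
// bracketed namespaces so they fit in one listing; in a real app they live in
// app/Policies/ProfilePolicy.php and app/Http/Controllers/ProfileController.php.

namespace App\Policies {

    use App\Profile;
    use App\User;
    use Illuminate\Auth\Access\HandlesAuthorization;

    class ProfilePolicy
    {
        use HandlesAuthorization;

        // Only the owner of a profile may update it. Casting both sides to int
        // keeps the comparison strict while tolerating a user_id that a database
        // driver hands back as a string.
        public function update(User $user, Profile $profile): bool
        {
            return (int) $user->id === (int) $profile->user_id;
        }
    }
}

namespace App\Http\Controllers {

    use App\User;
    use Illuminate\Http\Request;

    class ProfileController extends Controller
    {
        // {user} is resolved by route-model binding, so $user is already a User
        // instance; there is no need to call User::findOrFail() on it again.
        public function edit(User $user)
        {
            $profile = $this->profileOf($user);
            $this->authorize('update', $profile);

            return view('profile.edit', ['user' => $user]);
        }

        public function update(Request $request, User $user)
        {
            $profile = $this->profileOf($user);
            $this->authorize('update', $profile);

            $data = $request->validate([
                'title'       => ['required', 'string', 'max:255'],
                'description' => ['nullable', 'string'],
            ]);

            // Only validated fields reach the model, and user_id is deliberately
            // not among them, so a request body cannot re-assign the profile's owner.
            $profile->update($data);

            return redirect()->route('profile.edit', $user);  // assumed route name
        }

        // A freshly registered user whose profile row was never created has
        // $user->profile === null. authorize() with a null model never reaches
        // ProfilePolicy::update and simply denies, which is one way to see
        // "This action is unauthorized." while a dd() inside the policy never fires.
        // Failing with a 404 here makes that case visible instead of masking it.
        private function profileOf(User $user)
        {
            return $user->profile ?? abort(404, 'Profile not found');
        }
    }
}
```

The `profileOf()` helper is the part worth keeping even if everything else differs: authorizing against `null` is indistinguishable from a policy that denied, so surfacing the missing row separately is what tells you whether the policy or the data is at fault.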
I would advise watching https://laracasts.com/series/laravel-6-from-scratch
He has several free videos on authentication and authorization (policies and gates).
ok
@mystic if it's related to newly registered users, possibly the profile does not exist yet?
ok thanks
but I already have a function that creates a profile for each newly registered user:
protected static function boot() {
    parent::boot();
    // Create a profile as soon as the user row is inserted
    static::created(function ($user) {
        $user->profile()->create([
            'title' => $user->username,
        ]);
    });
}
@mystic hmm...
- Did you check in the database that the profile really was created after registration?
- Try updating your policy to a non-strict comparison (possibly something is wrong with type casting...):
public function update(User $user, Profile $profile) {
    return $user->id == $profile->user_id;
}
If it still does not work, try dumping the data here:
public function update(User $user, Profile $profile) {
    dd($user, $profile);
    return $user->id === $profile->user_id;
}
and show us your output.
I have dd'd the data, but it seems it never gets to call the update method in the policy class, as I got no response.... it was still showing the action unauthorized exception.
Also I checked the database to see if the profile was created.... and I saw a table for the profile, but what baffles me is that the database name does not list the name of this table unless I click on it.... but it lists all the other table names as a drop-down.. and in my view I am also using a value I saved in the profile table when the user registers, and it shows the value in the view..
@mystic If the policy method is never called, possibly you do not follow the directory structure for the model and policy (so it was not discovered automatically). Can you give the full class name (with namespace) of your model and policy?
The policy class:
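One way to take auto-discovery out of the picture, added here as an example and not a file from the original thread: register the policy explicitly in `AuthServiceProvider`. It assumes the default Laravel 6 layout (`App\Profile`, `App\Policies\ProfilePolicy`, `app/Providers/AuthServiceProvider.php`); the `$policies` property and `registerPolicies()` are the framework's own mechanism.

```php
<?php
// app/Providers/AuthServiceProvider.php -- added example, not the poster's file.
// Laravel 6 auto-discovery only finds a policy at
// <model namespace>\Policies\<ModelBasename>Policy, i.e. App\Policies\ProfilePolicy
// for App\Profile. Mapping the classes here works regardless of where they live.

namespace App\Providers;

use App\Policies\ProfilePolicy;
use App\Profile;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    // Model class => policy class; registerPolicies() reads this map.
    protected $policies = [
        Profile::class => ProfilePolicy::class,
    ];

    public function boot()
    {
        $this->registerPolicies();
    }
}
```

To confirm which policy (if any) the gate resolves, `Gate::getPolicyFor(App\Profile::class)` in `php artisan tinker` returns the policy instance, or `null` when nothing is registered or discovered; a `null` there explains a policy method that is never reached.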
namespace App\Policies;

use App\User;
use App\Profile;
use Illuminate\Auth\Access\HandlesAuthorization;

class ProfilePolicy
{
    use HandlesAuthorization;

    public function update(User $user, Profile $profile) {
        return $user->id === $profile->user_id;
    }
}
Also, the Model class looks like this:
namespace App;

use Illuminate\Database\Eloquent\Model;

class Profile extends Model
{
    protected $fillable = ['title', 'description', 'image'];

    public function user() {
        return $this->belongsTo(User::class);
    }

    // Path of the uploaded image, or the default avatar when none was uploaded
    public function profileImage() {
        if ($this->image) {
            return '/storage/' . $this->image;
        } else {
            return '/storage/profile/DkOHCbAYaHjML0u16H3ulFFIGNeRUp6Vy0yNwJfr.png';
        }
    }
}
I just found out that there is no user_id in my Profile model's $fillable array, while there is a user_id column in the profile table in the database...... anyway, I would expect this to throw a mass assignment error if it was responsible for the problem..... could this be the problem?
I think it's not a problem, because you create the profile via the relation. By the way, you can look in the database and check whether user_id is filled for newly registered users.