
JeroenKg

Transferring authorization tests to Nova

We are currently moving over to using Nova from an older Laravel application. This application manages users.

This application framework is only accessible to users who have the superadmin role. Previously we would test the routes using a superadmin and a normal user to determine whether the middleware would keep the routes safe.

Now with Nova we want to replicate these tests to make sure that only superadmins have access to the back-end. To try and achieve this, the following code was written:

    Auth::login(User::where('email', '<superadmin email>')->first());

    $response = $this->withExceptionHandling()->get('/nova/resources/companies');

    $response->assertStatus(200);

The same test was written where we would try to get the following url: /nova-api/companies.

Both of these requests will return a 403 forbidden, regardless of the fact that the user that's being used is a superadmin.

It seems that the session data that should be saved after Auth::login gets lost on Nova routes.

The weird part in this is that the application works properly in the browser, but when writing tests we can't manage to reach any of the routes being logged in as a super admin.

Does anyone know how we can do a GET request on a Nova route, being logged in as a user, as shown above, to be able to test whether the logged-in user may actually access these routes?

As test results I am expecting:

  • A normal user should get either 401 unauthenticated or 403 forbidden.
  • A superadmin should get a 200 OK.
francoboy7

Hey guys, not sure if that will help, but in NovaServiceProvider.php you've got the gate function. I changed it to:

    protected function gate()
    {
        Gate::define('viewNova', function ($user) {
            return true;
        });
    }

This is set to true to allow any user to access the dashboard (I then restrict resource access via the Resource file), and it also allows testing Nova (preventing the 403 forbidden).

Explanation that I've gathered: on APP_ENV local, Nova is always accessible, but when testing, APP_ENV is set to "testing". Nova then checks the gate restriction, which would normally contain a condition that checks a user's roles to make sure that the user can access Nova.

So either set your gate to true or comment out the following line in `phpunit.xml` (unsure what the impacts of doing so are on other things, though):

    <server name="APP_ENV" value="testing"/>
1 like
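
The test the question asks for, written so that the `viewNova` gate keeps a role check and is exercised under `APP_ENV=testing`. This is an added example, not code from either poster or from Nova itself. It assumes a `User` model in `App\Models` with a factory, a hypothetical `role` attribute and a hypothetical `hasRole()` method; the two request paths are the ones from the question.

```php
<?php
// Added example, not code from the thread. Assumed/hypothetical names:
// App\Models\User with a factory, a 'role' attribute, and hasRole().
//
// NovaServiceProvider::gate() keeps its role check instead of returning true:
//     Gate::define('viewNova', fn ($user) => $user->hasRole('superadmin'));

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class NovaAccessTest extends TestCase
{
    use RefreshDatabase;

    // Both paths come from the question above.
    private const NOVA_PATHS = ['/nova/resources/companies', '/nova-api/companies'];

    private function userWithRole(string $role): User
    {
        // Constructed test user; 'role' is an assumed column.
        return User::factory()->create(['role' => $role]);
    }

    public function test_superadmin_can_reach_nova(): void
    {
        $admin = $this->userWithRole('superadmin');

        foreach (self::NOVA_PATHS as $path) {
            // config('nova.guard') is null unless a dedicated guard is configured,
            // in which case actingAs() must log the user in on that guard.
            $this->actingAs($admin, config('nova.guard'))
                ->get($path)
                ->assertOk();
        }
    }

    public function test_normal_user_is_forbidden(): void
    {
        $user = $this->userWithRole('user');

        foreach (self::NOVA_PATHS as $path) {
            $this->actingAs($user, config('nova.guard'))
                ->get($path)
                ->assertForbidden();
        }
    }
}
```

Because the gate is evaluated in the testing environment, the second test fails if the gate is ever loosened to admit every authenticated user.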
