Vapor uploads can't pass optional ?User to Gate, bug or intentional?
The /vapor/signed-storage-url for file uploads in Vapor core authorizes like so:
// Laravel\Vapor\Http\Controllers\SignedStorageUrlController.php
Gate::authorize('uploadFiles', [
    $request->user(),
    $bucket = $request->input('bucket') ?: $_ENV['AWS_BUCKET'],
]);
When an unauthenticated user (guest) calls this, it will always fail before getting to the UserPolicy. So you can't pass ?User to the uploadFiles() method.
I am curious if this is a bug or intentional? I guess allowing guests access to a file upload endpoint is bad practice, so maybe it's intentional??
If anyone comes across this in the future:
You cannot pass an optional ?User to the UserPolicy, which makes sense.
The problem is that Vapor enforces the User Policy.
So for Vapor users that want guest uploads, you can either:
- handle the upload to S3 yourself (don't use vapor-js package).
- extend and overwrite the SignedStorageUrlController@store method
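
A sketch of the first option above (signing the S3 upload yourself) with a gate that guests can reach, as an added example that is not from the original posts or from Vapor's code. The `guestUpload` ability, the `uploads.allow_guests` config key, the route path, the `guest-tmp/` key prefix and the allowed content types are hypothetical; it assumes a Laravel app with the AWS SDK for PHP installed and the default `filesystems.disks.s3` config.

```php
<?php
// Added example (not Vapor's code). Hypothetical names: the 'guestUpload'
// ability, the uploads.allow_guests config key, the route path and key prefix.

use App\Models\User;
use Aws\S3\S3Client;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// Register in a service provider's boot(). The nullable ?User parameter is
// what lets the Gate run this closure when nobody is logged in.
Gate::define('guestUpload', function (?User $user) {
    return $user !== null || (bool) config('uploads.allow_guests', false);
});

// routes/web.php: rate-limited, since anonymous callers can reach it.
Route::post('/guest/signed-upload-url', function (Request $request) {
    Gate::authorize('guestUpload');

    // Only accept content types the application expects from guests.
    $data = $request->validate([
        'content_type' => ['required', 'in:image/png,image/jpeg,application/pdf'],
    ]);

    // Bucket and key are chosen server-side, never taken from the request.
    $bucket = config('filesystems.disks.s3.bucket');
    $key = 'guest-tmp/' . Str::uuid();

    $client = new S3Client([
        'version' => 'latest',
        'region' => config('filesystems.disks.s3.region'),
    ]);

    $command = $client->getCommand('PutObject', [
        'Bucket' => $bucket,
        'Key' => $key,
        'ContentType' => $data['content_type'],
    ]);

    // Short expiry limits how long a leaked URL stays usable.
    $signed = $client->createPresignedRequest($command, '+5 minutes');

    return response()->json([
        'url' => (string) $signed->getUri(),
        'key' => $key,
        'headers' => ['Content-Type' => $data['content_type']],
    ], 201);
})->middleware('throttle:10,1');
```

The browser then sends a PUT to `url` with the returned `Content-Type` header, since that header is part of the signature.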