Hi, I'm a total beginner in Laravel, so please bear with me. I however have a question. Trying to get assets from the index method on the AssetController, while authorizing the "viewAny" method from the AssetPolicy on the index method. Here is the error I'm getting in Postman:
```
"message": "This action is unauthorized.",
"exception": "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException",
```
My AssetController:
```
public function index(Request $request, Tenant $tenant, User $user, Asset $asset)
{
    $this->authorize('viewAny', $user, Asset::class);
    $user = Auth::User();
    return ['data' => $user->assets];
}
```
Here is my AssetPolicy:
```
public function viewAny(User $user)
{
    $current_tenant = tenant();
    return $user->isAbleTo('manage-users', $current_tenant);
}
```
PS: I'm getting an Asset when I comment out this line in the index method:
```
$this->authorize('viewAny', $user, Asset::class);
```
The second argument should be the class you want to authorize. And it automatically adds the current user:
```
$this->authorize('viewAny', Asset::class);
```
@Sinnbeck Unfortunately I tried that and it didn't work.
@silentviolent can you show the whole AssetPolicy? Format your code by adding ``` on the line before and after your code
@silentviolent did you register the policy? https://laravel.com/docs/9.x/authorization#registering-policies
@Sinnbeck Yes I registered the policy. Showing the whole AssetPolicy shortly.
```
<?php

namespace App\Policies;

use App\Asset;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class AssetPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\User  $user
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function viewAny(User $user)
    {
        $current_tenant = tenant();
        return $user->isAbleTo('manage-users', $current_tenant);
    }

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\User  $user
     * @param  \App\Asset  $asset
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function view(User $user, Asset $asset)
    {
        $current_tenant = tenant();
        if ($user->isAbleTo('manage-users', $current_tenant) || $asset->owner->id === $user->id) {
            return true;
        }
        return false;
    }

    /**
     * Determine whether the user can create models.
     *
     * @param  \App\User  $user
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function create(User $user)
    {
        return $user->tenant->id === tenant()->id;
    }

    /**
     * Determine whether the user can update the model.
     *
     * @param  \App\User  $user
     * @param  \App\Asset  $asset
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function update(User $user, Asset $asset)
    {
        $current_tenant = tenant();
        if ($user->isAbleTo('manage-users', $current_tenant) || $asset->owner->id === $user->id) {
            return true;
        }
        return false;
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\User  $user
     * @param  \App\Asset  $asset
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function delete(User $user, Asset $asset)
    {
        $current_tenant = tenant();
        if ($user->isAbleTo('manage-users', $current_tenant) || $asset->owner->id === $user->id) {
            return true;
        }
        return false;
    }

    /**
     * Determine whether the user can restore the model.
     *
     * @param  \App\User  $user
     * @param  \App\Asset  $asset
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function restore(User $user, Asset $asset)
    {
        $current_tenant = tenant();
        return $user->isAbleTo('manage-users', $current_tenant);
    }

    /**
     * Determine whether the user can permanently delete the model.
     *
     * @param  \App\User  $user
     * @param  \App\Asset  $asset
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function forceDelete(User $user, Asset $asset)
    {
        //
    }
}
```
@silentviolent what if you just return true?
```
public function viewAny(User $user)
{
    return true;
}
```
@Sinnbeck still getting the same error when I just return true.
```
"message": "This action is unauthorized.",
"exception": "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException",
"file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
"line": 379,
```
@silentviolent apart from the first mistake, it looks correct. Can you show how you registered it?
And do you have any interceptions? https://laravel.com/docs/9.x/authorization#intercepting-gate-checks
```
class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        Application::class => ApplicationPolicy::class,
        User::class => UserPolicy::class,
        Chat::class => ChatPolicy::class,
        Message::class => MessagePolicy::class,
        JobProfile::class => JobProfilePolicy::class,
        Asset::class => AssetPolicy::class,
    ];

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();
        //
    }
}
```
I don't have any interceptions. Also other methods on the AssetController are working apart from the index one.
@silentviolent what version of laravel are you using? Do you use viewAny on any of your other policies?
Can you also show the controller after you cleaned it up?
@Sinnbeck I'm using laravel 8. Below is the rest of the controller.
```
<?php

namespace App\Http\Controllers;

use App\Asset;
use App\Http\Requests\StoreAssetRequest;
use App\Http\Requests\UpdateAssetRequest;
use App\User;
use App\Tenant;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AssetController extends Controller
{
    /**
     * Display a listing of the resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function index(Request $request, Tenant $tenant, User $user, Asset $asset)
    {
        $this->authorize('viewAny', $user, Asset::class);
        $user = Auth::User();
        return ['data' => $user->assets];
    }

    /**
     * Show the form for creating a new resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function create()
    {
        //
    }

    /**
     * Store a newly created resource in storage.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function store(StoreAssetRequest $request, Tenant $tenant, User $user, Asset $asset)
    {
        $this->authorize('create', Asset::class);
        $validated = $request->validated();
        $validated['tenant_id'] = $tenant->id;
        $validated['owner_id'] = auth()->user()->id;
        $validated['assignee_id'] = $user->id;
        return [
            'data' => $asset->create($validated),
        ];
    }

    /**
     * Display the specified resource.
     *
     * @param  \App\Asset  $asset
     * @return \Illuminate\Http\Response
     */
    public function show(Request $request, Tenant $tenant, User $user, Asset $asset)
    {
        $this->authorize('view', $user, Asset::class);
        return ['data' => $asset];
    }

    /**
     * Show the form for editing the specified resource.
     *
     * @param  \App\Asset  $asset
     * @return \Illuminate\Http\Response
     */
    public function update(UpdateAssetRequest $request, Tenant $tenant, User $user, Asset $asset)
    {
        $this->authorize('update', $user, Asset::class);
        $validated = $request->validated();
        return [
            'data' => $asset->update($validated),
        ];
        return ['data' => $asset];
    }

    /**
     * Remove the specified resource from storage.
     *
     * @param  \App\Asset  $asset
     * @return \Illuminate\Http\Response
     */
    public function destroy(Request $request, Tenant $tenant, User $user, Asset $asset)
    {
        $this->authorize('delete', $user, Asset::class);
        $asset->delete();
        return response()->noContent();
    }
}
```
@silentviolent you never removed $user?
```
$this->authorize('viewAny', Asset::class);
```
Just a tip. No need to inject what you don't need:
```
public function index(Request $request)
{
    $this->authorize('viewAny', Asset::class);
    $user = Auth::User();
    return ['data' => $user->assets];
}
```
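To make the rule Sinnbeck states concrete, here is a small stand-alone model of how the Gate picks a policy. It is an added illustration, not code from the thread or from the Laravel framework, and the User, Asset, UserPolicy and AssetPolicy classes in it are constructed stand-ins for the poster's App\User, App\Asset and policies (the UserPolicy rules are hypothetical, since that file is never shown). It needs PHP 8.0 or newer. The point it demonstrates: the policy is resolved from the first argument after the ability name, so `authorize('viewAny', $user, Asset::class)` is answered by UserPolicy, which is why AssetPolicy::viewAny returning true changed nothing. The same pattern is still present in the posted show(), update() and destroy(), where it means the owner check written in AssetPolicy is never the one consulted, so the "working" methods are worth re-checking for the same reason.

```php
<?php
// Added illustration (not Laravel source): a minimal model of how the Gate
// selects a policy. All classes and values below are constructed for the demo.
declare(strict_types=1);

namespace Demo;

class User
{
    public function __construct(public int $id, public bool $manager = false) {}
}

class Asset
{
    public function __construct(public int $id, public int $ownerId) {}
}

// Hypothetical stand-in for the poster's (unseen) UserPolicy.
class UserPolicy
{
    public function viewAny(User $user): bool
    {
        return false;                       // nobody may list users
    }

    public function view(User $user, User $target): bool
    {
        return $user->id === $target->id;   // only your own profile
    }
}

// Stand-in for AssetPolicy with the thread's owner-or-manager rule.
class AssetPolicy
{
    public function viewAny(User $user): bool
    {
        return true;
    }

    public function view(User $user, Asset $asset): bool
    {
        return $user->manager || $asset->ownerId === $user->id;
    }
}

class Gate
{
    /** @var array<class-string, class-string> same shape as $policies in AuthServiceProvider */
    private array $policies = [
        User::class  => UserPolicy::class,
        Asset::class => AssetPolicy::class,
    ];

    public function __construct(private User $current) {}

    /** The policy is chosen from the FIRST argument after the ability name. */
    public function policyFor(mixed $subject): ?string
    {
        if (is_object($subject)) {
            $subject = $subject::class;
        }
        return is_string($subject) ? ($this->policies[$subject] ?? null) : null;
    }

    /** Returns the policy class that granted the ability; throws otherwise. */
    public function authorize(string $ability, mixed ...$arguments): string
    {
        $policyClass = $this->policyFor($arguments[0] ?? null);
        if ($policyClass === null) {
            throw new \RuntimeException('This action is unauthorized. (no policy matched)');
        }
        // A class-name first argument only selects the policy and is dropped;
        // a model instance is passed through to the policy method.
        if (is_string($arguments[0])) {
            array_shift($arguments);
        }
        $policy = new $policyClass();
        // A missing method yields null, which the Gate treats as a denial.
        $result = method_exists($policy, $ability)
            ? $policy->{$ability}($this->current, ...$arguments)
            : null;
        if ($result !== true) {
            throw new \RuntimeException("This action is unauthorized. (answered by {$policyClass}::{$ability})");
        }
        return $policyClass;
    }
}

function report(Gate $gate, string $label, string $ability, mixed ...$arguments): string
{
    try {
        return "$label: granted by " . $gate->authorize($ability, ...$arguments);
    } catch (\RuntimeException $e) {
        return "$label: " . $e->getMessage();
    }
}

$alice     = new User(1);               // the authenticated user
$bob       = new User(2);
$gate      = new Gate($alice);
$bobsAsset = new Asset(10, $bob->id);   // owned by someone else

echo report($gate, 'index() as posted', 'viewAny', $alice, Asset::class), PHP_EOL;
echo report($gate, 'index() fixed    ', 'viewAny', Asset::class), PHP_EOL;
echo report($gate, 'show() as posted ', 'view', $alice, Asset::class), PHP_EOL;
echo report($gate, 'show() fixed     ', 'view', $bobsAsset), PHP_EOL;
```

Run it with `php demo.php`. The first line is denied by Demo\UserPolicy::viewAny, the second is granted by Demo\AssetPolicy; the third is granted by Demo\UserPolicy::view without any asset ever being looked at, while the fourth, passing the Asset instance as Laravel's docs describe, is denied by Demo\AssetPolicy::view because Alice is neither a manager nor the owner. In the real application the equivalent check is to confirm in a feature test that a non-owner receives a 403 from show(), update() and destroy().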
@Sinnbeck Oh alright, I put it back after testing and it failed but I got it. Thanks for the tip.