1
votes

I see the very same problem here: Laravel policies : code change is ignored. Is there any policy cache to clear? and here: Laravel Policy bug

I'm writing a new policy, the easiest one, over model User to check if the logged user is the same user in the database so he can edit his profile, so...

I create the policy file:

> php artisan make:policy UserPolicy

I register the policy in AuthServiceProvider.php:

...
protected $policies = [
    // 'App\Model' => 'App\Policies\ModelPolicy',
    User::class => UserPolicy::class,
];
...

In UserPolicy.php I create the edit function:

public function edit(User $authUser, User $user) {
    return $authUser->id === $user->id;
}

In UserController.php I have edit:

public function edit($id)
{
    //
    $user     = User::findOrFail($id);

    $this->authorize($user);

    return view('user.edit', compact('user'));
}

See something wrong? Me neither, because it worked... the first time. Then I wanted to change the policy, the User model has a level attribute, 1 for normal users, 5 for admins, 99 for superuser and so on. So I wanted that the admins or superuser would be able to change the user data, so I rewrote the UserPolicy.php's edit function as:

public function edit(User $authUser, User $user) {
    return ($authUser->id === $user->id) || ($user->level > 1);
}

Of course I made a mistake here, I should've checked for $authUser and not $user. When I checked in the browser, the function returned false, and the server gave me a 403 This action is unauthorized., which is okay. Now the weird thing. I correct the function:

public function edit(User $authUser, User $user) {
    return ($authUser->id === $user->id) || ($authUser->level > 1);
}

it returns 403...

public function edit(User $authUser, User $user) {
    return true;
}

It returns 403...

I delete the function from the file... It returns 403...

I delete the register from AuthServiceProvider... It returns 403...

No, I'm not using Gates, or some other thing, the Laravel app is almost virgin. I have had this problem in the past, that came out of the blue, and went the same way as it came. I have no idea where to look for, what to look for... I thought that would be some interaction that I didn't grasp, so I wanted to start with the policies from the beginning of this project.

EDIT: This is even more absurd... If I check using can() in tinker, this /#&)"# thing does what it is supposed to do:

> php artisan tinker
>>> $user = App\User::find(1)
>>> $user->can('edit', $user)
true
>>> $user2 = App\User::find(2)
>>> $user->can('edit', $user2)
false

So, problem is here????

$this->authorize($user);

EDIT 2: SOLVED

I swear this used to work as I posted above (at least it used to work in 5). I had to change

$this->authorize($user);

for

$this->authorize('edit', $user);

Solution came from this article

1
Let's start with simple steps. Let's clear config php artisan config:clear and cache php artisan cache:clear. Do you see any update? – Digvijay

No, still giving 403. I even reverted to a previous branch on git, wrote it all again from scratch and it is still giving 403 – luisfer

In this second time I'm just returning "true" – luisfer

Try to add a Log::info() to your policy method. Just to make sure that at least it is being called. – Digvijay

Strange thing is, as I said, it worked as intended the first time, so I guess it was called, but the next times, even when I deleted the method and the registry, it still gave me false (403); it was not until I completely deleted UserPolicy.php that the program broke and told me the file was missing – luisfer

1 Answer

0
votes

I swear this used to work as I posted above (at least it used to work in 5). I had to change

$this->authorize($user);

for

$this->authorize('edit', $user);

Solution came from this article
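To make the two points of this thread concrete (the policy is looked up by an explicit ability name, and the level check must be made on the acting user, not the target), here is an added, self-contained PHP 8 example. It is not the asker's code and not Laravel's own Gate; MiniGate is a deliberately simplified stand-in for Laravel's policy dispatch, and the User and UserPolicy classes are constructed for this example so it runs without a Laravel install.

```php
<?php
// Added example, not from the question or from Laravel itself.
// Requires PHP 8.0+ (constructor promotion, `new` on an expression).
declare(strict_types=1);

// Constructed stand-in for App\User: only the two attributes the policy needs.
final class User
{
    public function __construct(public int $id, public int $level) {}
}

// Same shape as the policy in the question: the authenticated user comes
// first, the model being acted on second.
final class UserPolicy
{
    // Correct form: a user may edit their own profile, or any profile if
    // the *acting* user is above level 1 (admin, superuser, ...).
    public function edit(User $authUser, User $user): bool
    {
        return $authUser->id === $user->id || $authUser->level > 1;
    }

    // The inverted check from the question, kept only to show its effect:
    // it lets *anyone* edit an admin, because it inspects the target's level.
    public function editInverted(User $authUser, User $user): bool
    {
        return $authUser->id === $user->id || $user->level > 1;
    }
}

// Simplified stand-in for Laravel's Gate: a model-class => policy-class map
// (like $policies in AuthServiceProvider) and dispatch by ability name.
// This is why authorize('edit', $user) resolves to UserPolicy::edit, while
// an unknown ability is denied, which surfaces as the 403 seen above.
final class MiniGate
{
    /** @var array<class-string, class-string> */
    private array $policies = [User::class => UserPolicy::class];

    public function allows(User $authUser, string $ability, object $model): bool
    {
        $policyClass = $this->policies[$model::class] ?? null;
        if ($policyClass === null) {
            return false; // no policy registered for this model: deny
        }
        $policy = new $policyClass();
        if (!method_exists($policy, $ability)) {
            return false; // unknown ability: deny by default
        }
        return (bool) $policy->$ability($authUser, $model);
    }
}

// Exercise the policy with constructed users: id 1 is a normal user,
// id 2 is an admin. Returns a map of scenario => allowed?.
function runChecks(): array
{
    $gate  = new MiniGate();
    $alice = new User(id: 1, level: 1);
    $admin = new User(id: 2, level: 5);

    return [
        'self_edit'              => $gate->allows($alice, 'edit', $alice),
        'user_edits_admin'       => $gate->allows($alice, 'edit', $admin),
        'admin_edits_user'       => $gate->allows($admin, 'edit', $alice),
        'unknown_ability'        => $gate->allows($admin, 'update', $alice),
        // Inverted check: the normal user is wrongly allowed to edit the admin.
        'inverted_user_on_admin' => $gate->allows($alice, 'editInverted', $admin),
    ];
}

$r = runChecks();
assert($r['self_edit'] === true);
assert($r['user_edits_admin'] === false);
assert($r['admin_edits_user'] === true);
assert($r['unknown_ability'] === false);
assert($r['inverted_user_on_admin'] === true); // the escalation the asker caught
echo json_encode($r, JSON_PRETTY_PRINT), PHP_EOL;
```

Run it with `php -d zend.assertions=1 example.php` so the assert() calls are evaluated. The `unknown_ability` case is the one to keep in mind when a policy silently returns 403: the ability name passed to authorize() (or to can()) must match a method on the policy, and the same test that guards the inverted level check would have caught the asker's original mistake before it reached the browser.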