Laravel Policies in API always 403 unauthorized

1
votes

I tried to authorize users in userController using Policies. I followed documentations and some tutorials and it doesn't seem to work anyways.

api.php

Route::resource('users', 'User\UserController', ['except' => ['create', 'edit']]);

UserController.php

namespace App\Http\Controllers\User;

use App\Http\Controllers\ApiController;
use Illuminate\Http\Request;
use App\User;
use App\Mail\UserCreated;
use App\Mail\UserEmailUpdated;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;
class UserController extends ApiController
{
  public function __construct()
  {
    $this->middleware('can:view,user')->only('show');
    //$this->middleware('can:update,user')->only('update');
    //$this->middleware('can:delete,user')->only('destroy');
  }

    public function show(User $user)
    {
        //$this->authorize('view', $user);
        return $this->showOne($user);
    }

UserPolicy.php

namespace App\Policies;

use App\User;
use App\Traits\AdminPolicyTrait;
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    public function view(User $user, User $model)
    {
        //return $user->id === $model->id
        return true;
    }
}

AuthServiceProvider.php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
use Laravel\Passport\Passport;
use Carbon\Carbon;

class AuthServiceProvider extends ServiceProvider
{

    protected $policies = [
        App\User::class => App\Policies\UserPolicy::class,
    ];

    public function boot()
    {
        $this->registerPolicies();
    }
}

Neither $this->middleware nor $this->authorize works. If I remove policy authorization from the controller, everything works fine. Also, I'm passing Personal Access token from Passport in the request and it works fine too. If I intentionally make a typo in the Policy file, the error gets thrown so the policy seems to be connected to the controller properly.

1
phplaravelauthorizationlaravel-passportpolicy
Welcome to SO ... unless you aliased the App namespace in your AuthServiceProvider you are referencing the wrong classes ... App\User::class would be referring to App\Providers\App\User, same for App\Policies\UserPolicy::classlagbox
I have app namespaces in every file, just haven't pasted them heremlotix

1 Answers

3
votes

You are most likely referencing the wrong classes there. The namespace for AutheServiceProvider is declared as App\Providers. Unless otherwise aliased all references (that are not Fully Qualified Class Names) are referenced from this namespace that is declared.

App\User::class     would be   'App\Providers\App\User'

You will need to alias the App namespace, alias these classes or use their FQCN.

use App;
...
App\User::class

Or

use App\User;
...
User::class

Or

\App\User::class

Or - less preferred (use the string for the FQCN)

'App\User'