A very quick update to help anyone else who comes across this issue.
When using a Laravel resource controller with a Policy targeting the User::class model, it's incredibly important to update $this->authorizeResource(...) to use the name of the policy attribute rather than the name of the controller attribute.
An example is given below.
Do not do the following if you're implementing a UserPolicy.php. This is dangerous as it's the default in the Laravel docs:

    class UserController extends Controller
    {
        /**
         * Create the controller instance.
         *
         * @return void
         */
        public function __construct()
        {
            // Second argument as given in the Laravel docs.
            $this->authorizeResource(User::class, 'user');
        }
    }

    class UserPolicy
    {
        use HandlesAuthorization;

        // $user is the authenticated user, $model is the user being viewed.
        public function view(User $user, User $model)
        {
            return $user->uuid === $model->uuid ||
                $user->isAdmin();
        }
    }

Instead, use the following. This is because your Policy's target model is labelled User $model instead of User $user:

    class UserController extends Controller
    {
        /**
         * Create the controller instance.
         *
         * @return void
         */
        public function __construct()
        {
            // Second argument matches the policy's User $model parameter.
            $this->authorizeResource(User::class, 'model');
        }
    }

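A feature test that catches a mis-wired authorizeResource call by checking that UserPolicy::view() is actually enforced on the show route. This is an added example, not code from the original post. It assumes the controller is registered with Route::resource('users', UserController::class), that the model lives at App\Models\User with a factory that creates non-admin users by default, and that the show action returns a 200 response when access is allowed.

```php
<?php

namespace Tests\Feature;

use App\Models\User; // Assumption: model namespace, not shown in the post.
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UserPolicyWiringTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_can_view_own_record(): void
    {
        // Assumption: the factory creates a non-admin user by default.
        $owner = User::factory()->create();

        // The uuid comparison in UserPolicy::view() should allow this.
        $this->actingAs($owner)
            ->get(route('users.show', $owner))
            ->assertOk();
    }

    public function test_user_cannot_view_another_users_record(): void
    {
        $owner = User::factory()->create();
        $other = User::factory()->create();

        // If the policy is not applied to the requested record,
        // this request succeeds instead of returning 403.
        $this->actingAs($owner)
            ->get(route('users.show', $other))
            ->assertForbidden();
    }
}
```

Run it with php artisan test against both versions of the constructor; the second test is the one that shows whether the policy is being applied to the requested record.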
Hopefully it saves someone an hour or more ❤️