I have a policy that checks if the authenticated user can delete a consultant.

Unfortunately, the response is always unauthorised, and I'm unsure why!

Policy function (ClinicConsultantPolicy):

    public function delete(User $user, Consultant $consultant)
    {
        // Allow the delete only when the consultant belongs to the
        // authenticated user's clinic.
        $consultant_clinic_id = $consultant->clinic_id;

        return $user->clinic->id === $consultant_clinic_id;
    }

Controller calling the above function (ClinicConsultantController):

    public function destroy($id)
    {
        // findOrFail() returns a 404 for an unknown id instead of handing
        // null to the policy, which would never match a Consultant policy.
        $consultant = Consultant::findOrFail($id);

        // Throws AuthorizationException (403) when the policy returns false.
        $this->authorize('delete', $consultant);

        // Reuse the model already loaded rather than querying it a second time.
        $consultant->delete();

        return redirect('clinic/consultants');
    }

If I output the two variables the policy is trying to match (user's clinic ID and the consultant's clinic id), both are equal to 2.

However, clearly one of them is either not 2, or perhaps undefined, when it reaches the policy, but I'm unsure why. Many thanks for your help.

  • Have you registered the policy? Try adding `dd($user->clinic->id, $consultant->clinic_id)` in the delete policy to verify it's being called and to check the values. – Sandeesh Jun 02 '17 at 17:53
  • You were quite right, I forgot to register the policy! Such an oversight! Many thanks @Sandeesh. –  Jun 03 '17 at 10:47
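
The fix the comments arrive at, shown as an added example rather than code from the question or answer: mapping the model to its policy in AuthServiceProvider. When no policy is registered for Consultant, $this->authorize('delete', $consultant) has nothing to resolve and Laravel denies the action with a 403 regardless of the clinic ids. The App\Consultant and App\Policies\ClinicConsultantPolicy namespaces are assumed.

```php
<?php

// Added example (not from the question or answer). Namespaces are assumed.
namespace App\Providers;

use App\Consultant;
use App\Policies\ClinicConsultantPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * Model-to-policy map consulted by the Gate.
     *
     * Without the entry below, authorize('delete', $consultant) finds no
     * policy for Consultant and no ability named "delete", so the Gate
     * falls back to a callback that always returns false, producing
     * "This action is unauthorized." even when the policy method itself
     * would have returned true. ClinicConsultantPolicy::delete() is never
     * called in that case, which is why dd() inside it shows nothing.
     */
    protected $policies = [
        Consultant::class => ClinicConsultantPolicy::class,
    ];

    /**
     * Register the policies with the Gate.
     */
    public function boot()
    {
        $this->registerPolicies();
    }
}
```

A quick check that registration took effect is to run `Gate::getPolicyFor(new App\Consultant)` in `php artisan tinker`, which returns a ClinicConsultantPolicy instance when the mapping is present and null when it is not.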

1 Answer

To me it looks like a model relationship issue when calling $user->clinic->id. It would be very helpful if you would provide the relationship implementation. I can only suggest writing $user->clinic()->first()->id if your relationship is set as one to many. Cheers