Laravel Nova authorization using Policy is not working

Question

I am developing a web application using Laravel. I am using Nova for admin panel. What I am doing now is I am authorizing my resource using policies as mentioned in the documentation. But seems like it is not working. This is what I have done so far. I have created a nova resource like this.

class Item extends Resource
{
    /**
     * The model the resource corresponds to.
     *
     * @var string
     */
    public static $model = \App\Models\Item::class;

    /**
     * The single value that should be used to represent the resource when being displayed.
     *
     * @var string
     */
    public static $title = 'id';

    /**
     * The columns that should be searched.
     *
     * @var array
     */
    public static $search = [
        'id',
    ];

    /**
     * Get the fields displayed by the resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return array
     */
    public function fields(Request $request)
    {
        return [
            ID::make()->sortable(),
        ];
    }

    /**
     * Get the cards available for the request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return array
     */
    public function cards(Request $request)
    {
        return [];
    }

    /**
     * Get the filters available for the resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return array
     */
    public function filters(Request $request)
    {
        return [];
    }

    /**
     * Get the lenses available for the resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return array
     */
    public function lenses(Request $request)
    {
        return [];
    }

    /**
     * Get the actions available for the resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return array
     */
    public function actions(Request $request)
    {
        return [];
    }
}

Then I created a Laravel Model class for that resource with the name Item.

Then I created policy.

class ItemPolicy
{
    use HandlesAuthorization;

    public function viewAny(User $user)
    {
        return true;
    }

    public function view(User $user, $item)
    {
        return true;
    }


    public function create(User $user)
    {
        return false;
    }

    public function update(User $user, $item)
    {

        return false;
    }

    public function delete(User $user, $item)
    {
        return false;
    }

    public function restore(User $user, $item)
    {
        return false;
    }

    public function forceDelete(User $user, $item)
    {
        return false;
    }
}

I register the policy in the in AuthServiceProvider.

protected $policies = [

    Item::class => ItemPolicy::class,
];

When I see the list of item in the nova admin panel, I can still create the item. What is wrong? The option for creating an item should be hidden.

Double check if the class namespace is correct under `AuthServiceProvider` class. `AuthServiceProvider` doesn't throw any exception even if the model/ policy class doesn't exists. — Saumini Navaratnam, Nov 09 '18 at 09:45
@Wai Yan Hein, Have you resolved this issue? I am also getting the same problem. — Sarath TS, May 13 '20 at 06:56

score 3 · Answer 1 · answered Dec 15 '18 at 01:29

3

Add the following to your Nova resource class:

public static function authorizable()
{
    return true;
}

answered Dec 15 '18 at 01:29

mike.bronner

1,203
1
20
39

score 1 · Answer 2 · answered Jan 07 '19 at 23:20

1

Check AuthServiceProvider once again.

where you define the policy mapping array:

protected $policies = [
    Item::class => ItemPolicy::class,
];

The Item - should be your Model, not Nova Resource

answered Jan 07 '19 at 23:20

draev

126
1
5

score 0 · Answer 3 · edited Dec 30 '18 at 09:34

0

Remove the viewAny() method from the ItemPolicyPolicy class

edited Dec 30 '18 at 09:34

Bugs

4,491
9
32
41

answered Dec 30 '18 at 03:25

Massimo Simonini

365
3
7

score 0 · Answer 4 · answered May 02 '20 at 14:51

Using rolePolicy or permissionPolicy method to define policy

// in app/Providers/NovaServiceProvider.php

// ...

public function tools()
{
    return [
        // ...
        \Vyuldashev\NovaPermission\NovaPermissionTool::make()
            ->rolePolicy(RolePolicy::class)
            ->permissionPolicy(PermissionPolicy::class),
    ];
}

score 0 · Answer 5 · answered Sep 16 '20 at 20:49

0

Your registered your policy wrong

/**
 * The policy mappings for the application.
 *
 * @var array
 */
protected $policies = [
    // 'App\Model' => 'App\Policies\ModelPolicy',
    'App\Item' => 'App\Policies\ItemPolicy',
];

answered Sep 16 '20 at 20:49

keizah7

649
4
18

score -1 · Answer 6 · answered Oct 31 '18 at 23:34

-1

Maybe because you are missing model type in method arguments

Add Item $item in all methods where passing $item, like this:

public function update(User $user, Item $item)
{
    return false;
}

Also you can exclude all methods you want to be unavailable and by default them will be disabled

answered Oct 31 '18 at 23:34

r00t

468
3
10

No. I put the Type to every method. But it is still displaying the option to create. For example, I just want to hide the create option. But it is still displaying even if I returned false from the create method. – Wai Yan Hein Nov 01 '18 at 10:11

Laravel Nova authorization using Policy is not working

6 Answers6