Laravel policies always return false

Question

I have created policy, and add method view:

public function view(User $user, Contact $contact)
{
    return $user->id === $contact->manager;
}

Then I have registered it:

protected $policies = [
    'App\Model' => 'App\Policies\ModelPolicy',
    Contact::class => ContactPolicy::class,
];

And then I have tried to use it with controller helper:

public function view($id)
{
    $contact = Contact::find($id);
    $user = Auth::user();

    $this->authorize('view', $contact);

    return view('contact.edit')->with('contact', $contact);
}

And middleware:

Route::get('/contact/edit/{id}', 'EditContactController@view')->middleware('can:view,contact');

But I always get 403 error. contact->manager and user->id are the same. Also, Contact table scheme:

CREATE TABLE `contacts` (
  `id` int(11) NOT NULL,
  `first_name` varchar(25) NOT NULL,
  `last_name` varchar(25) NOT NULL,
  `email` varchar(35) NOT NULL,
  `home_phone` int(10) DEFAULT NULL,
  `work_phone` int(10) DEFAULT NULL,
  `cell_phone` int(10) DEFAULT NULL,
  `best_phone` enum('home_phone','work_phone','cell_phone') NOT NULL,
  `address_1` varchar(100) DEFAULT NULL,
  `address_2` varchar(100) DEFAULT NULL,
  `city` varchar(35) DEFAULT NULL,
  `state` varchar(35) DEFAULT NULL,
  `zip` int(6) DEFAULT NULL,
  `country` varchar(35) DEFAULT NULL,
  `birth_date` date DEFAULT NULL,
  `manager` int(11) UNSIGNED NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

You have a strict operator, are you sure the data types of id and manager are the same? — Devon Bessemer, Nov 13 '18 at 16:29
Hook up a debugger or dump from ContactPolicy::view to see what values are being passed. — Devon Bessemer, Nov 13 '18 at 16:32
Sorry, I`m new and PHP and Laravel and have not worked with debugger, how I can do it? (Sorry for stupid question). — domanskyi, Nov 13 '18 at 16:38
That's a bit broad, I would highly recommend researching debugging techniques prior to even coding in a new language. — Devon Bessemer, Nov 13 '18 at 16:38

score 2 · Answer 1 · answered Sep 09 '19 at 09:07

2

I know this is an old question, but if anyone else runs across this, make sure you look at your controller to determine if the model is being declared in the function call

in the original poster's code, it should be

EditController.php

public function view(Contact $contact)

and the web.php

Route::get('/contact/edit/{contact}', 'EditContactController@view')->middleware('can:view,contact');

so that the dependency injection can work properly.

answered Sep 09 '19 at 09:07

Zombiesplat

943
8
19

Also, it's important to note, that the policy was never being called and thats why it always returned false. more than likely it was throwing a 403 and if you put a debug in the policy, it would never reach it because it never knew to try to look for the contact policy since it was just passing the id as an integer. – Zombiesplat Sep 09 '19 at 09:10
1

That's it, you saved my day. – Dariusz Chowański Aug 09 '21 at 17:06

score 0 · Accepted Answer · answered Nov 13 '18 at 16:58

0

I`ve just replaced

protected $policies = [
    'App\Model' => 'App\Policies\ModelPolicy',
    Contact::class => ContactPolicy::class,
];

with

protected $policies = [
    'App\Model' => 'App\Policies\ModelPolicy',
    'App\Contact' => 'App\Policies\ContactPolicy',
];

and now it works with $this->authorize('view', $contact);, but middleware still return 403

answered Nov 13 '18 at 16:58

domanskyi

701
1
6
19

That really shouldn't make a difference. `Contact::class` is just a constant that contains the full path of the class. So `Contact::class` should be equivalent to `App\Contact`. – Devon Bessemer Nov 13 '18 at 18:04
Hm, so why in this case all work fine? And, mb you know, why it works with authorize method, but middleware still returns 403? – domanskyi Nov 13 '18 at 18:14
Can't tell you that, you'll have to debug further. All I can tell you is that your supposed fix doesn't change anything. – Devon Bessemer Nov 13 '18 at 18:16
@domanskyi to be honest, changing this doesn't make send to me at all. – tisuchi Aug 05 '20 at 03:23

score 0 · Answer 3 · answered Jun 13 '19 at 03:08

0

Kindly check your route link to that method if it has your middleware if not you can set it like.

Route::get('/view', CONTROLLER@view)->middleware('YOUR-MIDDLEWARE');

Example:

Route::get('/view', UserController@view)->middleware('auth:user');

answered Jun 13 '19 at 03:08

Carl Angelo Orale

119
1
7

score 0 · Answer 4 · answered Nov 11 '19 at 09:11

You can check the pluralizations if you translate the model in your lang.

Let me explain:

Example: Model Pagamento

Url slugs: pagamenti

In my case using the check inside the functions works fine, but not works using constructor:

 public function edit(Pagamento $pagamenti)
  {

   $this->authorize('update', $pagamenti);
   //..

I changed:

public function __construct()
{

    //Abilita su tutto il resource
    //$this->authorizeResource(Pagamento::class,'pagamento'); // Not Works
    $this->authorizeResource(Pagamento::class,'pagamenti'); // Works

}

Now works fine ;)

Hope can help ;)

Laravel policies always return false

4 Answers4