I'm using Laravel Policy and checking for permissions created using Spatie's Laravel-Permissions package. For an API call with client credentials, the authorizeResource() in the Controller constructor returns 403. If this is removed, it returns the expected results.

NpoPolicy.php

public function view(User $user, Npo $npo)
{
    return $user->can('npo.view');
}

NpoController.php

public function __construct()
{
    $this->authorizeResource(Npo::class);
}

api.php

Route::middleware('client')->resource('/npo', 'NpoController');

API Request
URL: https://my-app.dev/api/npo/1
Method: GET

When I comment out the authorizeResource method in the controller constructor, I get the result as expected:

{
    "npos": {
        "id":1,
        "name":"Bailey and Sons",
        "contact_person_name":"Mr. Davion Mayert",
        "created_at":"2019-06-13 17:39:25",
        "updated_at":"2019-06-13 17:39:25"
    }
}

I'm aware that a Laravel policy requires a User model object and that is why the policy is returning a 403 response in my case. Is there a general practice to handle API requests (with client credentials) in these cases?
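The no-user case the question describes, written out as an added example (not the asker's code): the policy declares a nullable $user so that a client-credentials request, which carries no authenticated user, still reaches the policy method and is denied explicitly instead of by Laravel's implicit guest denial. It assumes the App\User and App\Npo namespaces for the unqualified User and Npo in the question and Laravel 5.7 or later, where a nullable user type-hint enables guest handling in policies.

```php
<?php
// Added example, not the asker's code. Assumes App\User and App\Npo and
// Laravel >= 5.7 (nullable $user lets a policy method run for guest callers).
namespace App\Policies;

use App\Npo;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class NpoPolicy
{
    use HandlesAuthorization;

    /**
     * Decide whether the caller may view an Npo.
     *
     * With the non-nullable `User $user` signature from the question, Laravel
     * never invokes this method for a request without an authenticated user
     * (as with a Passport client-credentials token) and denies outright, which
     * is the 403 observed. Declaring the parameter nullable makes that branch
     * explicit so the decision is deliberate and auditable.
     */
    public function view(?User $user, Npo $npo)
    {
        // No user: the caller authenticated with client credentials only.
        // Fail closed with a clear reason. Returning true here would expose
        // every Npo to any valid client, so any client-based allow rule
        // belongs in this branch and must be deliberate.
        if ($user === null) {
            return $this->deny('Client-credentials callers may not view NPOs.');
        }

        // Authenticated user: defer to the Spatie permission, as in the question.
        return $user->can('npo.view');
    }
}
```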

1 Answer

You have missed the second parameter of the authorizeResource function, so in NpoController.php change the authorizeResource call to:

$this->authorizeResource(Npo::class, 'npo');