Laravel Policies Via blade template

Question

I got an error when i want to use Policies to limit users access, when user access the system as guest, the system won't show edit button vice versa if user as admin the system will show the edit button. But i got an error when user are logged in as Admin and no error when user are not logged in. This are my error messages

oo few arguments to function App\Policies\InverterPolicy::update(), 1 passed in /Applications/XAMPP/xamppfiles/htdocs/PROJECT/ta/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php on line 691 and exactly 2 expected

This are my blade

@can('update',App\Inverter::class)
    <a href="{{ route('inverters.edit',[$data->id]) }}"><button type="button" class="btn btn-warning" name="button">Edit</button></a>
@endcan

This are my Controllers

public function update(Request $request, Inverter $inverter)
{
  $this->authorize('update',$inverter);
  $data = $request->validate([
    'name'=>'bail|required|max:191',
    'warehouse_id'=>'bail|required|numeric',
    'company_id'=>'bail|required|numeric',
    'length'=>'numeric',
    'width'=>'numeric',
    'height'=>'numeric',
    'maxInputPower'=>'numeric',
    'maxInputVoltage'=>'numeric',
    'maxInputCurrent'=>'numeric',
    'MPPTOperatingRange'=>'numeric',
    'parallelInput'=>'numeric',
    'MPPTTrackers'=>'numeric',
    'nominalOutputPower'=>'numeric',
    'maxOutputPower'=>'numeric',
    'nominalOutputCurrent'=>'numeric',
    'maxOutputCurrent'=>'numeric',
    'ACFrequencyRange'=>'numeric',
    'THDI'=>'numeric',
    'efficiency'=>'numeric',
    'MPPTEfficiency'=>'numeric',
    'euroEfficiency'=>'numeric',
  ]);
  Inverter::find($inverter->id)->update($data);
  return redirect(action('InverterController@index'));
}

this are my policies

public function update(User $user, Inverter $inverter)
{
  return in_array($user->role,[
    'Admin',
  ]);
}

you are not passing a model instance so you have to define your policy differently, its in the docs, Methods without Models — lagbox, Nov 27 '19 at 07:12
did you read the section in the Authorization docs about Policies named "Methods without Models"? — lagbox, Nov 27 '19 at 07:17
@lagbox i did, but i think the problem are not on the policies nor controller, since i tried to update data when logged in and it's succeed and throw and 403 error when it's guest, but i'm still un able to show index page, and show page when i'm logged in — Martin Christopher, Nov 27 '19 at 07:22
in the blade template pass the instance of the model to the `can` call ... if you don't there is no instance to pass to the `update` method of the policy .... — lagbox, Nov 27 '19 at 07:27
@lagbox but i did ```@can('update',App\Inverter::class)``` if your talking ```$inverters``` as the model it work but even though i'm logged in the button still not visible, and when i go to show page it still throw the same error messages — Martin Christopher, Nov 27 '19 at 07:32
pass the model instance as the second argument ... not a string — lagbox, Nov 27 '19 at 07:35
@lagbox at this moment i'm not sure what do you mean since i'm not good at english.... as far as i know it's not a string... — Martin Christopher, Nov 27 '19 at 07:42
`App\Inverter::class` returns a string, not an instance of a Model, it is not an object — lagbox, Nov 27 '19 at 07:43

score 2 · Accepted Answer · answered Nov 27 '19 at 07:56

2

When you call the can() method on a User using, as the second parameter, the class name instead of an instance, you're actually calling the method without the second parameter at all. Just make the $inverter nullable in your policy and it should be fixed:

public function update(User $user, Inverter $inverter = null)
{
  return in_array($user->role,[
    'Admin',
  ]);
}

answered Nov 27 '19 at 07:56

Alessandro Benoit

903
10
19

It worked, but i still don't understand what happened, but thanks a lot – Martin Christopher Nov 27 '19 at 08:00
1

By default generated Laravel policies assumes that you'll pass an instance of the object, not its name. So the can method would expected for a given Inverter instance `$inverter = Inverter::find(1)` to be passed to it as following: `@can('update', $inverter)`. In your specific case you're calling the policy using the class name (a string) instead: `@can('update', 'App\Inverter')`. Hope that this clarifies it. – Alessandro Benoit Nov 27 '19 at 08:06

Laravel Policies Via blade template

1 Answers1