
I have a boilerplate Laravel 9 app, with a model generated with the cli command php artisan make:model Post -a --api to make an API controller, with form request and policies.

The Laravel Policy Authorisation docs don’t seem to make it clear what to do with both a Policy and FormRequest. Do I call the policy class inside the FormRequest? Or ignore the policies for store/update?

How do I use auth policies with FormRequests for my API controller?

2 Answers


  1. Chosen as BEST ANSWER

    Docs didn't make it clear, posting in case anyone else is struggling. Example for User model, UserPolicy and UserController.

    First, add the Policy class in AuthServiceProvider.

    App\Providers\AuthServiceProvider
    
        /**
         * The policy mappings for the application.
         *
         * @var array<class-string, class-string>
         */
        protected $policies = [
            User::class => UserPolicy::class,
        ];
    

    Second, use authorizeResource in the controller to auto map policies to the API controller. See here for what the policy -> controller maps to

    // App\Http\Controllers\UserController
    
    use App\Models\User;
    use Illuminate\Http\Request;
    use App\Http\Requests\StoreUserRequest;
    use App\Http\Requests\UpdateUserRequest;
    
    class UserController extends Controller
    {
        /**
         * Create the controller instance.
         *
         * @return void
         */
        public function __construct()
        {
            // Sets up user policy for this controller
            $this->authorizeResource(User::class, 'user');
        }
    ...
    }
    

    Last, DELETE the authorize section from the FormRequests

    // App\Http\Requests\UpdateUserRequest
    
    class UpdateUserRequest extends FormRequest
    {
        // DELETE the auth part below, otherwise it'd mess up using policies. 
        // I'm pretty sure this takes precedence over policies
        /**
         * Determine if the user is authorized to make this request.
         *
         * @return bool
         */
        //public function authorize()
        //{
            //return true;
        //}
    }
    

    Now the policies set in UserPolicy will be used as auth guards for the User Controller.


  2. Although it's not told directly in the docs, you can use the policy inside the authorize() method in a Form Request:

    Authorization Using Model

    class UpdatePostRequest extends FormRequest
    {
        public function authorize() : bool
        {
            return $this->user()->can(
                'update', $this->post
            );
        }
    }
    

    Controller

    class PostController
    {
        public function update(UpdatePostRequest $request, Post $post)
        {
            // your code here
        }
    }
    

    So instead of using $this->authorize('update', $post) inside the controller you can directly put it inside the FormRequest.

    Hope it helps : )
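
A feature test that checks the policy is actually enforced on the update route, whichever of the two approaches above is used. This is an added example, not part of either answer. The `/api/posts/{post}` route behind auth middleware, the `user_id` column and `title` field on Post, the model factories, and a `PostPolicy::update` that allows only the owner are all assumptions.

```php
<?php

namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Assumed setup: PUT /api/posts/{post} is behind auth middleware and
// PostPolicy::update() returns $user->id === $post->user_id.
class PostUpdateAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_cannot_update(): void
    {
        $post = Post::factory()->create(['title' => 'original']);

        $this->putJson("/api/posts/{$post->id}", ['title' => 'changed'])
            ->assertUnauthorized();                       // 401, never reaches the policy

        $this->assertDatabaseHas('posts', ['id' => $post->id, 'title' => 'original']);
    }

    public function test_non_owner_is_forbidden_even_with_invalid_payload(): void
    {
        $owner = User::factory()->create();
        $other = User::factory()->create();
        $post  = Post::factory()->create(['user_id' => $owner->id, 'title' => 'original']);

        // Authorization runs before validation, so an empty body must
        // produce 403 rather than a 422 listing the validation rules.
        $this->actingAs($other)
            ->putJson("/api/posts/{$post->id}", [])
            ->assertForbidden();

        $this->assertDatabaseHas('posts', ['id' => $post->id, 'title' => 'original']);
    }

    public function test_owner_can_update(): void
    {
        $owner = User::factory()->create();
        $post  = Post::factory()->create(['user_id' => $owner->id, 'title' => 'original']);

        $this->actingAs($owner)
            ->putJson("/api/posts/{$post->id}", ['title' => 'changed'])
            ->assertOk();

        $this->assertDatabaseHas('posts', ['id' => $post->id, 'title' => 'changed']);
    }
}
```

If the non-owner test returns 200 after the authorize() method has been removed from the FormRequest, the policy is not wired to the route and every authenticated user can update every record.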
