# Laravel Policy - Allow Unauthenticated or Authenticated users to perform requests using Middleware


modest marlin

I just want to perform a request whether the user is Authorized or Not Authorized. If a user is logged in, then I will check if the Post is enabled or not using `$post->status`. If the user is a viewer, then he will see the Forbidden error. If the user is Super-Admin, then he can perform the action. But if I have an unauthenticated user, the same rules will follow as for the Viewer: the unauthenticated user cannot see a Post whose status is disabled (0). But if `$post->status` is 1 or enabled, then an unauthenticated user can view the Post without seeing an unauthorized error.

The code shown only works for authenticated users.

Rule 1:

BlogPolicy

```php
public function view(?User $user, Blog $post)
{
    // Enabled posts are visible to everyone, including guests.
    if ($post->status) {
        return true;
    }
    // Guests ($user is null because of the nullable type hint) cannot see disabled posts.
    if ($user === null) {
        return false;
    }
    // Only privileged roles may see disabled posts.
    if ($user->hasAnyRole(["super-admin", "admin"])) {
        return true;
    }
    // Explicit deny instead of falling through and returning null.
    return false;
}
```
BlogController

```php
public function __construct()
{
    // auth:api applies to every action; guests get a 401 before the policy runs.
    $this->middleware(['auth:api'], ['except' => []]);
}

public function show($id)
{
    $post = Blog::findOrFail($id);
    // Delegates to BlogPolicy::view().
    $this->authorize("view", $post);
    return response($post);
}
```
The code shown only works for unauthenticated users.

Rule 2:

BlogController

```php
public function __construct()
{
    // $this->authorizeResource(Blog::class);
    // show() is exempt from auth:api, so no user is resolved for it.
    $this->middleware(['auth:api'], ['except' => ["show"]]);
}
```
Here, if I use `['except' => ["show"]]`, it can't check if the user is super-admin or viewer, but the unauthenticated user can see the enabled post, and when they try to see a disabled post they get a 403, which is what I expected. Is it possible to use the policy whether the user is authenticated or not?

I just want to combine them: if the user is authenticated, then follow rule 1; if not, then follow rule 2, or instructions or something like that.

grizzled ore

I'm pretty sure the problem is the auth:api is needed to log the user in when you're using an API key/bearer auth. Since it's not done via cookies, you don't have a session to be automatically revived. Therefore, when you remove the middleware, the user isn't logged in.
I'd suggest using two different endpoints, one for auth'ed users and one for guests.

gilded pivot

Hello @modest marlin,

Can you fix your code format using:

```php

```

gilded pivot

I think you need to make sure the web or api middleware is used. Then you can, if I recall correctly, use the following code to verify if a user is authenticated:

`Auth::check()`

Small tip:

If you have a super admin, you may intercept all authorizations instead of adding your "hasAnyRole" inside your policy with this: https://laravel.com/docs/9.x/authorization#intercepting-gate-checks


modest marlin

I solved this problem with the help of a 2nd auth middleware, which actually helps me to check if the current user is logged in or not. If logged in, then the policy will let the super-user see the status=0 post. If the user is not a super-admin but a viewer or a guest, then they will see the status=1 post. I just created an extra auth middleware and removed the old one only for that route.
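An added example of the approach described in this last post, not the poster's code: an optional auth middleware that resolves the api-guard user when a valid bearer token is present and otherwise lets the request through as a guest, so the thread's `BlogPolicy::view(?User $user, Blog $post)` receives `null` and can return 403 for disabled posts instead of the 401 that `auth:api` produces. Assumed names are `OptionalApiAuth` and `App\Models\Blog`; it assumes Laravel 9 style constructor middleware and an api guard that returns no user (rather than throwing) for a missing or invalid token.

```php
<?php
// Added example, not the poster's code. Hypothetical file:
// app/Http/Middleware/OptionalApiAuth.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class OptionalApiAuth
{
    // Resolve the api-guard user when the request carries a valid token,
    // but never reject the request: a guest simply continues with no user,
    // so BlogPolicy::view(?User $user, Blog $post) receives null.
    public function handle(Request $request, Closure $next)
    {
        if (Auth::guard('api')->check()) {
            // Make 'api' the default guard so authorize() and $request->user() see this user.
            Auth::shouldUse('api');
        }
        return $next($request);
    }
}

// Hypothetical file: app/Http/Controllers/BlogController.php
namespace App\Http\Controllers;

use App\Http\Middleware\OptionalApiAuth;
use App\Models\Blog;

class BlogController extends Controller
{
    public function __construct()
    {
        // Every action except show() still requires a valid token (401 otherwise).
        $this->middleware('auth:api', ['except' => ['show']]);
        // show() uses the optional variant: logged-in user or guest, never a 401.
        $this->middleware(OptionalApiAuth::class, ['only' => ['show']]);
    }

    public function show($id)
    {
        $post = Blog::findOrFail($id);
        // Policy decides: enabled -> anyone; disabled -> super-admin/admin only (others get 403).
        $this->authorize('view', $post);
        return response()->json($post);
    }
}
```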