Only view policy method not being authorized correctly?

[renejpeter]

I have this weird issue where my controller's index, create and update methods are authorized correctly via the policy, but my show method doesn't seem to be using the Policy. When viewing the requests in Telescope, switching to the Gate tab, I can see the proper permissions being validated for all routes except the show route. It just denies the initial check.

UsersController Index Route

UsersController Show Route

The user is authenticated via Sanctum for each of the requests, so it's not an authentication issue. I can't figure out why only the show method isn't authorizing. Below are the steps I used to set everything up.

Seeded some permissions

$models = ['role', 'permission', 'user', 'currency', 'tax', 'tag', 'vendor', 'account'];
$actions = ['create', 'update', 'view', 'list', 'delete'];
$permNames= ['view-acp'];

foreach ($models as $model) {
    foreach ($actions as $action) {
        $permNames[] = "{$action}-{$model}";
    }
}

foreach ($permNames as $name) {
    Permission::create(['name' => $name]);
}

Seeded some roles and assigned permissions to them

$acp = Permission::where('name', 'view-acp')->firstOrFail();
$allPerms = Permission::orderBy('name')->get();

$arr = ['user', 'staff', 'admin'];
foreach ($arr as $n) {
    $r = Role::create(['name' => $n]);

    if ($n === 'staff') {
        $r->givePermissionTo($acp);
    }

    if ($n === 'admin') {
        $r->givePermissionTo($allPerms);
    }
}

Seeded some users and assigned a role to one

$local = config('app.env') === 'local';

$arr = [];
if ($local) {
    User::factory()->count(78)->create();
    $arr[] = ['email' => 'email@email.com', 'password' => 'password'];
}

$arr[] = ['email' => 'staff@example.com', 'password' => 'password', 'profile' => ['first_name' => 'Staff', 'last_name' => 'User']];

foreach ($arr as $index => $default) {
    $u = User::create(['email' => $default['email'], 'password' => $default['password']]);

    if ($index >= ($local ? 1 : 0)) {
        $u->syncRoles(['staff', 'admin', 'user']);
        $u->profile()->update([
            'first_name' => $default['profile']['first_name'],
            'last_name' => $default['profile']['last_name'],
        ]);
    }
}

Checked the database after seeding and everything checks out. Users are created, the staff user has the required roles, and the roles have the required permissions assigned.

Created some resource controllers via artisan for each model

php artisan make:controller --resource Api/UsersController

[...]

Created some policies for each controller via artisan

php artisan make:policy UserPolicy --model=User

[...]

Added a constructor to each controller to tell it to use the policies

// App/Http/Controllers/Api/UsersController.php

/**
 * New instance.
 */
public function __construct()
{
    $this->authorizeResource(User::class);

    parent::__construct();
}

In the Policy, update the methods to use the custom permissions created earlier

namespace App\Policies;

use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function viewAny(User $user)
    {
        return $user->can('list-user');
    }

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\User  $model
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function view(User $user, User $model)
    {
        return $user->can('view-user');
    }

    /**
     * Determine whether the user can create models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function create(User $user)
    {
        return $user->can('create-user');
    }

    /**
     * Determine whether the user can update the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\User  $model
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function update(User $user, User $model)
    {
        return $user->can('update-user');
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\User  $model
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function delete(User $user, User $model)
    {
        return $user->can('delete-user');
    }

    /**
     * Determine whether the user can restore the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\User  $model
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function restore(User $user, User $model)
    {
        return $user->can('delete-user');
    }

    /**
     * Determine whether the user can permanently delete the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\User  $model
     * @return \Illuminate\Auth\Access\Response|bool
     */
    public function forceDelete(User $user, User $model)
    {
        return $user->can('delete-user');
    }
}

Added resource routes to routes/api.php

Route::middleware('auth:sanctum')->group(function () {
    Route::resource('roles', RolesController::class)->except(['create', 'edit']);
    Route::resource('permissions', PermissionsController::class)->except(['create', 'edit']);
    Route::resource('users', UsersController::class)->except(['create', 'edit']);
    Route::resource('accounts', AccountsController::class)->except(['create', 'edit']);
    Route::resource('tags', TagsController::class)->except(['create', 'edit']);
    Route::resource('taxes', TaxesController::class)->except(['create', 'edit']);
    Route::resource('currencies', CurrenciesController::class)->except(['create', 'edit']);
    Route::resource('vendors', VendorsController::class)->except(['create', 'edit']);
});

Added the policies to AuthServiceProvider

I haven't changed anything in the permission.php config file.
Everything seemed to have worked except the show method on the resource controllers.

// App/Http/Controllers/Api/UsersController.php

/**
 * Display the specified resource.
 *
 * @param \Illuminate\Http\Request $request
 * @param string $id
 * @return \Illuminate\Http\JsonResponse|\App\Http\Resources\UserResource
 */
public function show(Request $request, string $id): JsonResponse|UserResource
{
    try {
        $id = User::hashidToId($id);
    } catch (InvalidHashidException $exception) {
        return response()->json(['message' => 'Resource not found. Invalid ID.'], 404);
    }

    try {
        $model = User::findOrFail($id);
    } catch (ModelNotFoundException $exception) {
        return response()->json(['message' => 'Resource not found.'], 404);
    }

    SearchUtility::loadMissingRelations($model, $request);

    return UserResource::make($model);
}

Have I forgotten to do something somewhere? Did I mess up somewhere? I just can't seem to figure out why only that method doesn't authorize correctly. Keep in mind, this happens for each resource controller, not just the UsersController. The show method on each controller repeats this behaviour.

[erikn69]

Put php after ``` for readability (```php), example

/**
 * Determine whether the user can show the model.
 *
 * @param  \App\Models\User  $user
 * @param  \App\Models\User  $model
 * @return \Illuminate\Auth\Access\Response|bool
 */
public function show(User $user, User $model)
{
    return $user->can('view-user');
}

[erikn69]

Did yout try adding show method?

[renejpeter]

I used the original controller methods set by artisan make:controller and also the default policy method names. In the Laravel Authorization Documentation, it says that those methods will be mapped correctly, so I left it as-is.

I did try to rename the view policy method to show, as well as add an additional show policy method, but it still didn't work.

[erikn69]

I'm not using policies

could you create a minimal Laravel app that demonstrates the issue? Or maybe create a failing tests for autors to look at? example

If you find the solution make a PR