Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Custom message on Laravel policy authorization

Tags:

authorization

laravel

laravel-5

policy

laravel-5.8

In my Laravel 5.8 project I am implementing a reputation system similar to Stack Exchange's one: for example, users can reply to a discussion only if they have "Level 3" reputation.

I wanted to use Laravel's policies system to build the permissions logic like so in my DiscussionPolicy file:

public function reply(User $user)
{
    $result = true;
    if ($user->current_level < 3) {
        $result = false;
        //I want to inject a custom error message here
    }
    return $result;
}

Everything works, but users get a 403 page without any explanation, and I wanted to find an elegant way to tell them that they cannot perform that action because they don't have Level 3.

Can you please suggest a way to inject somehow this message, to show it in my custom 403.blade.php page? I've been able to do this by flashing a variable in the session, but I don't think it's elegant, I would like to use something like a MessageBag (Illuminate\Support\MessageBag).

LARAVEL 8.x : check this answer.

like image 210
Marco Cazzaro Avatar asked Jun 06 '19 08:06

Marco Cazzaro

2 Answers

Answer was given in comments, put here for reference:

Laravel provides this functionality through the deny() function in the HandlesAuthorization trait. The deny() function throws an UnauthorizedException but allows you to specify a message instead of throwing a plain exception.

Replace the return false with it and you can send custom messages to render in the exception handler.

Example:

public function reply(User $user)
{
    if ($user->current_level < 3) {
        $this->deny('Sorry, your level is not high enough to do that!');
        // Laravel 6+ requires you to return the deny(), see following line
        // return $this->deny('Sorry, your level is not high enough to do that!');
    }
    return true;
}
like image 177
Loek Avatar answered Nov 09 '22 09:11

Loek

I thought I'd add this answer as I arrived here searching for how to return messages from policy methods as the code I'm maintaining only returns false when an action is not allowed.

The current documentation says to return an Illuminate\Auth\Access\Response instance from your policy method:

...
use Illuminate\Auth\Access\Response;

public function update(User $user, Post $post)
{
    return $user->id === $post->user_id
                ? Response::allow()
                : Response::deny('You do not own this post.');
}
like image 5
Tony Avatar answered Nov 09 '22 08:11

Tony
Sign in to Comment

Related questions

Force the write database connection on Laravel relationships
Laravel set timestamp timezone
Laravel: How to access config/Mail variables
How to get underlying class name from Facade name in Laravel
Laravel 5.4 update all records in table without using where clause
UnexpectedValueException Could not parse version constraint when trying to instal laravelcollective
Laravel - Trying to get property of non-object on ::first()
Delete file from a specific directory in Laravel local storage
How to implement vuetify in laravel?
View [layouts.app] not found. Laravel Framework 5.4.36
laravel Installation failed, deleting ./composer.json
Laravel mix Uncaught ReferenceError: jQuery is not defined
Using Vuepress within a Laravel project
Uncaught Exception: Unable to locate Mix file
PDOException::("PDO::__construct(): Unexpected server respose while doing caching_sha2 auth: 109") with MySQL 8 / PHP 7.2 / Laravel
Laravel - Refactoring User Permission "Gate::Define" Code Into Easier to Read Code
Laravel 5.6: Migration from a specific folder
Where do I put my custom classes and functions in Laravel
Laravel: how to get direct config value in blade template?
Laravel Mock with Mockery has error "no expectations were specified"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!