I'm trying to allow user to view the categories page in Laravel 8
CategoryPolicy.php

    use App\Models\Category;
    use App\Models\User;
    use Illuminate\Auth\Access\HandlesAuthorization;

    class CategoryPolicy
    {
        use HandlesAuthorization;

        /**
         * Determine whether the user can view any models.
         *
         * @param User $user
         * @return mixed
         */
        public function viewAny(User $user)
        {
            return true;
        }
    }

Category.php Models

    namespace App\Models;

    use Illuminate\Database\Eloquent\Factories\HasFactory;
    use Illuminate\Database\Eloquent\Model;

    class Category extends Model
    {
        use HasFactory;

        protected $fillable = ['category_name', 'category_image', 'parent_category'];

        public function categories(): \Illuminate\Database\Eloquent\Relations\HasMany
        {
            return $this->hasMany(Category::class, 'parent_category');
        }

        public function parentCategory(): \Illuminate\Database\Eloquent\Relations\BelongsTo
        {
            return $this->belongsTo(Category::class, 'parent_category');
        }
    }

registered policy in AuthServiceProvider.php

    protected $policies = [
        Category::class => CategoryPolicy::class
    ];

Routes

    Route::group(['middleware' => 'auth'], function () {
        Route::get('/', [DashboardController::class, 'index']);
        Route::get('/admin', [DashboardController::class, 'index']);
        Route::get('/admin/categories', [CategoryController::class, 'categories'])->name('category.index');
        Route::get('/admin/get-categories', [CategoryController::class, 'allCategories'])->name('category.indexAjax');
        Route::get('/admin/get-all-categories', [CategoryController::class, 'getCategories'])->name('category.all');
        Route::post('/admin/category/new', [CategoryController::class, 'store'])->name('category.new');
        Route::delete('/admin/category/delete/{category}', [CategoryController::class, 'delete'])->name('category.delete');
    });

CategoryController

    class CategoryController extends Controller
    {
        public function categories(Request $request)
        {
            $this->authorize('viewAny');
            return view('admin.categories.categories');
        }

        public function getCategories(Request $request)
        {
            $categories = Category::all();
            return Response::json([
                "success" => true,
                "data" => $categories
            ]);
        }

        public function allCategories(Request $request)
        {
            return DataTables::of(Category::with('parentCategory')->get())->addIndexColumn()->make(true);
        }
    }

This always returns "403 This action is unauthorized."
My code should work... yeah well... it doesn't and it's driving me mad.
Thanks
You should send the model with the authorize method. Try this:

    $this->authorize('viewAny', Category::class);

From the documentation: https://laravel.com/docs/8.x/authorization#via-controller-helpers
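
Why the extra argument matters, as an added example that is not code from this thread or from Laravel: the stand-alone PHP sketch below models how a gate picks a policy from the first argument after the ability name, and denies when it cannot resolve one. `MiniGate` and `allows()` are hypothetical names, and `User` and `Category` are empty stand-ins for the models.

```php
<?php
// Simplified model of policy lookup for illustration; this is not Laravel's Gate source.
// MiniGate and allows() are hypothetical names. User and Category stand in for the models.

class User {}
class Category {}

class CategoryPolicy
{
    public function viewAny(User $user): bool
    {
        return true;
    }
}

class MiniGate
{
    /** @var array<string, string> model class => policy class */
    private $policies;

    public function __construct(array $policies)
    {
        $this->policies = $policies;
    }

    public function allows(User $user, string $ability, array $arguments = []): bool
    {
        // The policy is selected from the first argument: a model instance or a class name.
        $target = $arguments[0] ?? null;
        $class = is_object($target) ? get_class($target) : $target;
        if (!is_string($class) || !isset($this->policies[$class])) {
            return false; // nothing to resolve a policy from: deny, surfaced as a 403
        }
        $policyClass = $this->policies[$class];
        $policy = new $policyClass();
        if (!method_exists($policy, $ability)) {
            return false; // policy found, ability not defined on it: deny
        }
        // A class-name argument only locates the policy; a model instance is passed on.
        $extra = is_object($target) ? $arguments : array_slice($arguments, 1);
        return (bool) $policy->$ability($user, ...$extra);
    }
}

$gate = new MiniGate([Category::class => CategoryPolicy::class]);
$user = new User();
var_dump($gate->allows($user, 'viewAny'));                    // the question's call: no policy found
var_dump($gate->allows($user, 'viewAny', [Category::class])); // the answer's call: CategoryPolicy::viewAny runs
```
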
I was also facing this issue. In my case, the error I made was to create the controller without specifying the model.
Before:

    php artisan make:controller ItemController --resource

After:

    php artisan make:controller ItemController --model=Item --resource

If you don't specify the model when creating the controller, the methods in it pass in a parameter called $id, but you needed the model itself instead:

    public function show($id) // wrong
    {
        //
    }

VS

    public function show(Item $item) // right
    {
        //
    }