I'm trying to delete a post that belongs to the user who made it; however, I get this error (this was in the network log, by the way):
"/Applications/MAMP/htdocs/eli42/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php" line : 201 message : "This action is unauthorized." trace : [{,…},…]
I'm utilizing Laravel 5.5 policy, not sure if I'm doing this right. I registered it in my AuthServiceProvider within $protected policies
Post::class => PostPolicy::class,
Route
Route::delete('auth/post/{id}', 'PostController@destroy');
PostPolicy.php
<?php
namespace App\Policies;

use App\User;
use App\Post;
use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view the post.
     *
     * @param \App\User $user
     * @param \App\Post $post
     * @return mixed
     */
    public function view(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can create posts.
     *
     * @param \App\User $user
     * @return mixed
     */
    public function create(User $user)
    {
        //
    }

    /**
     * Determine whether the user can update the post.
     *
     * @param \App\User $user
     * @param \App\Post $post
     * @return mixed
     */
    public function update(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can delete the post.
     *
     * @param \App\User $user
     * @param \App\Post $post
     * @return mixed
     */
    public function delete(User $user, Post $post)
    {
        //
        return $user->id === $post->user_id;
    }
}
PostController.php (there is more code to this file but I wanted to highlight the delete function)
<?php
namespace App\Http\Controllers;

use App\Post;
use App\User;
use App\Policies\TaskPolicy;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class PostController extends Controller
{
    public function destroy($id, Post $post)
    {
        $mypost = $this->authorize('delete',$post);
        if($mypost){
            Post::destroy($id);
        }
    }
}
Main.js to delete post
$scope.deletePost = function(post){
    var index = $scope.myposts.indexOf(post);
    if(index != -1){
        $scope.myposts.splice(index, 1);
    }
    $http.delete('auth/post/' + post.id);
};
html
<button ng-click="deletePost(post)">x</button>
You don't need to retrieve the post; let Laravel do that for you.
Edit your route to be like this:
Route::delete('auth/post/{post}', 'PostController@destroy');
Note that the post between curly brackets will be the variable name assigned to the post if found by Laravel. If no post is found, Laravel will return Not Found 404.
Then in your controller, you have to tell Laravel that you're expecting a post coming through the route:
The method signature will be like this: destroy(Post $post). $post is the same as {post} in your route.
Finally, for authorization, you will not get the post returned from the authorize method. You pass the $post found by Laravel to the authorize method.
Here is the full method:
public function destroy(Post $post)
{
    // Throws an authorization exception (403) unless PostPolicy::delete() allows it.
    $this->authorize('delete', $post);

    if ($post->delete()) {
        return response()->json(['message' => 'deleted']);
    }

    return response()->json(['error' => 'something went wrong'], 400);
}