I define a Gate and the code never gets called, always denies authorization

[s6joui]

• Laravel Version: 5.4
• PHP Version: 7.0

Description:

In my Laravel 5.4 application users can create Projects and then Posts inside those projects.

I'm trying to prevent users from creating or editing posts inside a project they don't have access to.
To do this I implemented a Gate as explained here: https://laravel.com/docs/5.4/authorization#gates

Steps To Reproduce:

The gate checks if a user is the owner of the project.

    Gate::define('create-post', function ($user, $project) {
        Log::info($project) // !!! Never gets called
        return $project->owner_id == $user->id;
    });

On the PostController I call Gate::denies passing the project as an argument

    if (Gate::denies('create-post', $project)) {
        abort(403);
    }

The problem is the code I defined for the gate never gets called. Instead it always returns false and goes to the 403 error.
However, the code does get called if I don't pass the project as an argument but that makes it useless.

I also want to add that in this case I cannot use a Policy because the create method only takes one argument ($user) and if I try to pass the $project it fails the same way it does with the Gate.

Is this a bug? Is there another, better way to implement this funcionality? Thanks.

[Hell4Ge]

Gate::define('create-post', function ($user, $project) {
Log::info($project) // !!! Never gets called
return $project->owner_id == $user->id;
});

You didn't put a semicolon after Log::info($project), which can cause error that won't be displayed for some reason. Check logs

[stevebauman]

I also want to add that in this case I cannot use a Policy because the create method only takes one argument ($user) and if I try to pass the $project it fails the same way it does with the Gate.

You can pass as many arguments you would like to a policy method. You must use an array to do this:

PostPolicy
{
    public function create($user, $project)
    {
        return $project->owner_id == $user->id;
    }
}

public function store(Post $post)
{
    $project = Project::find(1);

    $this->authorize('create', [$post, $project]);
}

The first argument will be used to locate the correct policy, the others will be added to the arguments of the function call.

[browner12]

do you have a policy defined for User? if you do the policy takes priority over everything else

[themsaid]

Closing for lack of activity from the original author.

Thanks everyone who tried to help, but I don't think it's an issue with the core since we got no complains on this.

[browner12]

my guess is he has a Policy defined for Projects, and that is taking authority over the gate. I ran into this confusing operation in the past. The Policies are incredibly greedy, and I have addressed this in a PR to the master branch #19120

[enriqg9]

@browner12 I am having this issue on L5.8, Project policy taking over.

[mennorenkens]

Just had the same issue because I forgot to add the auth:api middleware on the route. It meant that there was no authenticated user in the request, and hence the gates were never called.