
Laravel Authorize() confusion

I'm currently migrating a project from CodeIgniter to Laravel5.

I saw in Laracasts that you can use the Request::authorize() method to authorize access before the controller is called, and it returns true or false.

This would (I think) be the ideal solution as I can contain permission checks within the request, rather than pollute the controller with permission checks and redirections / responses.

The only problem is, when I return false from authorize(), it simply loads an empty white page with "Forbidden" written on it, and I can't find any documentation on laravel.com on how to template it (either there is no documentation, or I'm overlooking it).

I know I can edit the 404 page in errors/404.blade.php, but I can't work out how to customize the 403 page. I've tried to add a custom 403.blade.php page, which doesn't get displayed. (https://mattstauffer.co/blog/laravel-5.0-custom-error-pages)

Is placing these permission checks in the Request a good idea? Or am I missing something?

Update: I ran a backtrace from authorize(), and it looks like it throws an UnauthorizedException, which extends RuntimeException. I've tried catching both in the routes.php file, which doesn't work either.

I've also tried to create middleware, and call the middleware from a method, which doesn't work either, since the middleware's not even called at all.

Update 2: OK, so I found out that I can only call $this->middleware() from the constructor, not individual methods, which is progress, I guess.

What I do is add a forbiddenResponse() method to the Request abstract class. You can return a response object from that method to render a human-readable error.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\JsonResponse;

abstract class Request extends FormRequest {

    public function forbiddenResponse()
    {
        return new JsonResponse('Unauthorized', 403);
        // or return Response::make('Unauthorized', 403);
    }
}

Check the app\Exceptions\Handler.php file. That's where you can customize your exception handling.

The 403 error launches an HttpException. By default, Laravel will look under your resources\views\errors\ directory and try to find a view that corresponds to the same status code. Since you already said that you've created a file called 403.blade.php inside that folder, it should render this page for 403 errors.

One last thing: remember to check inside your web server config file (httpd.conf for Apache, sites-available\your-host for Nginx) whether you have a default behavior for any error. If you're using Homestead, you can check the Nginx config file for anything like error_page 404 /index.php;, comment out the line and restart the service. That's not the ideal scenario but usually works.

Override the method within your form request object:

use Illuminate\Foundation\Http\FormRequest;

class CreateUserRequest extends FormRequest {

    public function forbiddenResponse()
    {
        // abort() throws an HttpException with status 403
        return abort(403);
    }
}
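The following is an added example, not code from any of the posts above. It shows a per-resource ownership check in authorize() combined with a forbiddenResponse() that keeps the 403 status for both browser and JSON clients, assuming the Laravel 5 FormRequest the answers describe. The Post model, its user_id column, the {post} route parameter and the validation rule are hypothetical.

```php
<?php

namespace App\Http\Requests;

use App\Post; // hypothetical Eloquent model with a user_id column
use Illuminate\Http\JsonResponse;

// Extends the abstract App\Http\Requests\Request shown in the first answer.
class UpdatePostRequest extends Request
{
    /**
     * Runs before the controller method is called.
     * Returning false makes the framework send forbiddenResponse().
     */
    public function authorize()
    {
        $user = $this->user();
        if ($user === null) {
            return false; // unauthenticated: deny by default
        }

        // Hypothetical route: PUT /posts/{post}. Allow only the owner of that post.
        return Post::where('id', $this->route('post'))
            ->where('user_id', $user->id)
            ->exists();
    }

    public function rules()
    {
        return ['title' => 'required|max:255']; // constructed sample rule
    }

    /**
     * Keep the 403 status on both paths so clients and access logs
     * record a real denial rather than a 200 or a redirect.
     */
    public function forbiddenResponse()
    {
        if ($this->ajax() || $this->wantsJson()) {
            return new JsonResponse(['error' => 'Forbidden'], 403);
        }

        // Renders resources/views/errors/403.blade.php
        return response()->view('errors.403', [], 403);
    }
}
```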
