What is the purpose of the authorize method in a Request class in Laravel?

Question

I am today in bit confusion about my website security and some extra code that is written to make the website secure. Below are 2 locations where security is applied.

Inside Route Config, To secure the route, I have used Middleware to check the user role.

Route::group(['middleware' => ['web', 'SuperAdmin', 'auth']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

I mentioned 2 Middlewares .

1. Auth Middleware : This is for authentication .
2. SuperAdmin Middleware : This is for Authorization .

Second location is Request class. Here is the code. In authorize method, again same thing is being checked as already done in route

class DepartmentRequest extends Request
{
    public function authorize()
    {
        if(\Auth::user() == null) {
            return false;
        }
        if(\Auth::user()->isSuperAdmin()) {
            return true;
        }
        return false;
    }

    public function rules()
    {
        return [
            'Department' => 'required',
        ];
    }
}

Question: Should I remove check in Request class? Is that an unwanted validation to secure the request ? As route.config is already doing the job.

What's the use of authorize method? I meant, I am using Request class to validate form inputs. Should I always return true from authorize method?

Answer 1

yes, you should remove that checks in the Request class: if you're already doing that checks in your middleware you should not repeat them

When you specify this:

Route::group(['middleware' => ['web', 'SuperAdmin']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

You're telling laravel that, when it finds a /Create-Department route, it should trigger the handle method of these middleware: ['web', 'SuperAdmin'] , before the request is sent to the DepartmentController

So, if you check for authentication and authorization in the middlewares, when the request will get to your controller you're sure that it has satisfied all the middleware it went through

Regarding the purpose of the authorize method: the authorize method is usually used to authorize the actual request basing on some policy you'd like to respect. For example, if you have a request to edit a Post model, in the authorize method you'd check that the specific user trying to edit the post has the permissions to do it (for example being the author of the post )

EDIT

Even if you want to use a middleware for your authorization, it's fine. Anyhow, usually the authorize method within form requests is used to do authorization checks on the specific request.

For instance check this example from the docs :

public function authorize()
{
    $postId = $this->route('post');

    //here the authorization to edit the post is checked through the Gate facade
    return Gate::allows('update', Post::findOrFail($postId));
} 

In conclusion: if you're doing your authentication and authorization tasks in middlewares, you don't need to repeat them in the authorize method, but keep in mind that the native purpose of the method is to authorize the specific request