Guest users in laravel authorization policies

Question

I use policies for user authorization. How to use policies for guest users?

Here is my code:

In controller:

class PostController extends Controller
{
    public function index(Post $post)
    {
        $this->authorize($post);
        return $post->all();
    }
}

In policy:

class PostPolicy
{
    // This function executes only for authenticated users.
    // I want to use it for guest users too
    public function index(User $user)
    {            
        return $user->can('get-posts');
    }
}

Answer 1

First make a new service provider:

php artisan make:provider GuestServiceProvider

Then edit GuestServiceProvider.php with this:

public function boot()
{
    // Laravel policies only work if the user isn't null so for guest access we need to assign a dummpy user.
    // From now on to check for guest use is_null(Auth::user()->getKey())
    if(!Auth::check()) {
        $userClass = config('auth.providers.users.model');
        Auth::setUser(new $userClass());
    }
}

Now Policies will work for guest users and in your policy you can check for the guest by doing:

if(is_null(Auth::user()->getKey())){
    // it's a guest
}

Which essentially means if the user doesn't have an id then its not a real user, hence must be a guest.

Answer 2

Laravel 5.7 now has this feature built in (with PHP >=7.1) See the docs on the new Gate . For anyone using older versions, here is my solution. Make a small helper to use the authorizeForUser method on Illuminate\\Foundation\\Auth\\Access\\AuthorizesRequests . It leaves all native functionality intact. Extend your controller:

use App\User;

public function authorizeAnyone($ability, $arguments = []) {
   list($ability, $arguments) = $this->parseAbilityAndArguments($ability, $arguments);
   return $this->authorizeForUser( auth()->user() ?? new User(), $ability, $arguments);
}

Then wherever you want the possibility of checking your policy against a guest, use

$this->authorizeAnyone();

instead of

$this->authorize();

If you don't want to extend your controller, you can also call (for example):

$this->authorizeForUser( auth()->user() ?? new User, 'index', $post );

Answer 3

In your PostPolicy change this

class PostPolicy{
// This function executes only for authenticated users.
// I want to use it for guest users too
public function index(User $user)
{            
    return $user->can('get-posts');
}
}

to:

class PostPolicy{
// This function executes only for authenticated users.
// I want to use it for guest users too
public function index(?User $user)
{            
    return $user->can('get-posts');
}
}

source

Answer 4

I think the simpliest way is to protect with Auth middleware. or check if user is authenticated in policy