kodeine / laravel-acl

Light-weight role-based permissions system for Laravel 6+ built in Auth system.
MIT License
787 stars 217 forks

Acl check failure should return 403 instead of 401 #223

Closed. fiurino closed this issue 6 years ago

fiurino commented 6 years ago

Hello, ACL validation replies with a 401 (unauthorized) instead of a 403 (forbidden). Is there a specific reason for that?

Thanks in advance.

ignatevdev commented 6 years ago

I have stumbled upon this one too and by looking at the code you can see that 401 is hardcoded into the ACL middleware. However, you can easily replace it with your own middleware, thus I solved this problem in the following way:

  1. Create your own middleware, e.g. HasPermission
  2. Extend the middleware class from Kodeine\Acl\Middleware\HasPermission
  3. Copy-paste the handle method from the original HasPermission middleware and replace 401 with 403
  4. In app/Http/Kernel.php replace 'acl' => 'Kodeine\Acl\Middleware\HasPermission' with your own middleware
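
A minimal version of that replacement middleware, added here as an example and not the package's own code. The original handle body is not reproduced; instead the subclass assumes the permission name arrives as a middleware parameter (e.g. `acl:post.edit`) and that `can()` is provided by the package's HasRole trait on the user model. The point of the change is to keep 401 for callers that are not authenticated and use 403 for callers that are known but not allowed.

```php
<?php
// app/Http/Middleware/HasPermission.php
// Added example (not the package's own code). Assumptions: the permission
// name is passed as a middleware parameter such as 'acl:post.edit', and the
// User model uses Kodeine\Acl\Traits\HasRole, which supplies can().

namespace App\Http\Middleware;

use Closure;
use Kodeine\Acl\Middleware\HasPermission as BaseHasPermission;

class HasPermission extends BaseHasPermission
{
    public function handle($request, Closure $next, ?string $permission = null)
    {
        $user = $request->user();

        // No authenticated user: the caller's identity is unknown, so 401
        // (Unauthorized) is the correct status.
        if ($user === null) {
            abort(401, 'Unauthenticated.');
        }

        // Authenticated but lacking the permission: the caller is known and
        // the request is refused, which is 403 (Forbidden), not 401.
        if ($permission !== null && ! $user->can($permission)) {
            abort(403, 'Forbidden.');
        }

        return $next($request);
    }
}

// app/Http/Kernel.php (excerpt): point the 'acl' alias at the subclass
// instead of Kodeine\Acl\Middleware\HasPermission.
//
//   protected $routeMiddleware = [
//       // ...
//       'acl' => \App\Http\Middleware\HasPermission::class,
//   ];
```

With the alias repointed, a route such as `Route::get('/posts/{id}/edit', ...)->middleware('acl:post.edit')` returns 403 for a logged-in user without `post.edit` and 401 for a guest.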

kodeine commented 6 years ago

Extending the middleware is a good option for right now.