laravel / nova-issues

Default authorization not behaving according to docs #6316

Closed ppisecky closed 5 months ago

ppisecky commented 5 months ago

Description:

The documentation lists default permissions for authorization tests if a policy is not present: [image]

The listed defaults make sense - the behavior seems to be different. The authorizedTo method that a lot of these functions delegate to just returns true as default. Here's a snippet of the authorizedToUpdate function as an example of one that returns true by default if a policy isn't present instead of the expected false.

    /**
     * Determine if the current user can update the given resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    public function authorizedToUpdate(Request $request)
    {
        return $this->authorizedTo($request, 'update');
    }

    /**
     * Determine if the current user can view the given resource.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  string  $ability
     * @return bool
     */
    public function authorizedTo(Request $request, $ability)
    {
        return static::authorizable() ? Gate::forUser(Nova::user($request))->check($ability, $this->resource) : true;
    }

crynobone commented 5 months ago

Please only submit a bug report with a reproducing repository.
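
The fallback quoted in the issue above, modelled as a stand-alone script (an added example, not part of the thread and not Nova's or Laravel's code). `PolicyRegistry`, `PostPolicy` and this `authorizedTo()` are hypothetical stand-ins; it compares the quoted `: true` default with a fail-closed `: false` default for a model with a policy and one without.

```php
<?php
// Added illustration only: PolicyRegistry, PostPolicy and authorizedTo() are
// hypothetical stand-ins for this sketch, not Laravel or Nova classes.

final class PostPolicy
{
    // Only 'view' is defined; 'update' is intentionally absent.
    public function view(string $user, string $model): bool
    {
        return true;
    }
}

final class PolicyRegistry
{
    /** @var array<string, object> model name => policy instance */
    private array $policies = [];

    public function register(string $model, object $policy): void
    {
        $this->policies[$model] = $policy;
    }

    public function policyFor(string $model): ?object
    {
        return $this->policies[$model] ?? null;
    }
}

// Same shape as the quoted authorizedTo(): ask the policy when one exists,
// otherwise return $whenNoPolicy (true in the quoted snippet).
function authorizedTo(PolicyRegistry $gate, string $user, string $model, string $ability, bool $whenNoPolicy): bool
{
    $policy = $gate->policyFor($model);
    if ($policy === null) {
        return $whenNoPolicy;
    }
    // Assumption of this model: a policy that lacks the method denies.
    return method_exists($policy, $ability) && $policy->{$ability}($user, $model);
}

$gate = new PolicyRegistry();
$gate->register('Post', new PostPolicy());

foreach (['Post', 'Comment'] as $model) {   // constructed input: 'Comment' has no policy
    foreach (['view', 'update'] as $ability) {
        printf("%-8s %-7s open=%s closed=%s\n", $model, $ability,
            var_export(authorizedTo($gate, 'alice', $model, $ability, true), true),
            var_export(authorizedTo($gate, 'alice', $model, $ability, false), true));
    }
}
```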