The documentation lists default permissions for authorization tests if a policy is not present:
The listed defaults make sense - the behavior seems to be different. The `authorizedTo` method that a lot of these functions delegate to just returns `true` as default. Here's a snippet of the `authorizedToUpdate` function as an example of one that returns `true` by default if a policy isn't present instead of the expected `false`.
```php
/**
 * Determine if the current user can update the given resource.
 *
 * @param \Illuminate\Http\Request $request
 * @return bool
 */
public function authorizedToUpdate(Request $request)
{
    return $this->authorizedTo($request, 'update');
}

/**
 * Determine if the current user can view the given resource.
 *
 * @param \Illuminate\Http\Request $request
 * @param string $ability
 * @return bool
 */
public function authorizedTo(Request $request, $ability)
{
    return static::authorizable() ? Gate::forUser(Nova::user($request))->check($ability, $this->resource) : true;
}
```
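An added illustration of the behaviour reported above, not code from the issue or from Laravel Nova: the same ternary shape evaluated for a model with a policy and one without, next to a fail-closed variant. `PolicyRegistry`, `authorizedToFailOpen`, `authorizedToFailClosed`, `Post`, `Invoice` and `PostPolicy` are hypothetical stand-ins, and the user is a constructed array.

```php
<?php
// Added illustration with stand-in classes; none of this is Laravel Nova's code.

// Minimal stand-in for the Gate: maps a model class to its policy object.
final class PolicyRegistry
{
    /** @var array<string, object> */
    private array $policies = [];

    public function register(string $modelClass, object $policy): void
    {
        $this->policies[$modelClass] = $policy;
    }

    public function policyFor(string $modelClass): ?object
    {
        return $this->policies[$modelClass] ?? null;
    }
}

// Same shape as the ternary quoted in the issue: no policy means "allow".
function authorizedToFailOpen(PolicyRegistry $gate, string $model, string $ability, array $user): bool
{
    $policy = $gate->policyFor($model);
    return $policy !== null ? (bool) $policy->{$ability}($user) : true;
}

// Fail-closed variant (an assumption about the desired default, not Nova's
// behaviour): a missing policy or a missing ability method means "deny".
function authorizedToFailClosed(PolicyRegistry $gate, string $model, string $ability, array $user): bool
{
    $policy = $gate->policyFor($model);
    return $policy !== null && method_exists($policy, $ability) && (bool) $policy->{$ability}($user);
}

// Constructed sample data: Post has a policy, Invoice has none.
final class Post {}
final class Invoice {}
final class PostPolicy { public function update(array $user): bool { return $user['admin']; } }

$gate = new PolicyRegistry();
$gate->register(Post::class, new PostPolicy());
$guest = ['admin' => false];

foreach ([Post::class, Invoice::class] as $model) {
    printf("%-8s fail-open=%s fail-closed=%s\n", $model,
        var_export(authorizedToFailOpen($gate, $model, 'update', $guest), true),
        var_export(authorizedToFailClosed($gate, $model, 'update', $guest), true));
}
```

The non-admin user is refused on `Post` by both variants, but on `Invoice`, which has no policy, only the fail-closed variant refuses the update.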