5

I have a problem: I cannot use policies in Laravel 5.2.

I have 2 tables, students and tasks.

I am trying to apply a policy to prevent a task from being edited by changing the URL, but I always get the message "This action is unauthorized" although the task belongs to the correct user.

Policy Code:

    <?php

    namespace App\Policies;

    use App\Models\Student;
    use App\Models\Task;

    class TasksPolicy
    {
        public function edit(Student $student, Task $tasks)
        {
            return $student->id === $tasks->student_id;
        }
    }

Code in AuthServiceProvider.php

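    <?php

    namespace App\Providers;

    use App\Models\Task;
    use App\Policies\TasksPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        /**
         * The policy mappings for the application.
         *
         * @var array
         */
        protected $policies = [
            Task::class => TasksPolicy::class
        ];

        // (rest of the provider is not shown in the question)
    }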

And then the call in the TaskController.php file:

    public function edit($id)
    {
        $tasks = Task::findOrFail($id);
        $this->authorize('edit', $tasks);
        return view('tasks.edit', compact('tasks'));
    }

I think the code is good because I've revised it several times, but as I said earlier, I always get the message "This action is unauthorized" although the task to edit belongs to the user.

https://i.stack.imgur.com/9Gkb3.jpg

What am I doing wrong? How can I use the policy correctly?

Cristian Bustos
  • I don't think it's meant to be used between two models. One of them *must* be the `User` model. – Hkan Mar 31 '16 at 07:15
  • Hi, I use the users table for other users, so I have to use the students table (I'm using multi-auth in Laravel 5.2). – Cristian Bustos Mar 31 '16 at 07:23
  • What do you get if you `dd($student->id, $tasks->student_id)` in the `edit()` method? – Joel Hinz Mar 31 '16 at 07:51
  • Hello, sorry for the delay in responding. If I do as I said, I get the correct id for each table (1, 1) for example. I have already used the user policy table and I have had no problems. Apparently the students table is the one with the problem. – Cristian Bustos Mar 31 '16 at 15:08

2 Answers

0

You are using "===", which means that both the data and the datatype on each side must match. Maybe your data match but not the datatype; you may try using "==".

    public function edit(Student $student, Task $tasks)
    {
        return $student->id == $tasks->student_id;
    }

Imtiaz Pabel
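
The comparison choice discussed in this answer, as an added example that is not part of the original post: it runs the question's strict check, the loose check suggested here, and a validate-then-compare variant over constructed ids. `Student` and `Task` below are minimal stand-ins for the page's models, and `normalizedOwns` is a hypothetical helper.

```php
<?php
// Stand-ins for the page's App\Models\Student and App\Models\Task (assumption:
// ids may arrive as strings, as some database drivers return them).
class Student { public $id; function __construct($id) { $this->id = $id; } }
class Task { public $student_id; function __construct($sid) { $this->student_id = $sid; } }

// The question's check: strict, so int 1 and string "1" do not match.
function strictOwns(Student $s, Task $t): bool { return $s->id === $t->student_id; }

// The check suggested in the answer: loose, so PHP type juggling applies.
function looseOwns(Student $s, Task $t): bool { return $s->id == $t->student_id; }

// Added alternative (hypothetical helper): validate both sides as integers,
// then compare strictly.
function normalizedOwns(Student $s, Task $t): bool
{
    $a = filter_var($s->id, FILTER_VALIDATE_INT);
    $b = filter_var($t->student_id, FILTER_VALIDATE_INT);
    return $a !== false && $b !== false && $a === $b;
}

// Constructed cases: [student id, task student_id, should the student own it?]
$cases = [
    [1, 1, true],
    [1, '1', true],      // same id, different PHP types
    [1, 2, false],
    [0, null, false],    // task with no owner
    ['1', '01', false],  // different strings that are numerically equal
];

foreach ($cases as [$sid, $tid, $expected]) {
    $s = new Student($sid);
    $t = new Task($tid);
    printf(
        "%-6s vs %-6s expected=%-5s strict=%-5s loose=%-5s normalized=%s\n",
        var_export($sid, true), var_export($tid, true), var_export($expected, true),
        var_export(strictOwns($s, $t), true), var_export(looseOwns($s, $t), true),
        var_export(normalizedOwns($s, $t), true)
    );
}
```

In an authorization check a loose `==` can return true for values that are not the same id (for example `0 == null`), which is why the third variant validates both sides before a strict comparison.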
0

Two things: one is the name of the method and the other is the order of parameters. The method name should be 'update', not 'edit' - these are predefined, at least in later versions of Laravel. You might be getting the authorization error because the name 'edit' is not recognized by Laravel, so the policy for update is never defined.

The order of arguments also matters. When there are parameters passed to policy methods, the User model has to be the first parameter, followed by all the others.

    public function update(User $user, [... other objects...])

So, you'd have

    update(User $user, Student $student, Task $tasks)

Laravel will inject the Authenticated User Model but other objects have to be passed directly.

    $this->authorize('edit', $student, $tasks);

Hopefully that will work.

If your Student class extends User Class, you may be thinking that you can substitute Student for User in the method prototype. You can't do that - that's a different method altogether.