Failed policy checks return a 403 JSON response that contains a stack trace. It appears that the Illuminate Exception Handler converts Illuminate\Auth\Access\AuthorizationException exceptions into Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException exceptions, which are then passed directly back to the response without any filtering. This could potentially allow unauthorized, albeit known, users to gain insight into the internal structures of an application.
It seems like an easy way to fix this would be to add a render method to the Illuminate\Auth\Access\AuthorizationException class, but there may be some other, better solution that I am not aware of. I would be happy to submit a PR for a render function if that would be helpful.
I was able to reproduce this issue in a fresh 5.7 application using these steps:
// routes/api.php
Route::middleware('auth:api')->get('/user', 'UserController@view');

// app/Policies/UserPolicy.php
// Always deny, so every request hits the authorization failure path.
public function view(User $user)
{
    return false;
}

// app/Http/Controllers/UserController.php
public function view()
{
    $this->authorize('view', User::class);
    return response()->json();
}

// tests/Feature/ExampleTest.php
public function testBasicTest()
{
    $user = factory(User::class)->create();
    $response = $this->actingAs($user, 'api')->getJson('/api/user');
    $response->assertStatus(403);
    // Fails: the body also carries "exception", "file", "line" and "trace".
    $response->assertExactJson(['message' => 'This action is unauthorized.']);
}
Response:
{
    "message": "This action is unauthorized.",
    "exception": "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException",
    "file": "/home//foobar/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
    "line": 202,
    "trace": [
        {
            "file": "/home//foobar/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
            "line": 176,
            "function": "prepareException",
            "class": "Illuminate\Foundation\Exceptions\Handler",
            "type": "->"
        },
        // ...
    ]
}
Do you have app_debug set to false in the scenario above?
Ah! Good catch. I did indeed have app_debug set to true; setting that to false does address the problem. Thank you!
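For anyone who wants the 403 body to stay minimal even if APP_DEBUG is left on by mistake, here is an added example (not code from this issue or from the framework): a render override in the application's exception handler that answers AuthorizationException before the base handler converts it, plus a feature test that enables debug and checks the body. The file names, test name, and the /api/user route from the reproduction above are assumed.

```php
<?php
// app/Exceptions/Handler.php (added example, Laravel 5.7 style app assumed)

namespace App\Exceptions;

use Exception;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

class Handler extends ExceptionHandler
{
    public function render($request, Exception $exception)
    {
        // Answer the policy failure here, before the base handler turns it into an
        // AccessDeniedHttpException and, with debug on, serialises file/line/trace.
        if ($exception instanceof AuthorizationException && $request->expectsJson()) {
            return response()->json(['message' => $exception->getMessage()], 403);
        }

        return parent::render($request, $exception);
    }
}

// tests/Feature/AuthorizationLeakTest.php (added example; hypothetical test name)

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AuthorizationLeakTest extends TestCase
{
    use RefreshDatabase;

    public function testForbiddenJsonCarriesNoTrace()
    {
        // Deliberately simulate the misconfiguration the thread identified.
        config(['app.debug' => true]);

        $user = factory(User::class)->create();

        $response = $this->actingAs($user, 'api')->getJson('/api/user');

        $response->assertStatus(403);
        // Exact match: any extra "exception", "file", "line" or "trace" key fails the test.
        $response->assertExactJson(['message' => 'This action is unauthorized.']);
    }
}
```

Keeping the test in the suite also catches a future framework or handler change that starts emitting the trace again.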