Framework: Guest User Gates not working when defined using Class@method style callback

Created on 23 Oct 2018  路  5Comments  路  Source: laravel/framework
  • Laravel Version: 5.7.*
  • PHP Version: 7.1.22
  • Database Driver & Version: Not relevant

Description:

The Guest User Gates introduced in Laravel 5.7 work only if you pass a _function_ callback when defining the gate ability. If a string is provided (Class@method) they do not work.

I have researched about how the Gate works and I think the issue comes from this line:
https://github.com/laravel/framework/blob/db6d5cb0ebf0901c0e27f292810835f9bfe4c0a6/src/Illuminate/Auth/Access/Gate.php#L489

When passing the ability to the canBeCalledWithUser method, the ability is already a closure as the define method transforms it using the buildAbilityCallback. So when checking if the canBeCalledWithUser, methodAllowsGuests is never called as $class is never an array, it's already a closure:

https://github.com/laravel/framework/blob/db6d5cb0ebf0901c0e27f292810835f9bfe4c0a6/src/Illuminate/Auth/Access/Gate.php#L349-L352

Steps To Reproduce:

Define a gate using a Class@method style callback:

\Gate::define('user.view', 'App\Policies\UserPolicy@view');

// UserPolicy.php
class UserPolicy {
    public function view(?User $user, Product $product) {
        dd('I am never called');
    }
}

However, this works:

\Gate::define('user.view', function(?User $user, Product $product) {
        dd('I am called');
});
bug
Source
picture IsraelOrtuno

Most helpful comment

I can reproduce this.

picture driesvints on 9 Nov 2018
👍3

All 5 comments

Hi @IsraelOrtuno, you should check this method;

https://github.com/laravel/framework/blob/db6d5cb0ebf0901c0e27f292810835f9bfe4c0a6/src/Illuminate/Auth/Access/Gate.php#L625-L628

When you passing to class@method, this method return user.view. So trying to run App\Policies\[email protected] but don't work because user.view method does not exists

emre-kaya picture emre-kaya on 23 Oct 2018
👍1

So you mean that abilities should be camelCased? I get the same behaviour whatever the ability is called.

IsraelOrtuno picture IsraelOrtuno on 24 Oct 2018

No. I mean, if you pass to callback instead of class@method, gate trying to find ability on policy class. In this example gate trying to work [email protected]. If you replaced ability with view, it is work. Or you replaced ability with user-view and replaced method with userView, works again.

emre-kaya picture emre-kaya on 24 Oct 2018

I can reproduce this.

driesvints picture driesvints on 9 Nov 2018
👍3

@driesvints This is fixed.

imanghafoori1 picture imanghafoori1 on 22 Feb 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

lzp819739483 picture lzp819739483  路  3Comments
kerbylav picture kerbylav  路  3Comments
YannPl picture YannPl  路  3Comments
felixsanz picture felixsanz  路  3Comments
fideloper picture fideloper  路  3Comments