Merge branch 'release/5.0.1'

laravel-json-api · Dec 2, 2024 · 44fdbb8 · 44fdbb8
2 parents f21276a + fd0bf65
commit 44fdbb8
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file. This projec
 
 ## Unreleased
 
+## [5.0.1] - 2025-12-02
+
+### Fixed
+
+- [#301](https://github.com/laravel-json-api/laravel/pull/301) Do not override response status when authorization
+  exception is thrown.
+
 ## [5.0.0] - 2025-12-01
 
 ### Changed

diff --git a/src/Http/Requests/FormRequest.php b/src/Http/Requests/FormRequest.php
@@ -254,7 +254,9 @@ protected function passesAuthorization()
             }
 
         } catch (AuthorizationException $ex) {
-            $this->failIfUnauthenticated();
+            if (!$ex->hasStatus()) {
+                $this->failIfUnauthenticated();
+            }
             throw $ex;
         }
         return true;

diff --git a/tests/dummy/app/Policies/UserPolicy.php b/tests/dummy/app/Policies/UserPolicy.php
@@ -55,13 +55,13 @@ public function updatePhone(User $user, User $other): bool
     /**
      * Determine if the user can delete the other user.
      *
-     * @param User $user
+     * @param ?User $user
      * @param User $other
      * @return bool|Response
      */
-    public function delete(User $user, User $other)
+    public function delete(?User $user, User $other)
     {
-        return $user->is($other) ? true : Response::denyAsNotFound('not found message');
+        return $user?->is($other) ? true : Response::denyAsNotFound('not found message');
     }
 
 }
diff --git a/tests/dummy/tests/Api/V1/Users/DeleteTest.php b/tests/dummy/tests/Api/V1/Users/DeleteTest.php
@@ -16,23 +16,34 @@
 
 class DeleteTest extends TestCase
 {
-
     public function test(): void
     {
         $user = User::factory()->createOne();
 
-        $expected = $this->serializer
-            ->user($user);
         $response = $this
             ->actingAs(User::factory()->createOne())
             ->jsonApi('users')
-            ->delete(url('/api/v1/users', $expected['id']));
+            ->delete(url('/api/v1/users', $user));
 
-        $response->assertNotFound()
-            ->assertHasError(404, [
+        $response->assertNotFound()->assertErrorStatus([
             'detail' => 'not found message',
             'status' => '404',
             'title' => 'Not Found',
         ]);
     }
+
+    public function testUnauthenticated(): void
+    {
+        $user = User::factory()->createOne();
+
+        $response = $this
+            ->jsonApi('users')
+            ->delete(url('/api/v1/users', $user));
+
+        $response->assertNotFound()->assertErrorStatus([
+                'detail' => 'not found message',
+                'status' => '404',
+                'title' => 'Not Found',
+            ]);
+    }
 }