diff --git a/composer.json b/composer.json index 5ac9733..7516ea9 100644 --- a/composer.json +++ b/composer.json @@ -25,7 +25,7 @@ "require": { "php": "^8.2", "ext-json": "*", - "laravel-json-api/core": "^4.3.2", + "laravel-json-api/core": "^4.3.2|^5.0.1", "laravel-json-api/eloquent": "^4.4", "laravel-json-api/encoder-neomerx": "^4.1", "laravel-json-api/exceptions": "^3.1", diff --git a/src/Http/Requests/FormRequest.php b/src/Http/Requests/FormRequest.php index 1ff4f8e..a4974ca 100644 --- a/src/Http/Requests/FormRequest.php +++ b/src/Http/Requests/FormRequest.php @@ -11,6 +11,8 @@ namespace LaravelJsonApi\Laravel\Http\Requests; +use Illuminate\Auth\Access\AuthorizationException; +use Illuminate\Auth\Access\Response; use Illuminate\Auth\AuthenticationException; use Illuminate\Contracts\Auth\Guard; use Illuminate\Foundation\Http\FormRequest as BaseFormRequest; @@ -226,42 +228,54 @@ public function schema(): Schema */ protected function passesAuthorization() { - /** - * If the developer has implemented the `authorize` method, we - * will return the result if it is a boolean. This allows - * the developer to return a null value to indicate they want - * the default authorization to run. - */ - if (method_exists($this, 'authorize')) { - if (is_bool($passes = $this->container->call([$this, 'authorize']))) { - return $passes; + try { + /** + * If the developer has implemented the `authorize` method, we + * will return the result if it is a boolean. This allows + * the developer to return a null value to indicate they want + * the default authorization to run. + */ + if (method_exists($this, 'authorize')) { + $result = $this->container->call([$this, 'authorize']); + if ($result !== null) { + return $result instanceof Response ? $result->authorize() : $result; + } } - } - /** - * If the developer has not authorized the request themselves, - * we run our default authorization as long as authorization is - * enabled for both the server and the schema (checked via the - * `mustAuthorize()` method). - */ - if (method_exists($this, 'authorizeResource')) { - return $this->container->call([$this, 'authorizeResource']); - } + /** + * If the developer has not authorized the request themselves, + * we run our default authorization as long as authorization is + * enabled for both the server and the schema (checked via the + * `mustAuthorize()` method). + */ + if (method_exists($this, 'authorizeResource')) { + $result = $this->container->call([$this, 'authorizeResource']); + return $result instanceof Response ? $result->authorize() : $result; + } + } catch (AuthorizationException $ex) { + $this->failIfUnauthenticated(); + throw $ex; + } return true; } - /** - * @inheritDoc - */ - protected function failedAuthorization() + protected function failIfUnauthenticated() { - /** @var Guard $auth */ + /** @var Guard $auth */ $auth = $this->container->make(Guard::class); if ($auth->guest()) { throw new AuthenticationException(); } + } + + /** + * @inheritDoc + */ + protected function failedAuthorization() + { + $this->failIfUnauthenticated(); parent::failedAuthorization(); } diff --git a/src/Http/Requests/ResourceQuery.php b/src/Http/Requests/ResourceQuery.php index 116d5b9..940fc6e 100644 --- a/src/Http/Requests/ResourceQuery.php +++ b/src/Http/Requests/ResourceQuery.php @@ -11,6 +11,7 @@ namespace LaravelJsonApi\Laravel\Http\Requests; +use Illuminate\Auth\Access\Response; use Illuminate\Contracts\Validation\Validator; use Illuminate\Database\Eloquent\Model; use LaravelJsonApi\Contracts\Auth\Authorizer; @@ -104,9 +105,9 @@ public static function queryOne(string $resourceType): QueryParameters * Perform resource authorization. * * @param Authorizer $authorizer - * @return bool + * @return bool|Response */ - public function authorizeResource(Authorizer $authorizer): bool + public function authorizeResource(Authorizer $authorizer): bool|Response { if ($this->isViewingAny()) { return $authorizer->index( diff --git a/src/Http/Requests/ResourceRequest.php b/src/Http/Requests/ResourceRequest.php index 7a0a267..7b0ef36 100644 --- a/src/Http/Requests/ResourceRequest.php +++ b/src/Http/Requests/ResourceRequest.php @@ -11,6 +11,7 @@ namespace LaravelJsonApi\Laravel\Http\Requests; +use Illuminate\Auth\Access\Response; use Illuminate\Contracts\Validation\Factory as ValidationFactory; use Illuminate\Contracts\Validation\Validator; use Illuminate\Database\Eloquent\Model; @@ -150,9 +151,9 @@ public function toMany(): Collection * Perform resource authorization. * * @param Authorizer $authorizer - * @return bool + * @return bool|Response */ - public function authorizeResource(Authorizer $authorizer): bool + public function authorizeResource(Authorizer $authorizer): bool|Response { if ($this->isCreating()) { return $authorizer->store( diff --git a/tests/dummy/app/Http/Controllers/Api/V1/UserController.php b/tests/dummy/app/Http/Controllers/Api/V1/UserController.php index 0975510..131460c 100644 --- a/tests/dummy/app/Http/Controllers/Api/V1/UserController.php +++ b/tests/dummy/app/Http/Controllers/Api/V1/UserController.php @@ -19,6 +19,7 @@ class UserController extends Controller { use Actions\FetchOne; + use Actions\Destroy; use Actions\FetchRelated; use Actions\FetchRelationship; use Actions\UpdateRelationship; diff --git a/tests/dummy/app/Policies/UserPolicy.php b/tests/dummy/app/Policies/UserPolicy.php index 6c3e233..6fc202c 100644 --- a/tests/dummy/app/Policies/UserPolicy.php +++ b/tests/dummy/app/Policies/UserPolicy.php @@ -12,6 +12,7 @@ namespace App\Policies; use App\Models\User; +use Illuminate\Auth\Access\Response; class UserPolicy { @@ -50,4 +51,17 @@ public function updatePhone(User $user, User $other): bool { return $user->is($other); } + + /** + * Determine if the user can delete the other user. + * + * @param User $user + * @param User $other + * @return bool|Response + */ + public function delete(User $user, User $other) + { + return $user->is($other) ? true : Response::denyAsNotFound('not found message'); + } + } diff --git a/tests/dummy/routes/api.php b/tests/dummy/routes/api.php index a5de0cb..482a64d 100644 --- a/tests/dummy/routes/api.php +++ b/tests/dummy/routes/api.php @@ -25,7 +25,7 @@ }); /** Users */ - $server->resource('users')->only('show')->relationships(function ($relationships) { + $server->resource('users')->only('show','destroy')->relationships(function ($relationships) { $relationships->hasOne('phone'); })->actions(function ($actions) { $actions->get('me'); diff --git a/tests/dummy/tests/Api/V1/Users/DeleteTest.php b/tests/dummy/tests/Api/V1/Users/DeleteTest.php new file mode 100644 index 0000000..4980767 --- /dev/null +++ b/tests/dummy/tests/Api/V1/Users/DeleteTest.php @@ -0,0 +1,38 @@ +createOne(); + + $expected = $this->serializer + ->user($user); + $response = $this + ->actingAs(User::factory()->createOne()) + ->jsonApi('users') + ->delete(url('/api/v1/users', $expected['id'])); + + $response->assertNotFound() + ->assertHasError(404, [ + 'detail' => 'not found message', + 'status' => '404', + 'title' => 'Not Found', + ]); + } +}