fix(laravel): call authorize on delete but not validation

soyuka · soyuka · commit f3b3069ba14a · 2024-09-17T14:13:00.000+02:00
diff --git a/src/Laravel/State/ValidateProvider.php b/src/Laravel/State/ValidateProvider.php
@@ -16,6 +16,7 @@
 use ApiPlatform\Metadata\Error;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
+use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Contracts\Foundation\Application;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Validator;
@@ -42,7 +43,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         $request = $context['request'];
         $body = $this->inner->provide($operation, $uriVariables, $context);
 
-        if (!$operation->canValidate() || $operation instanceof Error) {
+        if ($operation instanceof Error) {
             return $body;
         }
 
@@ -53,15 +54,23 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         if (\is_string($rules) && is_a($rules, FormRequest::class, true)) {
             try {
+                // this also throws an AuthorizationException
                 $this->app->make($rules);
-                // } catch (AuthorizationException $e) { // TODO: we may want to catch this to transform to an error
             } catch (ValidationException $e) { // @phpstan-ignore-line make->($rules) may throw this
+                if (!$operation->canValidate()) {
+                    return $body;
+                }
+
                 throw $this->getValidationError($e->validator, $e);
             }
 
             return $body;
         }
 
+        if (!$operation->canValidate()) {
+            return $body;
+        }
+
         if (!\is_array($rules)) {
             return $body;
         }
diff --git a/src/Laravel/Tests/AuthTest.php b/src/Laravel/Tests/AuthTest.php
@@ -47,4 +47,12 @@ public function testAuthenticatedPolicy(): void
         $response = $this->post('/api/vaults', [], ['accept' => ['application/ld+json'], 'content-type' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
         $response->assertStatus(403);
     }
+
+    public function testAuthenticatedDeleteWithPolicy(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->delete('/api/vaults/1', [], ['accept' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(403);
+    }
 }
diff --git a/src/Laravel/workbench/app/Http/Requests/VaultFormRequest.php b/src/Laravel/workbench/app/Http/Requests/VaultFormRequest.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Workbench\App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Workbench\App\Models\Vault;
+
+class VaultFormRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return $this->user()->can('delete', new Vault());
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'secret' => 'required',
+        ];
+    }
+}
diff --git a/src/Laravel/workbench/app/Models/Vault.php b/src/Laravel/workbench/app/Models/Vault.php
@@ -14,10 +14,12 @@
 namespace Workbench\App\Models;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
+use Workbench\App\Http\Requests\VaultFormRequest;
 
 #[ApiResource(
     operations: [
@@ -30,6 +32,7 @@
             read: true,
             write: false
         ),
+        new Delete(middleware: 'auth:sanctum', rules: VaultFormRequest::class, provider: [self::class, 'provide']),
     ]
 )]
 class Vault extends Model
diff --git a/src/Laravel/workbench/app/Policies/VaultPolicy.php b/src/Laravel/workbench/app/Policies/VaultPolicy.php
@@ -22,4 +22,9 @@ public function update(User $user, Vault $vault): bool
     {
         return false;
     }
+
+    public function delete(User $user): bool
+    {
+        return false;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,12 @@ public function testAuthenticatedPolicy(): void`
`47`	`47`	`$response = $this->post('/api/vaults', [], ['accept' => ['application/ld+json'], 'content-type' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);`
`48`	`48`	`$response->assertStatus(403);`
`49`	`49`	`}`
	`50`	`+`
	`51`	`+ public function testAuthenticatedDeleteWithPolicy(): void`
	`52`	`+ {`
	`53`	`+ $response = $this->post('/tokens/create');`
	`54`	`+ $token = $response->json()['token'];`
	`55`	`+ $response = $this->delete('/api/vaults/1', [], ['accept' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);`
	`56`	`+ $response->assertStatus(403);`
	`57`	`+ }`
`50`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,9 @@ public function update(User $user, Vault $vault): bool`
`22`	`22`	`{`
`23`	`23`	`return false;`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ public function delete(User $user): bool`
	`27`	`+ {`
	`28`	`+ return false;`
	`29`	`+ }`
`25`	`30`	`}`