How can I do Authorization Policies in Laravel 5.3?

I read here :

And I tried to like this

My FavoritePolicy is like this :

namespace AppPolicies;
use AppUser;
use AppModelsFavorite;
use IlluminateAuthAccessHandlesAuthorization;
class FavoritePolicy
    use HandlesAuthorization;
    public function view(User $user, Favorite $favorite)
        return $user->id === $favorite->user_id;

My FavoriteController is like this :
use AppModelsFavorite;
class FavoriteController extends ApiController
    public function index(Favorite $favorite)
        $this->authorize('view', $favorite);
        return view('profile.favorite');

My AuthServiceProvider is like this :
namespace AppProviders;
use AppModelsFavorite;
use AppPoliciesFavoritePolicy;
use IlluminateFoundationSupportProvidersAuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
    protected $policies = [
        'AppModel' => 'AppPoliciesModelPolicy',
        Favorite::class => FavoritePolicy::class,
    public function boot()

When I run my system to display favorite listing, there exist error like this :

Whoops, looks like something went wrong.

1/1 HttpException in Handler.php line 115: This action is

What the implementation of Authorization Policies is correct?

I try dd($user) in view method(FavoritePolicy), the result displays user data is being logged. It’s true

But I try dd($favorite), the result does not display favorite data of the user who is currently logged. Whereas I check on the table, favorite data of the user who is currently logged is exist

How can I solve this problem?


There result of dd($favorite) :

Favorite {#498 ▼
  #fillable: array:3 [▶]
  #connection: null
  #table: null
  #primaryKey: "id"
  #keyType: "int"
  #perPage: 15
  +incrementing: true
  +timestamps: true
  #attributes: []
  #original: []
  #relations: []
  #hidden: []
  #visible: []
  #appends: []
  #guarded: array:1 [▼
    0 => "*"
  #dates: []
  #dateFormat: null
  #casts: []
  #touches: []
  #observables: []
  #with: []
  +exists: false
  +wasRecentlyCreated: false


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Thanks for the additional info in your update!

So, you want to show the detail page of one specific Favorite entity, but only if the user is the owner of this entity?

Firstly a minor “issue”: usually in Laravel the controller method that shows details of a specific entity is called show, not index. index is the name for methods that show a list of entities (in your example: a list of favorites).

Regarding your problem:
Your policy checks if the currently logged in user can view an empty $favorite (see the dd($favorite) output in your post update). Which means, that $favorite is also not set in your index method.

I guess, you have a route defined similar to this:

Route::get('favorite/{id}', '<a href="" class="__cf_email__" data-cfemail="a7e1c6d1c8d5ced3c2e4c8c9d3d5c8cbcbc2d5e7cec9c3c2df">[email protected]</a>');

This means, that the value of id is injected into your index method as a parameter, but not a Favorite entity. To query for the Favorite entity is something you need to do in the method.

So, your method should more look like this:

public function index($favoriteId)
    $favorite = Favorite::findOrFail($favoriteId);
    $this->authorize('view', $favorite);
    return view('profile.favorite')->with('favorite', $favorite);

Hope that helps! If not, please add a comment!

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x