AuthorizationException throws MethodNotAllowed in redirect due to status code 302

[lcamero]

Hi,

Using Laravel as backend, I've implemented a ProductPolicy for my Product model, mapped the validations in the __construct() method within my ProductController using this->authorizeResource(Product::class, 'product');.

My routes are using a Route::resource('product', ProductController::class); definition

And I've implemented a if ($exception instanceof AuthorizationException) {} validation within my \App\Exceptions\Handler render() method to catch my authorization errors to perform a redirect back with some errors

The issue I'm having is that I've been testing my DELETE route using a user with no permission to DELETE by performing a <Link method="delete" as="button" :href="route('product.destroy', product.id)">Remove</Link> in my Vue template.
This results in a MethodNotAllowed because the DELETE permission fires, gets caught by my handler and returns a 302, which then goes to my redirect (to the index route in my case) but since we need a 303 redirect instead, it opens a model with the exception message.

Now, I've read that Inertia handles the 303 status code conversion in the Middleware, so I'm assuming that my AuthorizationException is getting in the middle and I'm having to do some check in the request method to convert the status code to 303 myself, something like

public function render($request, Throwable $exception)
    {
        if ($exception instanceof AuthorizationException) {
            $errors = ['message' => __("You're not authorized to perform this action")];

            return in_array($request->method(), ['PUT', 'PATCH', 'DELETE']) ?
                    redirect()->back()->withErrors($errors)->setStatusCode(303) :
                    redirect()->back()->withErrors($errors) ;
        }

        return parent::render($request, $exception);
    }

Is it possible I'm handling this the wrong way? Should I be handling the exception differently so Inertia has time to convert my status code?

I'm just trying to validate the user has DELETE permissions on a resource by using the policy validation, but the Exception seems to be getting in the way of the redirect, which makes me have to manually validate the request method.

I did check redirecting back within the destroy() method in my controller, and that works as long as I don't throw the exception.

[ajnsn]

Hey @lcamero

I tried your code and it works, at least in Laravel 8. I am getting an 303 redirect, even with just a return redirect()->back()->withErrors($errors). It takes me back to the original component and the payload has the errors prop filled.

I am using a smiliar approach in my Inertia apps by default, e.g. also for the TokenMismatchException or the ThrottleRequestsException.

Are you sure you have applied the Inertia middleware to your web middleware group as described here? And that this group is applied to your route? (Note that the web group does not apply to routes inside the api.php by default, just in case.)

If I change the changeRedirectCode method to just return $response;, I am also getting the MethodNotAllowedHttpException.

[lcamero]

Hey thanks for the reply! @ajnsn

The code works on my end as well as it is right now, I just find it a little dirty having to check the request method in that exception.

Without any special handling on my side, laravel does change the status code using the middleware which is good. I've checked it exists in my web group, last position and it is applied to my route as well

I just find that when trying to perform a DELETE action on a resource I have no permissions for, instead of redirecting back with my error it throws the exception.

This code throws the exception in my case in App\Exceptions\Handler

public function render($request, Throwable $exception)
    {
        if ($exception instanceof AuthorizationException) {
            $errors = ['message' => __("You're not authorized to perform this action")];

            return redirect()->back()->withErrors($errors);
        }

        return parent::render($request, $exception);
    }

At this moment my policy just checks this

    public function delete(User $user, Product $product)
    {
        return $user->can('products:delete');
    }

If I make that validation fail be removing that permission from my user, when I hit the destroy route, it throws the AuthorizationException and the redirect then throws the MethodNotAllowedHttpException

Here's an image of the network tab for that failure

You can see the 302 status code.

Below is the successful attempt, which is processed by my doing a redirect()->back()->withErrors($errors)->setStatusCode(303)

For some reason I think the authorization exception breaks the flow of the redirect status definition.

If you have any more insight I'd appreciate it!

[ajnsn]

I already tried to reproduce your code and it works for me out of the box. I do not need to apply the status code. Is your application repo public or can you give me an invite, so I can take a look?
You can also try to setup a fresh Laravel/Inertia project with just one Model + Policy and try to reproduce it yourself.