[5.8] Allow for explicit text parameters on Authorize middleware #26443
Conversation
Otherwise the previous (before PR #25763) behaviour should take place and return a null value to the gate when there's no bind to the route with that key.
|
Just for clarity, what policy method now gets called when you use a string argument? For example when you do Does it go to the authorised users' policy and check if there is a method called 'create' and call it with the current user and "article" Or does it try and resolve 'article' to a model and then find that models policy, and then finds the create method and calls it with the authorised user and 'article'? |
|
@JackPriceBurns This does not change at all. If you have registered a policy with the key If you have registered let's say an Neither way it would pass through the modified code. |
Pull Request #25763 broke some non documented functionality (explained here #26422) related to the Authorize middleware.
The previous implementation would allow to set an Authorize for a Gate with an optional parameter. That could be useful when the 'can' middleware is attached directly into the controller method (instead of a route) and thus act on multiple routes that access such method.
The current (master) implementation sends a string with the value of the Authorize argument if it's not a route parameter. This is behave ambiguous as any argument on the middleware can mean either a parameter of the request named after it or it's own name depending of the conditions a layer of abstraction up.
This PR solves this issue while still allowing the Authorize middleware to send string values to Gates by explicitly defining them as string using single or double quoted values on it's arguments, thus removing the ambiguity:
TL;DR; This reverts the default bahaviour to prior PR #25763, while still allowing string parameters.