I registered a Policy to access User's Profiles (view, edit). I either allow it if:
- The Profile you are trying to view belongs to you
- You have the Permission "edit any profile".
So this is my view() function in the Policy:
    public function view(User $user)
    {
        debug('User in Controller: '.$user->id);
        return (Auth::user()->id === $user->id) || Auth::user()->can('edit any profile');
    }
This is the method to show the profile view, taken from the ProfileController:
    public function show(User $user) {
        debug('User in Controller: '.$user->id);
        $this->authorize('view', $user);
        return view('profile.index')->with([
            "user" => $user,
        ]);
    }
And finally the route:
    Route::get('/profile/{user}', 'ProfileController@show')->name('profile');
Of course, the Policy has been registered in the AuthServiceProvider:
    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
        User::class => ProfilePolicy::class,
    ];
Basically the controller transmits the wrong user to the policy. Here are both messages from the respective debug()'s:
via Chebli Mohamed
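Added example, not code from the post: a plain-PHP model of how Laravel's gate invokes a policy method, passing the authenticated user first and the arguments given to authorize() after it. `User`, `Auth`, `authorize()` and both policy classes are stand-ins constructed here so the script runs without the framework; it assumes PHP 8.

```php
<?php
// Added example: plain-PHP stand-ins (User, Auth, authorize(), both policies), not Laravel code.
final class User
{
    public function __construct(public int $id, public array $permissions = []) {}
    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}
final class Auth
{
    public static User $current;
    public static function user(): User { return self::$current; }
}

// Models the gate's call: authenticated user first, then authorize()'s arguments.
// PHP silently drops arguments that a userland method does not declare.
function authorize(object $policy, string $ability, User $actor, ...$arguments): bool
{
    Auth::$current = $actor;
    return $policy->{$ability}($actor, ...$arguments);
}
// Same shape as the policy in the post: the single parameter is the actor.
final class OneArgProfilePolicy
{
    public function view(User $user): bool
    {
        return Auth::user()->id === $user->id || Auth::user()->can('edit any profile');
    }
}
// Second parameter receives the profile that was passed to authorize().
final class TwoArgProfilePolicy
{
    public function view(User $actor, User $profile): bool
    {
        return $actor->id === $profile->id || $actor->can('edit any profile');
    }
}

// Constructed sample users: two ordinary accounts and one holding the permission.
[$alice, $bob, $admin] = [new User(1), new User(2), new User(3, ['edit any profile'])];
foreach ([new OneArgProfilePolicy, new TwoArgProfilePolicy] as $policy) {
    foreach ([[$alice, $alice], [$alice, $bob], [$admin, $bob]] as [$actor, $target]) {
        $verdict = authorize($policy, 'view', $actor, $target) ? 'allowed' : 'denied';
        printf("%s: user %d -> profile %d: %s\n", $policy::class, $actor->id, $target->id, $verdict);
    }
}
```

In the one-parameter form the only argument is the authenticated user, so the ownership check compares a user with itself and every profile request is allowed. The two-parameter form denies the cross-user request unless the actor holds the permission.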