[8.x] Adds on-demand gate authorization

[DarkGhostHunter]

What?

Allows the gate to permit or forbid a procedure by a condition, instead of using the gate to register a one-time ability or using verbose checks. Rework of #39778.

Before

use Illuminate\Auth\Access\AuthorizationException;
use App\Models\Wallet;

$wallet = Wallet::find(1);

if ($wallet->overQuota()) {
    throw new AuthorizationException("This action exceeds your cuota");
}

After

use Illuminate\Support\Facades\Gate;
use App\Models\Wallet;

$wallet = Wallet::find(1);

// Forbids an action...
Gate::forbid($wallet->overQuota(), "This action exceeds your cuota");

// or permits an action.
Gate::permit($wallet->underQuota(), "This action exceeds your cuota");

This is intended is only for one-time checks. Developers are encouraged to register abilities when these can be reused.

Why?

Because you can bypass registering an action in the Gate, without abandoning the Gate powers. For example, you can also issue callbacks to retrieve the currently authenticated user and even set a message...

use Illuminate\Support\Facades\Gate;
use App\Models\Wallet;

Gate::forbid(fn ($user) => $user->wallet->overQuota(), "You exceed your cuota", 409);

... or hijack the callback with a Response instance anytime.

use Illuminate\Auth\Access\Response;use Illuminate\Support\Facades\Gate;
use App\Models\Wallet;

Gate::forbid(function ($user) {
    if ($user->can('bypassQuota')) {
        // This takes precedence. 
        return Response::allow('Quota limits are not applied to you.');
    }
    
    return $user->wallet->overQuota();
});

BC?

Nope, only additive.

[DarkGhostHunter]

Help pls Docker decided to die.

[DarkGhostHunter]

Can someone help me re-run the jobs?

[driesvints]

@DarkGhostHunter done

[DarkGhostHunter]

Tx

[taylorotwell]

@DarkGhostHunter

Renamed to allowIf and denyIf.

I have a concern with the behavior of the callback in regards to the currently authenticated user. Currently, it functions differently than typical gates. Typically, a gate will automatically throw an authorization exception if no user is authenticated unless the given gate or policy method has a nullable type hint on the user.

However, this PR will just pass null into the callback if the user is not authenticated.

IMO it should function exactly like a typical gate if you pass a callback to the allowIf or denyIf methods.

[taylorotwell]

Converting to draft while you potentially address this. Please mark as ready for review when you would like me to look at this PR again.

[DarkGhostHunter]

I reworked the method to always throw an exception if the callback requires the authenticated user and there is none.

I thought a AuthenticationException would make more sense, but since the user requirement is part of the callback itself, I think it's fine to even respect the same message and code issued (if any).

This will return an AuthorizationException

// No user authenticated
Gate::allowIf(function (Authenticatable $user) {
    return true;
}, 'Do not');

// AuthorizationException: "Do not".

[taylorotwell]

I find passing an $allow flag as the last parameter of allowIf utterly confusing. Please remove that and just duplicate some code if you have to between the two methods. It makes them both much easier to read.

[DarkGhostHunter]

Can I just create a “onDemand” protected method and use allowIf and denyIf as the fronts? Not a fan of copy pasting anything. Italo Baeza C.

…

El 02-12-2021, a la(s) 11:00, Taylor Otwell ***@***.***> escribió:  I find passing an $allow flag as the last parameter of allowIf utterly confusing. Please remove that and just duplicate some code if you have to between the two methods. It makes them both much easier to read. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[taylorotwell]

Thanks for contributing to Laravel! ❤️

[DarkGhostHunter]

You rock dude. If I wasn’t for you, I would probably be stealing on the streets. Italo Baeza C.

…

El 02-12-2021, a la(s) 18:22, Taylor Otwell ***@***.***> escribió:  Thanks for contributing to Laravel! ❤️ — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.