feat: support Illuminate\Auth\Access\Response from authorizer

Author: Gregory Haddow

src/Http/Requests/FormRequest.php

@@ -11,6 +11,7 @@
 
 namespace LaravelJsonApi\Laravel\Http\Requests;
 
+use Illuminate\Auth\Access\Response;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Contracts\Auth\Guard;
 use Illuminate\Foundation\Http\FormRequest as BaseFormRequest;
@@ -233,8 +234,9 @@ protected function passesAuthorization()
          * the default authorization to run.
          */
         if (method_exists($this, 'authorize')) {
-            if (is_bool($passes = $this->container->call([$this, 'authorize']))) {
-                return $passes;
+            $result = $this->container->call([$this, 'authorize']);
+            if ($result !== null) {
+                return $result instanceof Response ? $result->authorize() : $result;
             }
         }
 
@@ -245,7 +247,8 @@ protected function passesAuthorization()
          * `mustAuthorize()` method).
          */
         if (method_exists($this, 'authorizeResource')) {
-            return $this->container->call([$this, 'authorizeResource']);
+            $result = $this->container->call([$this, 'authorizeResource']);
+            return $result instanceof Response ? $result->authorize() : $result;
         }
 
         return true;

src/Http/Requests/ResourceQuery.php

@@ -11,6 +11,7 @@
 
 namespace LaravelJsonApi\Laravel\Http\Requests;
 
+use Illuminate\Auth\Access\Response;
 use Illuminate\Contracts\Validation\Validator;
 use Illuminate\Database\Eloquent\Model;
 use LaravelJsonApi\Contracts\Auth\Authorizer;
@@ -104,9 +105,9 @@ public static function queryOne(string $resourceType): QueryParameters
      * Perform resource authorization.
      *
      * @param Authorizer $authorizer
-     * @return bool
+     * @return bool|Response
      */
-    public function authorizeResource(Authorizer $authorizer): bool
+    public function authorizeResource(Authorizer $authorizer): bool|Response
     {
         if ($this->isViewingAny()) {
             return $authorizer->index(

src/Http/Requests/ResourceRequest.php

@@ -11,6 +11,7 @@
 
 namespace LaravelJsonApi\Laravel\Http\Requests;
 
+use Illuminate\Auth\Access\Response;
 use Illuminate\Contracts\Validation\Factory as ValidationFactory;
 use Illuminate\Contracts\Validation\Validator;
 use Illuminate\Database\Eloquent\Model;
@@ -150,9 +151,9 @@ public function toMany(): Collection
      * Perform resource authorization.
      *
      * @param Authorizer $authorizer
-     * @return bool
+     * @return bool|Response
      */
-    public function authorizeResource(Authorizer $authorizer): bool
+    public function authorizeResource(Authorizer $authorizer): bool|Response
     {
         if ($this->isCreating()) {
             return $authorizer->store(

tests/dummy/app/Http/Controllers/Api/V1/UserController.php

@@ -19,6 +19,7 @@
 class UserController extends Controller
 {
     use Actions\FetchOne;
+    use Actions\Destroy;
     use Actions\FetchRelated;
     use Actions\FetchRelationship;
     use Actions\UpdateRelationship;

tests/dummy/app/Policies/UserPolicy.php

@@ -12,6 +12,7 @@
 namespace App\Policies;
 
 use App\Models\User;
+use Illuminate\Auth\Access\Response;
 
 class UserPolicy
 {
@@ -50,4 +51,17 @@ public function updatePhone(User $user, User $other): bool
     {
         return $user->is($other);
     }
+
+    /**
+     * Determine if the user can delete the other user.
+     *
+     * @param User $user
+     * @param User $other
+     * @return bool|Response
+     */
+    public function delete(User $user, User $other)
+    {
+        return $user->is($other) ? true : Response::denyAsNotFound('not found message');
+    }
+
 }

tests/dummy/routes/api.php

@@ -25,7 +25,7 @@
         });
 
         /** Users */
-        $server->resource('users')->only('show')->relationships(function ($relationships) {
+        $server->resource('users')->only('show','destroy')->relationships(function ($relationships) {
             $relationships->hasOne('phone');
         })->actions(function ($actions) {
             $actions->get('me');

tests/dummy/tests/Api/V1/Users/DeleteTest.php

@@ -0,0 +1,38 @@
+<?php
+/*
+ * Copyright 2024 Cloud Creativity Limited
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+
+declare(strict_types=1);
+
+namespace App\Tests\Api\V1\Users;
+
+use App\Models\User;
+use App\Tests\Api\V1\TestCase;
+
+class DeleteTest extends TestCase
+{
+
+    public function test(): void
+    {
+        $user = User::factory()->createOne();
+
+        $expected = $this->serializer
+            ->user($user);
+        $response = $this
+            ->actingAs(User::factory()->createOne())
+            ->jsonApi('users')
+            ->delete(url('/api/v1/users', $expected['id']));
+
+        $response->assertNotFound()
+            ->assertHasError(404, [
+            'detail' => 'not found message',
+            'status' => '404',
+            'title' => 'Not Found',
+        ]);
+    }
+}