Merge branch 'release/5.0.1'

lindyhopchris · lindyhopchris · commit 44fdbb8e5586 · 2024-12-02T17:28:34.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file. This projec
 
 ## Unreleased
 
+## [5.0.1] - 2025-12-02
+
+### Fixed
+
+- [#301](https://github.com/laravel-json-api/laravel/pull/301) Do not override response status when authorization
+  exception is thrown.
+
 ## [5.0.0] - 2025-12-01
 
 ### Changed
diff --git a/src/Http/Requests/FormRequest.php b/src/Http/Requests/FormRequest.php
@@ -254,7 +254,9 @@ protected function passesAuthorization()
             }
 
         } catch (AuthorizationException $ex) {
-            $this->failIfUnauthenticated();
+            if (!$ex->hasStatus()) {
+                $this->failIfUnauthenticated();
+            }
             throw $ex;
         }
         return true;
diff --git a/tests/dummy/app/Policies/UserPolicy.php b/tests/dummy/app/Policies/UserPolicy.php
@@ -55,13 +55,13 @@ public function updatePhone(User $user, User $other): bool
     /**
      * Determine if the user can delete the other user.
      *
-     * @param User $user
+     * @param ?User $user
      * @param User $other
      * @return bool|Response
      */
-    public function delete(User $user, User $other)
+    public function delete(?User $user, User $other)
     {
-        return $user->is($other) ? true : Response::denyAsNotFound('not found message');
+        return $user?->is($other) ? true : Response::denyAsNotFound('not found message');
     }
 
 }
diff --git a/tests/dummy/tests/Api/V1/Users/DeleteTest.php b/tests/dummy/tests/Api/V1/Users/DeleteTest.php
@@ -16,23 +16,34 @@
 
 class DeleteTest extends TestCase
 {
-
     public function test(): void
     {
         $user = User::factory()->createOne();
 
-        $expected = $this->serializer
-            ->user($user);
         $response = $this
             ->actingAs(User::factory()->createOne())
             ->jsonApi('users')
-            ->delete(url('/api/v1/users', $expected['id']));
+            ->delete(url('/api/v1/users', $user));
 
-        $response->assertNotFound()
-            ->assertHasError(404, [
+        $response->assertNotFound()->assertErrorStatus([
             'detail' => 'not found message',
             'status' => '404',
             'title' => 'Not Found',
         ]);
     }
+
+    public function testUnauthenticated(): void
+    {
+        $user = User::factory()->createOne();
+
+        $response = $this
+            ->jsonApi('users')
+            ->delete(url('/api/v1/users', $user));
+
+        $response->assertNotFound()->assertErrorStatus([
+                'detail' => 'not found message',
+                'status' => '404',
+                'title' => 'Not Found',
+            ]);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -254,7 +254,9 @@ protected function passesAuthorization()`
`254`	`254`	`}`
`255`	`255`
`256`	`256`	`} catch (AuthorizationException $ex) {`
`257`		`- $this->failIfUnauthenticated();`
	`257`	`+ if (!$ex->hasStatus()) {`
	`258`	`+ $this->failIfUnauthenticated();`
	`259`	`+ }`
`258`	`260`	`throw $ex;`
`259`	`261`	`}`
`260`	`262`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -55,13 +55,13 @@ public function updatePhone(User $user, User $other): bool`
`55`	`55`	`/**`
`56`	`56`	`* Determine if the user can delete the other user.`
`57`	`57`	`*`
`58`		`- * @param User $user`
	`58`	`+ * @param ?User $user`
`59`	`59`	`* @param User $other`
`60`	`60`	`* @return bool\|Response`
`61`	`61`	`*/`
`62`		`- public function delete(User $user, User $other)`
	`62`	`+ public function delete(?User $user, User $other)`
`63`	`63`	`{`
`64`		`- return $user->is($other) ? true : Response::denyAsNotFound('not found message');`
	`64`	`+ return $user?->is($other) ? true : Response::denyAsNotFound('not found message');`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`}`