fix: authorizer response should be honoured on destroy action when no request class for resource

Author: Gregory Haddow

src/Http/Controllers/Actions/Destroy.php

@@ -12,6 +12,7 @@
 namespace LaravelJsonApi\Laravel\Http\Controllers\Actions;
 
 use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Auth\Access\Response as AuthResponse;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Contracts\Support\Responsable;
 use Illuminate\Http\Response;
@@ -63,13 +64,24 @@ public function destroy(Route $route, StoreContract $store)
          * So we need to trigger authorization in this case.
          */
         if (!$request) {
-            $check = $route->authorizer()->destroy(
+            $result = $route->authorizer()->destroy(
                 $request = \request(),
                 $model,
             );
 
-            throw_if(false === $check && Auth::guest(), new AuthenticationException());
-            throw_if(false === $check, new AuthorizationException());
+            if ($result instanceof AuthResponse) {
+                try {
+                    $result->authorize();
+                } catch (AuthorizationException $ex) {
+                    if (!$ex->hasStatus()) {
+                        throw_if(Auth::guest(), new AuthenticationException());
+                    }
+                    throw $ex;
+                }
+            }
+
+            throw_if(false === $result && Auth::guest(), new AuthenticationException());
+            throw_if(false === $result, new AuthorizationException());
         }
 
         $response = null;

tests/dummy/app/Policies/TagPolicy.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies;
+
+use App\Models\Tag;
+use App\Models\User;
+use Illuminate\Auth\Access\Response;
+
+class TagPolicy
+{
+
+    /**
+     * Determine if the user can delete the tag
+     *
+     * @param ?User $user
+     * @param Tag $tag
+     * @return bool|Response
+     */
+    public function delete(?User $user, Tag $tag)
+    {
+        return Response::denyAsNotFound('not found message');
+    }
+}

tests/dummy/routes/api.php

@@ -8,6 +8,7 @@
  */
 
 use LaravelJsonApi\Laravel\Facades\JsonApiRoute;
+use LaravelJsonApi\Laravel\Http\Controllers\JsonApiController;
 
 JsonApiRoute::server('v1')
     ->prefix('v1')
@@ -35,4 +36,6 @@
         $server->resource('videos')->relationships(function ($relationships) {
             $relationships->hasMany('tags');
         });
+
+        $server->resource('tags', '\\' . JsonApiController::class)->only('destroy');
     });

tests/dummy/tests/Api/V1/Tags/DeleteTest.php

@@ -0,0 +1,50 @@
+<?php
+/*
+ * Copyright 2024 Cloud Creativity Limited
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+
+declare(strict_types=1);
+
+namespace App\Tests\Api\V1\Tags;
+
+use App\Models\Tag;
+use App\Models\User;
+use App\Tests\Api\V1\TestCase;
+
+class DeleteTest extends TestCase
+{
+    public function test(): void
+    {
+        $tag = Tag::factory()->createOne();
+
+        $response = $this
+            ->actingAs(User::factory()->createOne())
+            ->jsonApi('users')
+            ->delete(url('/api/v1/tags', $tag));
+
+        $response->assertNotFound()->assertErrorStatus([
+            'detail' => 'not found message',
+            'status' => '404',
+            'title' => 'Not Found',
+        ]);
+    }
+
+    public function testUnauthenticated(): void
+    {
+        $tag = Tag::factory()->createOne();
+
+        $response = $this
+            ->jsonApi('users')
+            ->delete(url('/api/v1/tags', $tag));
+
+        $response->assertNotFound()->assertErrorStatus([
+            'detail' => 'not found message',
+            'status' => '404',
+            'title' => 'Not Found',
+        ]);
+    }
+}