500 status returns for forbidden exception
jacksontong opened this issue

| Q | A |
|---|---|
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 7.16.1 |
| Package version | 3.0.0 |
| PHP version | 7.4.7 |
### Actual Behaviour

I'm using `authorizeResource` from the controller's constructor, and Dingo API returns 500 status errors if I'm not authorized to perform the action.
### Expected Behaviour
It should return 403 status instead.
### Steps to Reproduce
Controller

```php
<?php

namespace App\Http\Controllers;

use App\Customer;
use Illuminate\Http\JsonResponse;

class CustomerController extends Controller
{
    public function __construct()
    {
        // Require an authenticated JWT user before any action runs.
        $this->middleware('jwt.auth');
        // Map resource actions to CustomerPolicy; destroy() is checked by CustomerPolicy::delete().
        $this->authorizeResource(Customer::class, 'customer');
    }

    /**
     * Delete a customer
     *
     * @param Customer $customer
     * @return \Illuminate\Http\JsonResponse
     */
    public function destroy(Customer $customer): JsonResponse
    {
        $customer->delete();

        return response()->json(null, 204);
    }
}
```
CustomerPolicy

```php
<?php

namespace App\Policies;

use App\Customer;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class CustomerPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any models.
     *
     * @param \App\User $user
     * @return mixed
     */
    public function viewAny(User $user)
    {
        return true;
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param \App\User $user
     * @param \App\Customer $customer
     * @return mixed
     */
    public function delete(User $user, Customer $customer)
    {
        // Only the owning user may delete; anyone else gets an AuthorizationException.
        return $user->id == $customer->user_id;
    }
}
```
CustomerTest

```php
<?php

namespace Tests\Feature;

use App\Customer;
use App\User;
use Dingo\Api\Routing\UrlGenerator;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CustomerTest extends TestCase
{
    use RefreshDatabase;

    /**
     * @var UrlGenerator
     */
    protected $urlGenerator;

    protected function setUp(): void
    {
        parent::setUp();
        // Dingo's URL generator, pinned to API version v1.
        $this->urlGenerator = app(UrlGenerator::class)->version('v1');
    }

    public function test_user_cannot_delete_customer_belongs_to_other_user()
    {
        $urlGenerator = $this->urlGenerator;
        $user = factory(User::class)->create();
        // The customer belongs to a different factory-created user, so the policy must deny.
        $customer = factory(Customer::class)->create();

        // apiLogin() is a helper on the project's base TestCase (not shown in the issue).
        $this->apiLogin($user)
            ->deleteJson($urlGenerator->route('customers.destroy', $customer))
            ->dump()
            ->assertForbidden();

        /*
        Output of dump() and the failing assertion:
        {#2294
          +"message": "This action is unauthorized."
          +"status_code": 500
        }
        Response status code [500] is not a forbidden status code.
        Failed asserting that false is true.
        /home/vagrant/code/php/pvsell-api/vendor/laravel/framework/src/Illuminate/Testing/TestResponse.php:150
        */
    }
}
```
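The 500 above comes from Dingo's own exception handler, which does not apply Laravel's default mapping of `AuthorizationException` to a 403 and so falls through to its generic server-error response. One way to get the expected 403 until the package handles it, as an added example that is not part of the issue or the package: register a handler for that exception with Dingo's `api.exception` binding. It assumes the stock Laravel 7 `App\Providers\AppServiceProvider` and Dingo's `{message, status_code}` error shape seen in the dump.

```php
<?php

namespace App\Providers;

use Dingo\Api\Exception\Handler as ApiExceptionHandler;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot()
    {
        /** @var ApiExceptionHandler $handler Dingo's exception handler (container binding "api.exception") */
        $handler = $this->app['api.exception'];

        // Dingo matches registered handlers on the closure's parameter type hint.
        // Laravel's AuthorizationException is a plain Exception, not an HTTP exception,
        // so without this registration Dingo answers with its generic 500 response.
        // Return a 403 in Dingo's own error format so clients and tests see "forbidden".
        $handler->register(function (AuthorizationException $e): JsonResponse {
            return new JsonResponse([
                'message'     => $e->getMessage() ?: 'This action is unauthorized.',
                'status_code' => 403,
            ], 403);
        });
    }
}
```

With this in place the `assertForbidden()` call in the test above passes, and the policy denial is no longer logged as a server error.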
Duplicate of #1229