[5.x] Throws Laravel\Horizon\Exceptions\ForbiddenException on unauthorized access #1308
Conversation
Instead of a configurable option, I feel it might be better to throw a custom exception, and then you can customise how it renders via your application's Exception Handler.
@crynobone a custom exception would work
I think now we would throw a 500 error?
src/Http/Middleware/Authenticate.php
@@ -15,6 +16,10 @@ class Authenticate | |||
*/ | |||
public function handle($request, $next) | |||
{ | |||
return Horizon::check($request) ? $next($request) : abort(403); | |||
if (! Horizon::check($request)) { | |||
throw new UnauthorizedException(401); |
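Review bot: the replacement `throw new UnauthorizedException(401);` changes the status returned on a failed `Horizon::check($request)` from the previous `abort(403)` to 401, and the two are not interchangeable: 401 tells the client it has not authenticated, whereas this gate is an authorization decision about an already-identified request, which is what 403 expresses. Keep 403 as before and name the exception accordingly, i.e. throw a `Laravel\Horizon\Exceptions\ForbiddenException` carrying 403 (the name the PR title settles on), so that the application's exception handler can still render it however it likes without the status code contradicting the exception's meaning.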
Any reason not to use 403 same as before?
I probably pasted the incorrect exception on my last review. Sorry
Well, the 403 status code !== unauthorized. We can use 403, but we should probably change the name of the exception to use "Forbidden" instead :)
It is common in applications that restrict access to another user's resource to return a 404 to indicate that the resource does not exist. I would like to give developers the option to apply this behaviour to Horizon, to hide its presence within an application from unauthenticated users.
This PR allows developers to define what status code should be returned when Horizon's authentication fails, via a new horizon.unauthorized_status config option (happy for this to be renamed if anyone has any other suggestions). I've restricted the accepted status codes to 403 and 404, falling back to 403 otherwise.
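The approach the thread converges on (the middleware throws Horizon's ForbiddenException and the application's exception handler decides how to render it), combined with the configurable 403/404 status from the PR description, as an added example that is not Horizon's or this PR's own code. It assumes a Laravel 8+ application (the renderable() handler API); the horizon.unauthorized_status key is only proposed on this page, so treating it as an application-defined config value, along with the horizonDeniedStatus helper, is an assumption of this example.

```php
<?php
// Added example (not Horizon's or this PR's code): render Horizon's
// ForbiddenException from the application's exception handler, choosing
// 403 or 404 from config. Assumes Laravel 8+ (renderable() API) and an
// application-defined horizon.unauthorized_status config key, both
// assumptions of this example.

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Http\Request;
use Laravel\Horizon\Exceptions\ForbiddenException;

class Handler extends ExceptionHandler
{
    /** Only these statuses are accepted; anything else falls back to 403. */
    private const ALLOWED = [403 => 'Forbidden', 404 => 'Not Found'];

    /**
     * Normalise the configured status (hypothetical helper). Restricting
     * the set means a typo in config (e.g. 200 or 500) can never turn a
     * denial into a success or an unhandled error: unknown values become 403.
     */
    public static function horizonDeniedStatus($configured): int
    {
        $status = (int) $configured;

        return array_key_exists($status, self::ALLOWED) ? $status : 403;
    }

    public function register(): void
    {
        $this->renderable(function (ForbiddenException $e, Request $request) {
            // 404 hides that the Horizon dashboard exists at all; 403
            // confirms the route but denies access. Either way the reply
            // should look like the app's ordinary 403/404, so it uses the
            // same plain message shape for JSON and HTML clients.
            $status = self::horizonDeniedStatus(config('horizon.unauthorized_status', 403));
            $text = self::ALLOWED[$status];

            if ($request->expectsJson()) {
                return response()->json(['message' => $text], $status);
            }

            return response($text, $status);
        });
    }
}
```

With 'unauthorized_status' => 404 in config/horizon.php, every denied request to the Horizon routes becomes indistinguishable from an unknown route, which is the hiding behaviour the PR description asks for; leaving the key unset keeps the 403 that the middleware returned before. Because the decision lives in the application's handler rather than in Horizon, the package only has to throw one well-named exception, which is the reviewers' point above.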