Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[5.x] Throws Laravel\Horizon\Exceptions\ForbiddenException on unauthorized access #1308

Merged
merged 9 commits into from
Aug 30, 2023
Merged

[5.x] Throws Laravel\Horizon\Exceptions\ForbiddenException on unauthorized access #1308

merged 9 commits into from
Aug 30, 2023

Conversation

joelbutcher
Copy link
Contributor

It is common in applications that restrict access to another users' resource to return a 404 to indicate that resource does not exist. I would like to give developers to option to apply this functionality to Horizon to hide it's presence within an application from unauthenticated users.

This PR allows developers to define what status code should be returned when Horizon's authentication fails, via a new horizon.unauthorized_status config option (happy for this to be renamed, if anyone has any other suggestions).

I've restricted the accepted status codes to 403 and 404, falling back to 403 if this is not the case.

@crynobone
Copy link
Member

Instead of configurable option I would feel it might be better to throw custom exception and then you can customise how it render via your application Exception Handler.

@joelbutcher
Copy link
Contributor Author

joelbutcher commented Aug 29, 2023
edited
Loading

@crynobone a custom exception would work

@taylorotwell
Copy link
Member

I think now we would throw a 500 error?

@taylorotwell taylorotwell marked this pull request as draft August 29, 2023 13:50
@joelbutcher joelbutcher marked this pull request as ready for review August 29, 2023 14:07
crynobone
crynobone reviewed Aug 29, 2023
View reviewed changes
src/Http/Middleware/Authenticate.php Outdated
@@ -15,6 +16,10 @@ class Authenticate
*/
public function handle($request, $next)
{
return Horizon::check($request) ? $next($request) : abort(403);
if (! Horizon::check($request)) {
throw new UnauthorizedException(401);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason not to use 403 same as before?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I probably pasted the incorrect exception on my last review. Sorry

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, the 403 status code !== unauthorized. We can use 403, but we should probably change the name of the exception to use "Forbidden" instead :)

Joel Butcher and others added 3 commits August 29, 2023 15:47
Use original error code and rename exception
2b6ad49
@crynobone
wip
9fef507 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
d30b615 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone crynobone changed the title [5.x] Allow setting status code via config [5.x] Throws Laravel\Horizon\Exceptions\ForbiddenException on unauthorized access Aug 30, 2023
@taylorotwell taylorotwell merged commit 2fc2ba7 into laravel:5.x Aug 30, 2023
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crynobone crynobone crynobone approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@joelbutcher @crynobone @taylorotwell