- Laravel Version: 7.22.4
- Nova Version: 3.8.2
- PHP Version: 7.4.2
Description:
Nova authorises the "viewNova" ability in the `authorization()` method of NovaApplicationServiceProvider.php by using `Gate::check('viewNova', [$request->user()]);`. `$request->user()` should not be passed in the arguments, as it is then treated as the model that the ability should be checked for. It is not relevant here, so it should simply be `Gate::check('viewNova');` - `$user` is passed automatically.
It may cause an issue when using a UserPolicy class, which is checked first because of that. Normally, when the ability "viewNova" does not exist in UserPolicy, authorisation continues to the other gate - the one that is defined in NovaServiceProvider - and there is no issue. But in my case, when UserPolicy returns false for a non-existing ability, it restricts access to Nova.
Or is there any purpose to the gate check against UserPolicy?
Detailed steps to reproduce the issue on a fresh Nova installation:
In `NovaServiceProvider::gate()`:
```php
Gate::define('viewNova', function ($user) {
    return true;
});
```
Create app/Policies/UserPolicy.php and define an overloading method:
```php
public function __call($ability, $args) {
    return false;
}
```
Set the environment:
```
APP_ENV = production
```
You get a 403 Forbidden when accessing Nova.
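
The lookup order described in this report can be reproduced without the framework. The following is an added example, not code from the issue, Nova or Laravel: `MiniGate` is a simplified, hypothetical model of the policy-first resolution, and `User`, `PlainUserPolicy` and `CatchAllUserPolicy` are assumed names.

```php
<?php
// Simplified model of the resolution order in this report; not Laravel's Gate class.
final class User {}
final class PlainUserPolicy {}                       // has no viewNova method
final class CatchAllUserPolicy {                     // the policy from the reproduction steps
    public function __call($ability, $args) { return false; }
}

final class MiniGate
{
    private array $abilities = [];
    private array $policies = [];

    public function define(string $ability, callable $cb): void { $this->abilities[$ability] = $cb; }
    public function policy(string $modelClass, object $policy): void { $this->policies[$modelClass] = $policy; }

    public function check(User $user, string $ability, array $arguments = []): bool
    {
        // A model passed as the first argument selects that model's policy first.
        $first = $arguments[0] ?? null;
        if (is_object($first) && isset($this->policies[get_class($first)])) {
            $policy = $this->policies[get_class($first)];
            // is_callable() is true for ANY method name once the policy defines __call().
            if (is_callable([$policy, $ability])) {
                return (bool) $policy->{$ability}($user, ...$arguments);
            }
        }
        // No policy method found: fall back to the closure registered with define().
        $callback = $this->abilities[$ability] ?? null;
        return $callback !== null && (bool) $callback($user, ...$arguments);
    }
}

function demo(): array
{
    $user = new User();
    $results = [];
    foreach (['plain' => new PlainUserPolicy(), 'catchAll' => new CatchAllUserPolicy()] as $name => $policy) {
        $gate = new MiniGate();
        $gate->define('viewNova', function ($user) { return true; });
        $gate->policy(User::class, $policy);
        $results[$name . ':withUserArg'] = $gate->check($user, 'viewNova', [$user]); // call shape from the report
        $results[$name . ':noArg'] = $gate->check($user, 'viewNova');                // call shape the report proposes
    }
    return $results;
}

var_export(demo());
```

Only the `catchAll:withUserArg` case is denied: the extra user argument routes the check to the policy, whose `__call` answers for an ability it never declared, so the `viewNova` closure is never consulted.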