kodeine/laravel-acl

When a user gets a 401 message, they have no way of knowing what roles/perms they lack.

mmbrich opened this issue · 3 comments

When a user is given a 401 error message, they have no way to know what roles/perms they are lacking without asking a developer to look at the code (if they don't know it off the top of their head).

I propose that the error message sent from abort() should have the 'can' and 'is' requirements for that route/page/etc.

I have a patch for this feature. I'll submit a pull request shortly.

--- HasPermission.php.orig 2017-04-06 15:38:52.000000000 -0500
+++ HasPermission.php 2017-04-06 15:37:51.000000000 -0500
@@ -49,17 +49,20 @@
return $next($request);
}

  •    $msg = "You are not authorized to access this resource. ";
    
  •    $msg .= "Required Roles: ".implode(' ',$this->getAction('is')). "Required Permissions: ".implode(' ',$this->getAction('can'));
    
  •    if ( $request->isJson() || $request->wantsJson() ) {
           return response()->json([
               'error' => [
                   'status_code' => 401,
                   'code'        => 'INSUFFICIENT_PERMISSIONS',
    
  •                'description' => 'You are not authorized to access this resource'
    
  •                'description' => $msg
               ],
           ], 401);
       }
    
  •    return abort(401, 'You are not authorized to access this resource') ;
    
  •    return abort(401, $msg) ;
    

    }

    /**

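Review bot: the new `$msg` lines send the route's required role and permission names (`$this->getAction('is')`, `$this->getAction('can')`) to every caller who fails the check, so a denied request becomes a way to enumerate the application's role and permission scheme; keep the client-facing description generic and write that detail to the server log instead, optionally together with an opaque reference id the user can quote to a developer. Also, `implode(' ',$this->getAction('is')). "Required Permissions: "` has no separator between the last role name and the next label, so the text reads like `Required Roles: adminRequired Permissions: ...`; if a message like this is kept anywhere, join the lists with `', '` and put `'. '` before the second label. Unchanged by this hunk, but worth fixing while here: `status_code` 401 tells a client to re-authenticate, whereas an authenticated caller that lacks a role or permission should receive 403.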
I appreciate your comment on this matter, but I don't agree with you. You do not want to expose application logic to the client. 401 INSUFFICIENT_PERMISSIONS is just right in my opinion.

"You do not have permission to access this resource."
"Oh, so there IS a resource there. Thanks. 😈"
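The alternative the replies above argue for, as an added example that is not kodeine/laravel-acl code and not from anyone in this thread: a framework-agnostic PHP sketch where the client only ever sees a generic 403 and an opaque reference id, while the missing roles and permissions go to the server log. The `$required`/`$user` arrays are constructed sample input, and the `$log` callable is a hypothetical stand-in for whatever the application logs with (in Laravel, `Log::warning()`); 403 rather than 401 is used because the caller is authenticated but not permitted.

```php
<?php
// Added example, not the project's own code: generic response to the client,
// full detail to the server log, linked by an opaque reference id.
declare(strict_types=1);

// Constructed sample input: what the route requires and what the caller has.
$required = ['is' => ['admin'], 'can' => ['reports.export']];
$user     = ['id' => 42, 'roles' => ['editor'], 'perms' => ['reports.view']];

// Entries of $required that are absent from $have, reindexed from 0.
function missing(array $required, array $have): array
{
    return array_values(array_diff($required, $have));
}

// Returns ['status' => int, 'body' => array|null]. $log is a hypothetical
// callable(string): void that represents the application's logger.
function authorize(array $required, array $user, callable $log): array
{
    $missingRoles = missing($required['is'] ?? [], $user['roles']);
    $missingPerms = missing($required['can'] ?? [], $user['perms']);

    if ($missingRoles === [] && $missingPerms === []) {
        return ['status' => 200, 'body' => null];
    }

    // Random, unguessable reference: enough for a developer to find the log
    // line, nothing for the client to learn from.
    $ref = bin2hex(random_bytes(8));

    // The role and permission names stay server-side.
    $log(sprintf(
        'acl denied ref=%s user=%d missing_roles=[%s] missing_perms=[%s]',
        $ref,
        $user['id'],
        implode(',', $missingRoles),
        implode(',', $missingPerms)
    ));

    // Identical body whether the caller lacks one role or all of them, so the
    // response reveals nothing about the route's requirements.
    return [
        'status' => 403,
        'body'   => [
            'error' => [
                'status_code' => 403,
                'code'        => 'INSUFFICIENT_PERMISSIONS',
                'description' => 'You are not authorized to access this resource.',
                'reference'   => $ref,
            ],
        ],
    ];
}

// Collect log lines in memory so the script runs without a framework.
$logLines = [];
$response = authorize($required, $user, function (string $line) use (&$logLines): void {
    $logLines[] = $line;
});

echo "HTTP {$response['status']}", PHP_EOL;
echo json_encode($response['body'], JSON_PRETTY_PRINT), PHP_EOL;
echo 'server log: ', implode(PHP_EOL, $logLines), PHP_EOL;
```

Run it with `php` on the command line: the client-facing JSON names no role or permission, and the log line carries `missing_roles=[admin] missing_perms=[reports.export]` keyed by the same reference id the user can paste into a support request.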