When a user gets a 401 message, they have no way of knowing what roles/perms they lack.
mmbrich opened this issue · 3 comments
When a user is given a 401 error message, they have no way to know what roles/perms they are lacking without asking a developer to look at the code (if they don't know it off the top of their head).
I propose that the error message sent from abort() should have the 'can' and 'is' requirements for that route/page/etc.
I have a patch for this feature. I'll submit a pull request shortly.
--- HasPermission.php.orig 2017-04-06 15:38:52.000000000 -0500
+++ HasPermission.php 2017-04-06 15:37:51.000000000 -0500
@@ -49,17 +49,20 @@
return $next($request);
}
-
$msg = "You are not authorized to access this resource. ";
-
$msg .= "Required Roles: ".implode(' ',$this->getAction('is')). "Required Permissions: ".implode(' ',$this->getAction('can'));
-
if ( $request->isJson() || $request->wantsJson() ) { return response()->json([ 'error' => [ 'status_code' => 401, 'code' => 'INSUFFICIENT_PERMISSIONS',
-
'description' => 'You are not authorized to access this resource'
-
'description' => $msg ], ], 401); }
-
return abort(401, 'You are not authorized to access this resource') ;
-
return abort(401, $msg) ;
}
/**
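Review bot: the `$msg` assembled in this hunk (`"Required Roles: ".implode(' ',$this->getAction('is'))...`) ships the exact role and permission names the route requires to whoever triggers the denial, both in the JSON `'description' => $msg` and in `abort(401, $msg)`, so any unauthenticated or low-privileged caller can enumerate the authorization model of every protected route simply by requesting it; keep the client message generic and write the requirement list to the server log (with a reference id the user can quote) instead. Also, the concatenation `implode(' ',$this->getAction('is')). "Required Permissions: "` has no separator after the roles list, so the text renders as `Required Roles: adminRequired Permissions: ...`; a `". "` between the two parts would fix it if a message of this form were kept.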
I appreciate your comment on this matter, but I don't agree with you. You do not want to expose application logic to the client. 401 INSUFFICIENT_PERMISSIONS is just right in my opinion.
"You do not have permission to access this resource."
"Oh, so there IS a resource there. Thanks. 😈"
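As an added illustration of the maintainer's position (example code, not from this issue or the project): the denial branch of a permission middleware that keeps the client response generic while recording the missing roles and permissions server-side under a correlation id, so the user can ask an operator what was lacking without the route's requirements being exposed to clients. It assumes the page's `getAction('is')` / `getAction('can')` helpers return arrays of names, and uses Laravel's `Log` facade and `Str::uuid()` (available from Laravel 5.6).

```php
<?php
// Added example, not code from this issue or the project: the denial branch of a
// permission middleware that keeps the client response generic and records the
// missing roles/permissions server-side under a correlation id the user can quote.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;

trait DeniesWithoutDisclosure
{
    // Assumed to exist on the using middleware, as getAction('is') / getAction('can')
    // do in the page's HasPermission.php; expected to return an array of names.
    abstract protected function getAction($type);

    protected function deny(Request $request)
    {
        $correlationId = (string) Str::uuid();
        $user = $request->user();

        // Server-side record only: who was denied, where, and what the route requires.
        // An operator looks the id up in the log instead of reading the route code.
        Log::warning('authorization denied', [
            'correlation_id' => $correlationId,
            'user_id'        => $user ? $user->getAuthIdentifier() : null,
            'path'           => $request->path(),
            'required_roles' => $this->getAction('is'),
            'required_perms' => $this->getAction('can'),
        ]);

        // Client-facing text stays as generic as before; only the opaque id is added,
        // so the response reveals nothing about the authorization model.
        $msg = 'You are not authorized to access this resource.';

        if ($request->isJson() || $request->wantsJson()) {
            return response()->json([
                'error' => [
                    'status_code'    => 401,
                    'code'           => 'INSUFFICIENT_PERMISSIONS',
                    'description'    => $msg,
                    'correlation_id' => $correlationId,
                ],
            ], 401);
        }

        return abort(401, $msg . ' Reference: ' . $correlationId);
    }
}
```

In the page's middleware the failure path would become `return $this->deny($request);` in place of building `$msg`, leaving the status code and error code unchanged.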