AuthorizesRequests behaviour with additional arguments changed in 8.65.0 #39267

Closed
dwightwatson opened this issue Oct 20, 2021 · 2 comments

  • Laravel Version: 8.65.0
  • PHP Version: 8.0.11
  • Database Driver & Version: PostgreSQL 14.0

Description:

Upon upgrading to 8.65.0 this morning I noticed build failures, and I believe it's related to changes to the authorization gate. It looks to me as though it affects controller calls to authorize but not @can in views.

The simplest example in my app is creating a Block record - for one user to block another user. I have been using a BlockPolicy and passing the other user as an additional argument into the create method.

class BlockPolicy extends Policy
{
    public function create(User $user, User $model): bool
    {
        return ! $user->is($model);
    }
}

class BlockController extends Controller
{
    public function store(User $user)
    {
        $this->authorize([Block::class, $user]);

        //
    }
}

  Error: Method name must be a string in /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php:818
  Stack trace:
  #0 /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php(488): Illuminate\Auth\Access\Gate->Illuminate\Auth\Access\{closure}(Object(App\Models\User))
  #1 /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php(383): Illuminate\Auth\Access\Gate->callAuthCallback(Object(App\Models\User), Array, Array)
  #2 /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php(348): Illuminate\Auth\Access\Gate->raw(Array, Array)
  #3 /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php(335): Illuminate\Auth\Access\Gate->inspect(Array, Array)
  #4 /Users/Dwight/Sites/roomies/vendor/laravel/framework/src/Illuminate/Foundation/Auth/Access/AuthorizesRequests.php(23): Illuminate\Auth\Access\Gate->authorize(Array, Array)
  #5 /Users/Dwight/Sites/roomies/app/Http/Controllers/BlockController.php(15): App\Http\Controllers\Controller->authorize(Array)

At first glance - the API I'm using in the controller is wrong. I would have expected it to be more along the lines of $this->authorize(Block::class, [$user]), however this is what has been working for a long time now. Now it appears that whatever way I try additional arguments are lost.

Comparing the output of $abilities, $arguments after the call to authorize in AuthorizesRequests:

trait AuthorizesRequests
{
    public function authorize($ability, $arguments = [])
    {
        [$ability, $arguments] = $this->parseAbilityAndArguments($ability, $arguments);

        dd($ability, $arguments);
    }
}

Laravel 8.64.0:

"create"
["App\Models\Block", App\Models\User (instance)]

Laravel 8.65.0:

"create"
"App\Models\Block"

Opening an issue to see if it's affected others or if there are better solutions. I'll look into options to rectify this.


dwightwatson commented Oct 20, 2021

The easiest fix for the time being is to forgo the automatic method name guessing:

$this->authorize('create', [Block::class, $user]);

So it comes down to this specific change that assumes an array passed to authorize must be an ability/argument combination.

Long story short - you can't use the automatic method name guessing with multiple arguments.
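
As an added illustration that is not part of this thread or of Laravel's code, the simplified PHP model below shows the explicit form used in the workaround: the first array element selects the policy, the remaining elements are forwarded to the policy method, and anything that cannot be resolved is denied. The `check` function, the policy map and the sample users are constructed for the example.

```php
<?php
declare(strict_types=1);

// Simplified model for illustration; this is not Laravel's Gate code.
final class User
{
    public function __construct(public int $id) {}
    public function is(User $other): bool { return $this->id === $other->id; }
}

final class Block {}

final class BlockPolicy
{
    // Same rule as the policy in the issue: a user may not block themselves.
    public function create(User $user, User $model): bool
    {
        return ! $user->is($model);
    }
}

// Hypothetical dispatcher: $arguments[0] (class name or instance) selects the
// policy, the remaining elements are passed to the method after the actor.
function check(array $policies, User $actor, string $ability, array $arguments): bool
{
    $arguments = array_values($arguments);
    $target = array_shift($arguments);
    $class = is_object($target) ? get_class($target) : $target;
    if (! is_string($class) || ! isset($policies[$class])) {
        return false; // no policy registered for this target: deny
    }
    $policyClass = $policies[$class];
    $policy = new $policyClass();
    if (! is_callable([$policy, $ability])) {
        return false; // ability not defined on the policy: deny
    }
    try {
        return $policy->{$ability}($actor, ...$arguments) === true;
    } catch (ArgumentCountError $e) {
        return false; // an extra argument went missing on the way: deny
    }
}

$policies = [Block::class => BlockPolicy::class]; // constructed sample data
$alice = new User(1);
$bob = new User(2);
var_dump(check($policies, $alice, 'create', [Block::class, $bob]));   // another user
var_dump(check($policies, $alice, 'create', [Block::class, $alice])); // self
var_dump(check($policies, $alice, 'create', [Block::class]));         // extra argument lost
```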

@driesvints

Thanks for reporting. I've sent in a PR to revert this.
