$ lexprog.com

// notes from an old coder -- php, databases, and the occasional rant

[March 08, 2025] Laravel

Laravel Form Request: Authorization

Laravel Form Request: Authorization

────────────────────────────────────────────────────────

Laravel Form Request: Authorization

Tip: Combine Validation + Auth

class UpdatePostRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('update', $this->route('post'));
    }

    public function rules(): array
    {
        return ['title' => 'required|max:255'];
    }
}

Gotcha: authorize() Runs Before rules()

If authorization fails, validation rules are never checked.

Tip: failedAuthorization() Override

protected function failedAuthorization(): void
{
    throw new AuthorizationException('Custom message');
}

Customize the 403 response.

Gotcha: Redirect on Failure

For web requests, failed authorization redirects back. For API requests, returns JSON 403.

Tip: Access Validated Data

$validated = $request->validated();

Only returns fields that passed validation.

Gotcha: prepareForValidation()

protected function prepareForValidation(): void
{
    $this->merge(['slug' => Str::slug($this->title)]);
}

Modify input before validation runs.

Tip: Use route:cache Carefully

php artisan route:cache is fast, but it doesn't work with closure-based routes. Every time you cache routes, Laravel serializes them. If you have Route::redirect() or closure callbacks, the cache breaks. Stick to controller-based routes in production.

Tip: Model APP_KEY Rotation

Rotating APP_KEY invalidates all encrypted data — cookies, encrypted DB columns, and password reset tokens. If you must rotate (e.g., after a leak), plan a migration that re-encrypts existing data with the new key.

Gotcha: Local Scope Leaks

Global scopes defined in booted() apply to ALL queries on that model — including relationships. An innocent User::all() in admin panel might exclude soft-deleted users if a global scope is active.

Senior Insight

Authorization is where Laravel's elegance can lead to complacency. I've audited apps that used Gate::before() to grant blanket admin access without realizing it also bypasses all other gates. The result: supposedly restricted actions were accessible because the before gate returned true before the specific gate even ran. Always test authorization policies with explicit can() assertions — and never skip testing the 'denied' case.

Source: Laravel News (https://laravel-news.com/), Freek.dev (https://freek.dev/tags/laravel), Spatie Blog (https://spatie.be/blog)

────────────────────────────────────────────────────────
<-- back to posts