fix(laravel): call authorize on delete but not validation (#6618)

Author: soyuka

src/Laravel/State/ValidateProvider.php

@@ -42,7 +42,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         $request = $context['request'];
         $body = $this->inner->provide($operation, $uriVariables, $context);
 
-        if (!$operation->canValidate() || $operation instanceof Error) {
+        if ($operation instanceof Error) {
             return $body;
         }
 
@@ -53,15 +53,23 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         if (\is_string($rules) && is_a($rules, FormRequest::class, true)) {
             try {
+                // this also throws an AuthorizationException
                 $this->app->make($rules);
-                // } catch (AuthorizationException $e) { // TODO: we may want to catch this to transform to an error
             } catch (ValidationException $e) { // @phpstan-ignore-line make->($rules) may throw this
+                if (!$operation->canValidate()) {
+                    return $body;
+                }
+
                 throw $this->getValidationError($e->validator, $e);
             }
 
             return $body;
         }
 
+        if (!$operation->canValidate()) {
+            return $body;
+        }
+
         if (!\is_array($rules)) {
             return $body;
         }

src/Laravel/Tests/AuthTest.php

@@ -47,4 +47,12 @@ public function testAuthenticatedPolicy(): void
         $response = $this->post('/api/vaults', [], ['accept' => ['application/ld+json'], 'content-type' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
         $response->assertStatus(403);
     }
+
+    public function testAuthenticatedDeleteWithPolicy(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->delete('/api/vaults/1', [], ['accept' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(403);
+    }
 }

src/Laravel/workbench/app/Http/Requests/VaultFormRequest.php

@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Workbench\App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Workbench\App\Models\Vault;
+
+class VaultFormRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return $this->user()->can('delete', new Vault());
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'secret' => 'required',
+        ];
+    }
+}

src/Laravel/workbench/app/Models/Vault.php

@@ -14,10 +14,12 @@
 namespace Workbench\App\Models;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
+use Workbench\App\Http\Requests\VaultFormRequest;
 
 #[ApiResource(
     operations: [
@@ -30,6 +32,7 @@
             read: true,
             write: false
         ),
+        new Delete(middleware: 'auth:sanctum', rules: VaultFormRequest::class, provider: [self::class, 'provide']),
     ]
 )]
 class Vault extends Model

src/Laravel/workbench/app/Policies/VaultPolicy.php

@@ -22,4 +22,9 @@ public function update(User $user, Vault $vault): bool
     {
         return false;
     }
+
+    public function delete(User $user): bool
+    {
+        return false;
+    }
 }