fix(laravel): fall back to resource class when object is null in ResourceAccessChecker#7948
Merged
soyuka merged 2 commits into api-platform:4.3 from … May 5, 2026
…urceAccessChecker

| Q | A |
| ------------- | --- |
| Branch? | 4.3 |
| Tickets | Closes api-platform#7945 |
| License | MIT |
| Doc PR | ∅ |

Gate::allows cannot resolve a policy from a null argument, causing 403 on operations with deserialize:false or output:false even when the policy returns true. Apply the same fallback already used for Paginator.
| Q | A |
| ------------- | --- |
| Branch? | 4.3 |
| Tickets | Refs api-platform#7945 |
| License | MIT |
| Doc PR | ∅ |

Add a functional test reproducing the issue scenario: a Post with deserialize:false, output:false and a policy that returns true. Without the fix the request returns 403 (Gate cannot resolve a policy from the null body); with the fix it returns 202 as configured.
Summary
`ResourceAccessChecker::isGranted()` passes the body returned by the decorated provider to `Gate::allows()` as the second argument. When the operation has `deserialize: false` (or `output: false`) and no provider returning an instance, that body is `null` — and Laravel's Gate cannot resolve a policy class from `null`, so it silently returns `false`. The request fails with 403 even when the policy method explicitly returns `true`.

The existing code already handles the symmetric case for `Paginator` (collection endpoints, no instance available) by falling back to `$resourceClass`. This PR applies the same fallback to `null`.

Behavior

- `Gate::allows('import', null)` → silent deny (false negative).
- `Gate::allows('import', Item::class)` → routes through normal policy resolution; the configured policy method is invoked as the developer intended.

Test plan

- `Tests/Unit/Security/ResourceAccessCheckerTest.php` covers null, Paginator, and concrete-object paths. Verified the null case fails without the fix (Gate is called with `NULL`) and passes with it.
- `Tests/Policy/*` and `Tests/AuthTest.php` still pass (17 tests, 22 assertions).
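The false negative described in the summary, shown as an added, self-contained PHP example that is not part of this PR or of api-platform's code. `FakeGate` is a hypothetical stand-in that mimics only the relevant part of Laravel's `Gate::allows()` (a policy is resolved from an object's class or from a class-string; anything else is denied); `Post`, `Paginator`, `PostPolicy`, `subjectBefore()` and `subjectAfter()` are constructed for the illustration. Only `Gate::allows`, `Paginator` and `$resourceClass` come from the PR text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for Laravel's Gate policy resolution (added example, not the project's code).
final class FakeGate
{
    /** @param array<class-string, object> $policies policy instances keyed by resource class */
    public function __construct(private array $policies)
    {
    }

    /** Mirrors the relevant behaviour of Gate::allows(): resolve a policy from the subject, else deny. */
    public function allows(string $ability, mixed $subject): bool
    {
        // A policy is derived from an object's class or from a class-string; null resolves to nothing.
        $class = match (true) {
            is_object($subject) => get_class($subject),
            is_string($subject) && class_exists($subject) => $subject,
            default => null,
        };
        if ($class === null || !isset($this->policies[$class])) {
            return false; // unresolvable subject: silent deny, regardless of what the policy would say
        }
        return (bool) $this->policies[$class]->{$ability}($subject);
    }
}

final class Post {}
final class Paginator {} // stand-in for the collection paginator named in the PR

final class PostPolicy
{
    // The policy explicitly allows the ability; the bug is that it is never consulted for a null subject.
    public function import(mixed $subject): bool
    {
        return true;
    }
}

// Subject passed to the gate before the fix: only Paginator falls back to the resource class.
function subjectBefore(mixed $body, string $resourceClass): mixed
{
    return $body instanceof Paginator ? $resourceClass : $body;
}

// Subject passed to the gate with the fix: null is treated like Paginator and replaced by the class-string.
function subjectAfter(mixed $body, string $resourceClass): mixed
{
    return ($body === null || $body instanceof Paginator) ? $resourceClass : $body;
}

$gate = new FakeGate([Post::class => new PostPolicy()]);

// Constructed cases covering the three paths the PR's unit test exercises.
$cases = [
    'null body (deserialize: false)' => null,
    'Paginator (collection)'         => new Paginator(),
    'concrete Post'                  => new Post(),
];

foreach ($cases as $label => $body) {
    $before = $gate->allows('import', subjectBefore($body, Post::class));
    $after  = $gate->allows('import', subjectAfter($body, Post::class));
    printf("%-32s before: %-5s after: %s\n", $label, var_export($before, true), var_export($after, true));
}
```

Running the script shows the null body denied before the fallback and allowed after it, while the Paginator and concrete-object paths are unchanged. The defender-side lesson is that a gate which cannot resolve a subject fails closed without signalling an error, so a policy that is never invoked looks identical to one that returned `false`; a unit test asserting on the argument the gate receives (as the PR's test does) is what distinguishes the two.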