[8.x] Adds Response authorization to Form Requests

[DarkGhostHunter]

What?

Allows to use Response objects in the authorize() method of the Form Requests.

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Auth\Access\Response;

class CreatePostFormRequest extends FormRequest
{
    public function authorize()
    {
        return Response::deny('You are too cool to post.');
    }
}

Why?

Because otherwise you have to fallback to using the Gate or Policy manually, or authorize via Controller, which makes FormRequest authorization a moot point.

How?

When the passesAuthorization() method of the FormRequest is called, it will do two additional checks if the response from the authorize() method is not falsy: if it's a Response instance, call authorize().

BC?

None, as the authorize() is meant to return a bool anyway as the PHPDoc states.

[rodrigopedra]

Isn't overridden the failedAuthorization() method meant to allow customizing the return message/exception?

[DarkGhostHunter]

Isn't overridden the failedAuthorization() method meant to allow customizing the return message/exception?

Yes, but then you're bound for one generic authorization message, which may not reflect why the authorization failed.

public function authorize()
{
    return $this->user()->isAdmin() || $this->user()->posts()->count() < 30;
}

public function failedAuthorization()
{
    return 'Well... you are not an admin, or you are over your post count'.
}

[rodrigopedra]

Got it. Thanks for the heads up

[taylorotwell]

It would be less of a breaking if you do not change the behavior at all for non Response results.

[DarkGhostHunter]

It would be less of a breaking if you do not change the behavior at all for non Response results.

Yeah, was kind of a stretch for strings. I'll fix it once I get into my oven.