laravel · taylorotwell · Jul 12, 2022 · Jun 26, 2022 · Jul 8, 2022 · Jul 8, 2022
diff --git a/src/Illuminate/Auth/Access/AuthorizationException.php b/src/Illuminate/Auth/Access/AuthorizationException.php
@@ -14,6 +14,13 @@ class AuthorizationException extends Exception
  */
  protected $response;
 
+ /**
+ * The HTTP response status code.
+ *
+ * @var int|null
+ */
+ protected $status;
+
  /**
  * Create a new authorization exception instance.
  *
@@ -52,13 +59,56 @@ public function setResponse($response)
  return $this;
  }
 
+ /**
+ * Set the HTTP response status code.
+ *
+ * @param int|null $status
+ * @return $this
+ */
+ public function withStatus($status)
+ {
+ $this->status = $status;
+
+ return $this;
+ }
+
+ /**
+ * Set the HTTP response status code to 404.
+ *
+ * @return $this
+ */
+ public function asNotFound()
+ {
+ return $this->withStatus(404);
+ }
+
+ /**
+ * Determine if the HTTP status code has been set.
+ *
+ * @return bool
+ */
+ public function hasStatus()
+ {
+ return $this->status !== null;
+ }
+
+ /**
+ * Get the HTTP status code.
+ *
+ * @return int|null
+ */
+ public function status()
+ {
+ return $this->status;
+ }
+
  /**
  * Create a deny response object from this exception.
  *
  * @return \Illuminate\Auth\Access\Response
  */
  public function toResponse()
  {
- return Response::deny($this->message, $this->code);
+ return Response::deny($this->message, $this->code)->withStatus($this->status);
  }
 }
diff --git a/src/Illuminate/Auth/Access/HandlesAuthorization.php b/src/Illuminate/Auth/Access/HandlesAuthorization.php
@@ -27,4 +27,29 @@ protected function deny($message = null, $code = null)
  {
  return Response::deny($message, $code);
  }
+
+ /**
+ * Deny with a HTTP status code.
+ *
+ * @param int $status
+ * @param ?string $message
+ * @param ?int $code
+ * @return \Illuminate\Auth\Access\Response
+ */
+ public function denyWithStatus($status, $message = null, $code = null)
+ {
+ return Response::denyWithStatus($status, $message, $code);
+ }
+
+ /**
+ * Deny with a 404 HTTP status code.
+ *
+ * @param ?string $message
+ * @param ?int $code
+ * @return \Illuminate\Auth\Access\Response
+ */
+ public function denyAsNotFound($message = null, $code = null)
+ {
+ return Response::denyWithStatus(404, $message, $code);
+ }
 }
diff --git a/src/Illuminate/Auth/Access/Response.php b/src/Illuminate/Auth/Access/Response.php
@@ -27,6 +27,13 @@ class Response implements Arrayable
  */
  protected $code;
 
+ /**
+ * The HTTP response status code.
+ *
+ * @var int|null
+ */
+ protected $status;
+
  /**
  * Create a new response.
  *
@@ -66,6 +73,31 @@ public static function deny($message = null, $code = null)
  return new static(false, $message, $code);
  }
 
+ /**
+ * Create a new "deny" Response with a HTTP status code.
+ *
+ * @param int $status
+ * @param string|null $message
+ * @param mixed $code
+ * @return \Illuminate\Auth\Access\Response
+ */
+ public static function denyWithStatus($status, $message = null, $code = null)
+ {
+ return static::deny($message, $code)->withStatus($status);
+ }
+
+ /**
+ * Create a new "deny" Response with a 404 HTTP status code.
+ *
+ * @param string|null $message
+ * @param mixed $code
+ * @return \Illuminate\Auth\Access\Response
+ */
+ public static function denyAsNotFound($message = null, $code = null)
+ {
+ return static::denyWithStatus(404, $message, $code);
+ }
+
  /**
  * Determine if the response was allowed.
  *
@@ -117,12 +149,46 @@ public function authorize()
  {
  if ($this->denied()) {
  throw (new AuthorizationException($this->message(), $this->code()))
- ->setResponse($this);
+ ->setResponse($this)
+ ->withStatus($this->status);
  }
 
  return $this;
  }
 
+ /**
+ * Set the HTTP response status code.
+ *
+ * @param null|int $status
+ * @return $this
+ */
+ public function withStatus($status)
+ {
+ $this->status = $status;
+
+ return $this;
+ }
+
+ /**
+ * Set the HTTP response status code to 404.
+ *
+ * @return $this
+ */
+ public function asNotFound()
+ {
+ return $this->withStatus(404);
+ }
+
+ /**
+ * Get the HTTP status code.
+ *
+ * @return int|null
+ */
+ public function status()
+ {
+ return $this->status;
+ }
+
  /**
  * Convert the response to an array.
  *

diff --git a/src/Illuminate/Foundation/Exceptions/Handler.php b/src/Illuminate/Foundation/Exceptions/Handler.php
@@ -375,7 +375,8 @@ protected function prepareException(Throwable $e)
  return match (true) {
  $e instanceof BackedEnumCaseNotFoundException => new NotFoundHttpException($e->getMessage(), $e),
  $e instanceof ModelNotFoundException => new NotFoundHttpException($e->getMessage(), $e),
- $e instanceof AuthorizationException => new AccessDeniedHttpException($e->getMessage(), $e),
+ $e instanceof AuthorizationException && $e->hasStatus() => new HttpException($e->status(), $e->getMessage(), $e),
+ $e instanceof AuthorizationException && ! $e->hasStatus() => new AccessDeniedHttpException($e->getMessage(), $e),
  $e instanceof TokenMismatchException => new HttpException(419, $e->getMessage(), $e),
  $e instanceof SuspiciousOperationException => new NotFoundHttpException('Bad hostname provided.', $e),
  $e instanceof RecordsNotFoundException => new NotFoundHttpException('Not found.', $e),

diff --git a/tests/Auth/AuthAccessResponseTest.php b/tests/Auth/AuthAccessResponseTest.php
@@ -35,6 +35,82 @@ public function testDenyMethodWithNoMessageReturnsNull()
  $this->assertNull($response->message());
  }
 
+ public function testItSetsEmptyStatusOnExceptionWhenAuthorizing()
+ {
+ try {
+ Response::deny('foo', 3)->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertNull($e->status());
+ $this->assertFalse($e->hasStatus());
+ $this->assertSame('foo', $e->getMessage());
+ $this->assertSame(3, $e->getCode());
+ }
+ }
+
+ public function testItSetsStatusOnExceptionWhenAuthorizing()
+ {
+ try {
+ Response::deny('foo', 3)->withStatus(418)->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(418, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('foo', $e->getMessage());
+ $this->assertSame(3, $e->getCode());
+ }
+
+ try {
+ Response::deny('foo', 3)->asNotFound()->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(404, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('foo', $e->getMessage());
+ $this->assertSame(3, $e->getCode());
+ }
+
+ try {
+ Response::denyWithStatus(444)->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(444, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('This action is unauthorized.', $e->getMessage());
+ $this->assertSame(0, $e->getCode());
+ }
+
+ try {
+ Response::denyWithStatus(444, 'foo', 3)->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(444, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('foo', $e->getMessage());
+ $this->assertSame(3, $e->getCode());
+ }
+
+ try {
+ Response::denyAsNotFound()->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(404, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('This action is unauthorized.', $e->getMessage());
+ $this->assertSame(0, $e->getCode());
+ }
+
+ try {
+ Response::denyAsNotFound('foo', 3)->authorize();
+ $this->fail();
+ } catch (AuthorizationException $e) {
+ $this->assertSame(404, $e->status());
+ $this->assertTrue($e->hasStatus());
+ $this->assertSame('foo', $e->getMessage());
+ $this->assertSame(3, $e->getCode());
+ }
+ }
+
  public function testAuthorizeMethodThrowsAuthorizationExceptionWhenResponseDenied()
  {
  $response = Response::deny('Some message.', 'some_code');