 |
VOOZH | about |
|
VOOZH | about |
The Authorize middleware enforces authorization at the HTTP layer by checking permissions before requests reach controllers. It integrates with the Gate to evaluate abilities and policies, automatically resolving model instances from route parameters for resource-based authorization.
For authentication enforcement, see page 4.1. For the Gate authorization engine, see page 3.1.
The Authorize class implements PSR-15 MiddlewareInterface and provides route-level authorization.
| Component | Type | Purpose |
|---|---|---|
$gate | Gate | Injected authorization engine for permission evaluation |
using() | static method | Builds middleware configuration string with ability and model parameters |
process() | public method | PSR-15 middleware handler that performs authorization check |
getGateArguments() | protected method | Resolves model arguments from route parameters |
getModel() | protected method | Extracts model instances or class names from request routing data |
isClassName() | protected method | Determines if string is a fully qualified class name |
Sources: src/Middleware/Authorize.php17-90
Authorize::process() Execution Sequence
Sources: src/Middleware/Authorize.php41-48 src/Middleware/Authorize.php53-62 src/Middleware/Authorize.php67-81
The static using() method generates middleware configuration strings for route definitions:
Output Format: "Hypervel\Auth\Middleware\Authorize:ability,model1,model2"
| Parameter | Type | Description |
|---|---|---|
$ability | string | The ability name to check (e.g., "edit", "delete") |
...$models | variadic string | Model parameter names or fully qualified class names |
Sources: src/Middleware/Authorize.php31-34
The process() method is the PSR-15 middleware entry point:
When $ability is not null, calls $this->gate->authorize($ability, $arguments) where arguments are resolved via getGateArguments(). If authorization succeeds, calls $handler->handle($request). If authorization fails, Gate::authorize() throws AuthorizationException.
Sources: src/Middleware/Authorize.php41-48
Converts model parameter specifications into concrete arguments for Gate::authorize():
Model Argument Resolution Logic
Resolution Strategy:
| Input Type | Detection Method | Resolution Result | Code Reference |
|---|---|---|---|
| Model instance | instanceof Model | Returns instance as-is | Line 60 |
| FQCN string | str_contains($value, '\\') | Returns trimmed class name | Lines 69-71, 86-89 |
| Route parameter | Not a class name | Returns $dispatched->params[$model] | Lines 74-80 |
Sources: src/Middleware/Authorize.php53-62 src/Middleware/Authorize.php67-81 src/Middleware/Authorize.php86-89
The middleware delegates authorization decisions to the Gate instance injected via the constructor:
Component Dependencies
The Gate::authorize() method calls Gate::inspect() which calls Gate::raw() to evaluate the authorization logic. The result is wrapped in a Response object, and Response::authorize() either returns successfully or throws AuthorizationException.
Sources: src/Middleware/Authorize.php19-26 src/Middleware/Authorize.php44 src/Access/Gate.php273-276 src/Access/Gate.php281-296 src/Access/Gate.php303-333
The middleware extracts model instances from the Hyperf routing system using Dispatched route metadata:
Route Parameter Resolution
The $dispatched->params array contains resolved route parameters indexed by parameter name. The middleware uses parameter names from the $models array to look up values in this array.
Sources: src/Middleware/Authorize.php74-80
The middleware integrates with route definitions to enforce specific permissions:
| Parameter Type | Configuration | Resolved Argument |
|---|---|---|
| Route parameter | 'post' | $request->route('post') value |
| Class name | 'App\\Models\\Post' | String "App\Models\Post" |
| Model instance | $postModel | The actual model object |
Sources: src/Middleware/Authorize.php59-62 src/Middleware/Authorize.php67-81
The middleware throws AuthorizationException when the Gate denies access. This exception is typically caught by the framework's exception handler to return appropriate HTTP responses (usually 403 Forbidden).
The authorization check occurs before the request reaches the application handler, providing early access control enforcement in the request pipeline.
Sources: src/Middleware/Authorize.php10 src/Middleware/Authorize.php39 src/Middleware/Authorize.php44
Refresh this wiki