It's easy to forget authorization. This package is here to help you out!
You can install the package via composer:

```bash
composer require jurianarie/unauthorised-laravel-endpoints --dev
```

You can publish the config file with:

```bash
php artisan vendor:publish --tag="unauthorized-detection"
```

This package looks through all routes defined in your application and tries to find authorization checks.
There are a few built-in checks:
- Authorization via middleware
- Authorization via FormRequests
- Authorization via source code (This has some limitations.)
Run the detection with:

```bash
php artisan unauthorised-endpoints:detect
```

Or exclude vendor routes:

```bash
php artisan unauthorised-endpoints:detect --except-vendor
```

Tip: the same arguments are available as with `route:list`.
By default, only the `auth` middleware is checked. Routes without the specified middleware will be ignored.

```php
'authentication-middleware' => [
    'auth:api', // Only check api.
],
```

Here you can specify the middleware that is used to authorize the routes.

```php
'authorization-middleware' => [
    'your-custom-middleware',
],
```

You can add regular expressions that are matched against the source code of each route's action.

```php
'authorization-methods' => [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
],
```

You can ignore routes the same way as with `Request::is()` and `Request::routeIs()`, see https://laravel.com/docs/9.x/requests#inspecting-the-request-path.
You can add custom detection by adding a class that implements \JurianArie\UnauthorisedDetection\Detectors\DetectsAuthorization to the 'authorization-detectors' array in your config.
You might get false positives if your authorization has to be detected in your source code, for example when:

- Your action doesn't have any source code.
- Your authorization happens further down in the call stack.
- Your authorization uses structures such as:

```php
abort_if($user->cannot(...),
if ($user->cannot(...)) {...}
```
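To see why these structures slip through, the following added example (not the package's own code) runs the two regular expressions from the `'authorization-methods'` config over constructed action bodies: the `$this->authorize()` and `Gate::authorize()` styles are matched, while the `abort_if()` and `if ($user->cannot(...))` styles are not and would be reported as unauthorised. The third pattern is a hypothetical addition, not shipped by the package, showing how such a false positive can be removed by teaching the detector about the `cannot()` form.

```php
<?php
// Added example, not part of the package: runs the configured regexes over
// constructed controller bodies to show which authorization styles
// source-code detection can recognise.

// Patterns exactly as they appear in the 'authorization-methods' config.
$configuredPatterns = [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
];

// Hypothetical extra pattern (an assumption, not provided by the package)
// that also recognises the $user->cannot(...) forms listed above.
$extendedPatterns = array_merge($configuredPatterns, [
    '/->cannot\(\'(.*)\\)/',
]);

// Constructed action bodies; only the last one is genuinely unauthorised.
$actions = [
    'authorize()'       => '$this->authorize(\'update\', $post); return $post;',
    'Gate::authorize()' => 'Gate::authorize(\'delete\', $post); $post->delete();',
    'abort_if(cannot)'  => 'abort_if($user->cannot(\'update\', $post), 403); return $post;',
    'if (cannot)'       => 'if ($user->cannot(\'update\', $post)) { abort(403); } return $post;',
    'no check'          => 'return $post;',
];

/**
 * Returns true when any pattern matches the action's source, i.e. when the
 * detector would consider the route authorized.
 */
function hasAuthorization(string $source, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $source) === 1) {
            return true;
        }
    }
    return false;
}

foreach (['configured' => $configuredPatterns, 'extended' => $extendedPatterns] as $name => $patterns) {
    echo "Patterns: {$name}\n";
    foreach ($actions as $label => $source) {
        $state = hasAuthorization($source, $patterns) ? 'authorization found' : 'reported as unauthorised';
        printf("  %-18s %s\n", $label, $state);
    }
}
```

With the configured patterns only, the two `cannot()` actions are reported alongside the genuinely unchecked one; with the extended set, only `no check` remains, so review the actions you add a pattern for to be sure the `cannot()` call really guards the whole action.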
The MIT License (MIT). Please see License File for more information.