3

Is there a built-in way to skip authorization completely while testing the controllers?

Sample controller:

public function changePassword(Request $request, LdapInterface $ldap)
{
    $this->authorize('change-password');

    $this->validate($request, [
        'pass' => 'min:8|confirmed|weakpass|required', 
    ]);

    $success = $ldap->updatePassword($request->get('pass'));

    $message = $success ?
        'Your e-mail password has been successfully changed' :
        'An error occured while trying to change your alumni e-mail password.';

    return response()->json(['message' => $message]);
}

I want to skip change-password rule, which is defined inside the AuthServiceProvider like:

public function boot(GateContract $gate)
{
    $gate->define('change-password', function ($user) {
        // Some complex logic here
    });
}

I don't want to add smt. like if (env('APP_ENV') == 'testing') return; inside the code.

Improve this question

5 Answers 5

Reset to default
7

Actually, there is a built-in way. You can add a before callback to be called before the actual authorization check and bypass the check simply by returning true:

\Gate::before(function () {
    return true;
});

You should add this snippet to either the setUp method of your test or every test method that you want to bypass the authorization.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Won't this affect other unit tests? I.e. ones that specifically test user authorization?
5

I'm not aware of one, but you could move that check to a dedicated middleware and use the withoutMiddleware trait to disable it in tests.

Or you could mock the application's gate instance using Mockery. Mockery is well documented so I'd suggest reading the docs for more details, but setting it up would look something like this:

$mock = Mockery::mock('Illuminate\Contracts\Auth\Access\Gate');
$mock->shouldReceive('authorize')->with('change-password')->once()->andReturn(true);
$this->app->instance('Illuminate\Contracts\Auth\Access\Gate', $mock);

This sets up a mock of the gate contract, sets up what it expects to receive and how it should respond, and then injects it into the application.

Improve this answer

Comments

5

From laravel documentation :

When testing your application, you may find it convenient to disable middleware for some of your tests. This will allow you to test your routes and controller in isolation from any middleware concerns. Laravel includes a simple WithoutMiddleware trait that you can use to automatically disable all middleware for the test class:

use Illuminate\Foundation\Testing\WithoutMiddleware;
use Illuminate\Foundation\Testing\DatabaseTransactions;

class ExampleTest extends TestCase
{
    use WithoutMiddleware;

    //
}

Or you can use withoutMiddleware() method in you test method like this :

public function testBasicExample()
{
    $this->withoutMiddleware();

    $this->visit('/')
         ->see('Laravel 5');
}

Ps : since Laravel 5.1

Improve this answer

1 Comment

This check is in the controller, not middleware. OP would need to move it to middleware for that trait to be any use
3

In my tests I add a method I can call at the beginning of a test to disable authorization only for that test.

Add to your base test class

public function withoutAuthorization()
{
    \Gate::before(function () {
        return true;
    });

    return $this;
}

And then in a test you can call it:

public function testSomeThing()
{
    $this->withoutAuthorization();

    // any gates will be bypassed
    $this->get('/my-protected-endpoint');
}
Improve this answer

Comments

-6

It is much simpler. Just take it out of the authorization required section in your routes file. In this example I needed the AssignmentsController to work without Authentication, so I just moved it from the jwt.auth group up:

Route::post('v1/auth/login', 'Api\AuthController@authenticate');
Route::post('v1/auth/sendpassword', 'Api\AuthController@sendPassword');
Route::get('v1/assignments', 'Api\AssignmentsController@getAll');

Route::group(['middleware' => 'jwt.auth'], function() {
  Route::post('v1/auth/logout', 'Api\AuthController@logout');
  Route::post('v1/shipments', 'Api\ShipmentController@getShipments');
  Route::post('v1/assignments/{id}/transfer', 'Api\AssignmentsController@saveAssignment');
  Route::get('v1/shipments/assignments/{assignmentId}', 'Api\AssignmentsController@getDetail');
  Route::post('v1/shipments/assignments/{id}/upload', 'Api\AssignmentsController@uploadFile');
});
Improve this answer

1 Comment

You shouldn't make production code changes in order to run tests. Doing what you're suggesting would be a no-go in a CI environment. This being said, there are use cases where augmenting production code to accommodate testing is the only option. See Testing Aids section in the Carbon docs for a pretty good example.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.