mirror of https://github.com/flarum/core.git synced 2025-10-28 22:07:33 +01:00

Move authentication check into assertCan() method

This will cause the right error (HTTP 401) to be thrown whenever
we're checking for a specific permission, but the user is not even
logged in. Authenticated users will still get HTTP 403.
Franz Liedke
2019-08-21 23:46:00 +02:00
parent 0836d99e83
commit b60617b849
3 changed files with 8 additions and 2 deletions


@@ -55,15 +55,23 @@ trait AssertPermissionTrait
* @param User $actor
* @param string $ability
* @param mixed $arguments
* @throws NotAuthenticatedException
* @throws PermissionDeniedException
*/
protected function assertCan(User $actor, $ability, $arguments = [])
{
// For non-authenticated users, we throw a different exception to signal
// that logging in may help.
$this->assertRegistered($actor);
// If we're logged in, then we need to communicate that the current
// account simply does not have enough permissions.
$this->assertPermission($actor->can($ability, $arguments));
}
/**
* @param User $actor
* @throws NotAuthenticatedException
* @throws PermissionDeniedException
*/
protected function assertAdmin(User $actor)
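Review bot: The unconditional `$this->assertRegistered($actor);` at the top of assertCan() rejects guests before `$actor->can($ability, $arguments)` is evaluated, so any ability granted to unauthenticated visitors would now fail with HTTP 401 at every call site that uses assertCan(). Whether such guest-level grants exist is not visible in this hunk, so please confirm. If they do, evaluate the permission first and use the authentication check only to choose between 401 and 403 once it has been denied, as sketched below. The sketch assumes assertRegistered() throws NotAuthenticatedException for guests and assertPermission(false) throws PermissionDeniedException; both are defined outside the hunk. A test that calls assertCan() with a guest actor for a guest-permitted ability would pin the behaviour.

```php
protected function assertCan(User $actor, $ability, $arguments = [])
{
    if (! $actor->can($ability, $arguments)) {
        // Denied: a guest gets 401 because logging in may help; a logged-in user gets 403.
        $this->assertRegistered($actor);
        $this->assertPermission(false);
    }
}
```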