I have added the Spatie Laravel Permission Package in a Laravel 5.8 API application. Everything works fine and I get an exception when a non-admin user tries to access admin-specific routes.
However the default exception is rendered as HTML 403 User does not have the right roles. Considering I am using this inside an API application, I would like to return my own custom message for such exceptions.
I tried checking if the auth()->user()->hasRole('admin') but still got the same default exception page. Here's my code
route
    Route::post('products', 'ProductController@store')->middleware('role:super-admin|admin'); // create a new product
Controller method
    if (auth()->user()->hasRole('admin')) {
        // create & store the product
        $product = Product::create($request->all());
        // return new product
        $responseMessage = 'Successful operation';
        $responseStatus = 200;
        $productResource = new ProductResource($product);
        return response()->json([
            'responseMessage' => $responseMessage,
            'responseStatus' => $responseStatus,
            'product' => $productResource
        ]);
    } else {
        return response()->json([
            'responseMessage' => 'You do not have required authorization.',
            'responseStatus' => 403,
        ]);
    }
Why is my custom message not showing?
Because you are protecting your routes through the role middleware the UnauthorizedException will be thrown before your controller code is ever reached.
What you can do is use Laravel's exception handler render method and check the exception type and return your own response:
from the docs:
The render method is responsible for converting a given exception into
an HTTP response that should be sent back to the browser. By default,
the exception is passed to the base class which generates a response
for you. However, you are free to check the exception type or return
your own custom response
app/Exceptions/Handler.php
    use Spatie\Permission\Exceptions\UnauthorizedException;
    public function render($request, Exception $exception)
    {
        if ($exception instanceof UnauthorizedException) {
            return response()->json([
                'responseMessage' => 'You do not have required authorization.',
                'responseStatus' => 403,
            ]);
        }
        return parent::render($request, $exception);
    }
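Added example (not code from the answer above or from the Spatie package): the same check as a complete Laravel 5.8 `app/Exceptions/Handler.php`. Passing 403 as the second argument of `json()` sets the HTTP status itself, since `json()` otherwise sends 200, and each denial is logged because Laravel does not report `HttpException` subclasses by default. The log message text and the `api/*` path test are assumptions.

```php
<?php
// app/Exceptions/Handler.php (Laravel 5.8 signature, as in the answer above)

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Support\Facades\Log;
use Spatie\Permission\Exceptions\UnauthorizedException;

class Handler extends ExceptionHandler
{
    public function render($request, Exception $exception)
    {
        if ($exception instanceof UnauthorizedException) {
            // Record who was denied and where, so repeated denials can be alerted on.
            // The user id is null when the middleware rejected a guest.
            Log::warning('Role check denied request', [   // message text is an assumption
                'user_id' => optional($request->user())->getAuthIdentifier(),
                'method'  => $request->method(),
                'path'    => $request->path(),
                'ip'      => $request->ip(),
            ]);

            // Only API/JSON clients get the custom body; browsers keep the default page.
            if ($request->expectsJson() || $request->is('api/*')) {
                return response()->json([
                    'responseMessage' => 'You do not have required authorization.',
                    'responseStatus'  => 403,
                ], 403); // second argument is the real HTTP status
            }
        }

        return parent::render($request, $exception);
    }
}
```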
Related
I want to return a JSON response instead of the default 404 error page when ModelNotFoundException occurs. To do this, I wrote the following code into app\Exceptions\Handler.php :
    public function render($request, Exception $exception)
    {
        if ($exception instanceof ModelNotFoundException) {
            return response()->json([
                'error' => 'Resource not found'
            ], 404);
        }
        return parent::render($request, $exception);
    }
However it doesn't work. When the ModelNotFoundException occurs, Laravel just shows a blank page. I found out that even declaring an empty render function in Handler.php makes Laravel display a blank page on ModelNotFoundException.
How can I fix this so it can return JSON/execute the logic inside the overridden render function?
In Laravel 8.x, you need to render exceptions in the register() method:
    use App\Exceptions\CustomException;
    /**
     * Register the exception handling callbacks for the application.
     *
     * @return void
     */
    public function register()
    {
        $this->renderable(function (CustomException $e, $request) {
            return response()->view('errors.custom', [], 500);
        });
    }
For ModelNotFoundException you can do it as below.
    use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
    public function register()
    {
        $this->renderable(function (NotFoundHttpException $e, $request) {
            return response()->json(...);
        });
    }
By default, the Laravel exception handler will convert exceptions into an HTTP response for you. However, you are free to register a custom rendering Closure for exceptions of a given type. You may accomplish this via the renderable method of your exception handler. Laravel will deduce what type of exception the Closure renders by examining the type-hint of the Closure:
More info about the error exception
This code doesn't work for me (in Laravel 8.74.0):
    $this->renderable(function (ModelNotFoundException $e, $request) {
        return response()->json(...);
    });
Don't know why, but ModelNotFoundException is directly forwarded to NotFoundHttpException (which is part of a Symfony component) that is used by Laravel and will ultimately trigger a 404 HTTP response. My workaround is checking the getPrevious() method of the exception:
    $this->renderable(function (NotFoundHttpException $e, $request) {
        if ($request->is('api/*')) {
            if ($e->getPrevious() instanceof ModelNotFoundException) {
                return response()->json([
                    'status' => 204,
                    'message' => 'Data not found'
                ], 200);
            }
            return response()->json([
                'status' => 404,
                'message' => 'Target not found'
            ], 404);
        }
    });
And then we will know that this exception comes from ModelNotFoundException and return a different response with NotFoundHttpException.
Edit
This is why ModelNotFoundException is thrown as NotFoundHttpException
This one is my Handler file:
    use Throwable;
    public function render($request, Throwable $exception)
    {
        if ($request->is('api/*')) {
            if ($exception instanceof ModelNotFoundException) {
                $model = strtolower(class_basename($exception->getModel()));
                return response()->json([
                    'error' => 'Model not found'
                ], 404);
            }
            if ($exception instanceof NotFoundHttpException) {
                return response()->json([
                    'error' => 'Resource not found'
                ], 404);
            }
        }
        // Everything else falls through to the framework's default rendering
        return parent::render($request, $exception);
    }
This one is only for requests on API routes. If you want to catch all requests, remove the first if.
Please note that by default Laravel emits a JSON representation of an exception ONLY when you send a request with the header parameter Accept: application/json! For all other requests, Laravel sends normal HTML rendered output.
I am building a RESTful API with Laravel and adding a few more custom attributes to the Laravel exception handler. Looking for the best way to do it.
I am currently using Laravel 6 and if I set the Accept header to application/json, exceptions are returned in JSON format. I still want to keep the existing logic on how Laravel handles exceptions through the render method, like so:
    public function render($request, Exception $exception)
    {
        return parent::render($request, $exception);
    }
The current method returns only message when debug is false.
    {
        "message": "No query results for model [App\\Model]"
    }
I would like to add more attributes to the response data for the existing exception and custom ones:
    {
        "message": "No query results for model [App\\Model]",
        "type": "exception",
        "url": "link to api docs",
        "id": "#id of the request"
    }
I don't want to rewrite all the logic within render() but want to keep it as is by just adding these attributes.
I use this:
    public function render($request, Exception $exception)
    {
        if ($exception instanceof ModelNotFoundException || $exception instanceof NotFoundExeptionMessage) {
            return $this->NotFoundExeptionMessage($request, $exception);
        }
        return parent::render($request, $exception);
    }
This code checks the error and passes it to NotFoundExeptionMessage if the header is set to application/json, and otherwise returns a render.
And in the second:
    // No JsonResponse return type here: the non-JSON branch returns whatever parent::render() builds
    public function NotFoundExeptionMessage($request, Exception $exception)
    {
        return $request->expectsJson()
            ? new JsonResponse([
                'data' => 'Not Found',
                'Status' => 'Error'
            ], 404)
            : parent::render($request, $exception);
    }
I check whether the request wants a JSON response; if so we return a JSON message,
and otherwise we return a render.
You can customize the JsonResponse.
Good luck.
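Added example (not code from the question or the answer above): one way to keep `parent::render()` intact in Laravel 6 and only decorate the JSON it produces with the extra `type`, `url` and `id` attributes the question asks for. Replacing the stock lookup message, the docs URL placeholder and the log message text are assumptions made here.

```php
<?php
// app/Exceptions/Handler.php (Laravel 6 signature, as in the question)

namespace App\Exceptions;

use Exception;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;

class Handler extends ExceptionHandler
{
    public function render($request, Exception $exception)
    {
        // Let the framework build its normal response first.
        $response = parent::render($request, $exception);

        // HTML pages and redirects pass through untouched.
        if (! $response instanceof JsonResponse) {
            return $response;
        }

        $body = $response->getData(true); // existing JSON body as an array
        if (! is_array($body)) {
            return $response;             // scalar JSON: nothing to decorate
        }

        // The stock message for a failed lookup names the model class
        // ("No query results for model [App\Model]"); send a neutral one.
        if ($exception instanceof ModelNotFoundException) {
            $body['message'] = 'Resource not found';
        }

        $body['type'] = 'exception';
        $body['url'] = 'https://example.test/docs/errors'; // placeholder docs link
        $body['id'] = (string) Str::uuid();                // server-generated request id

        // Log the same id so a client report can be matched to this event.
        Log::info('API error response', [
            'id' => $body['id'],
            'exception' => get_class($exception),
            'status' => $response->getStatusCode(),
        ]);

        return $response->setData($body);
    }
}
```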
I'm developing a Laravel 5.6 API and I'm using Resources and Collections, Route Model Binding.
To show an item, I currently use the following code in my controller:
    public function show(Todo $todo)
    {
        TodoResource::withoutWrapping();
        return new TodoResource($todo);
    }
In the Exceptions > Handler.php I have the following:
    public function render($request, Exception $exception)
    {
        // This will replace our 404 response with
        // a JSON response.
        if ($exception instanceof ModelNotFoundException) {
            return response()->json([
                'error' => 'Resource not found'
            ], 404);
        }
        return parent::render($request, $exception);
    }
This works perfectly when the item is found in the database. If the item is not in the database I get a (when using a browser):
"Sorry, the page you are looking for could not be found"
When using POSTMAN rest client, I'm getting
    {
        "message": "No query results for model [App\\Todo].",
        "exception": "Symfony\\Component\\HttpKernel\\Exception\\NotFoundHttpException",
        ....
        ....
I would like to simply retrieve a 404 error with text "Resource not found", using both a browser or POSTMAN.
* Update with Routing info *
In my api.php, I have the following:
    Route::apiResource('todos', 'TodoController');
    Route::fallback(function () {
        return response()->json(['message' => 'Not Found!'], 404);
    });
In web.php, I have:
Route::Resource('todos', 'TodoController');
What is the best way to achieve this?
Make sure to alias the exception class you are checking for.
use Illuminate\Database\Eloquent\ModelNotFoundException;
Without this you are checking for an instance of App\Exceptions\ModelNotFoundException.
I'm trying to show a custom error page, which I'd like to appear if the error wasn't a 'page not found' or an authentication issue (e.g. trying to access a page which the user doesn't have access to). I'm using the code below in Laravel 5.3's Handler.php. While the 404 part works, the authentication part doesn't (triggering this error just returns the 500 page instead). What am I missing?
    public function render($request, Exception $e)
    {
        if ($e instanceof NotFoundHttpException || $e instanceof AuthorizationException || $e instanceof AuthenticationException) {
            return parent::render($request, $e);
        }
        else {
            return response()->view('errors.500', [
                'sentryID' => $this->sentryID,
            ], 500);
        }
    }
Edit: Looks like you want to handle all the global error pages. Laravel uses Symfony's exception handler to generate the error page text and style. This can be found at
vendor/symfony/debug/ExceptionHandler.php
It's used in vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php as
use Symfony\Component\Debug\ExceptionHandler as SymfonyExceptionHandler;
To handle every error and exception you can extend the method prepareResponse to app/Exceptions/Handler.php and make appropriate changes.
    protected function prepareResponse($request, Exception $e)
    {
        if ($this->isHttpException($e)) {
            return $this->toIlluminateResponse($this->renderHttpException($e), $e);
        } else {
            return $this->toIlluminateResponse($this->convertExceptionToResponse($e), $e);
        }
    }
You can check the underlying working of this method in vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php
End edit
You don't need to mess in the render method for this. Out of the box Laravel searches for error views and renders them if available based on the error code. So for 404 and 500 you could just create the following two views and customize them in there.
resources/views/errors/404.blade.php
resources/views/errors/500.blade.php
These views get the exception, status and header information for you to display if needed. They are called like so
return response()->view("errors.{$status}", ['exception' => $e], $status, $e->getHeaders());
For the authentication check, Laravel calls the unauthenticated method in app/Exceptions/Handler.php when a user is unauthenticated. This code by default redirects the users to the login page or shows a JSON response. You can make your changes here.
    protected function unauthenticated($request, AuthenticationException $exception)
    {
        if ($request->expectsJson()) {
            return response()->json(['error' => 'Unauthenticated.'], 401);
        }
        return redirect()->guest('login');
    }
I've built a login form rendered by this controller action:
    public function loginAction() {
        $helper = $this->get('security.authentication_utils');
        return $this->render('SecurityLoginBundle:Login:login.html.twig', array(
            'last_username' => $helper->getLastUsername(),
            'error' => $helper->getLastAuthenticationError(),
        ));
    }
If the user does not provide a valid email/password "getLastAuthenticationError()" throws a "BadCredentialsException"; if the user is disabled a "DisabledException" is thrown. Both exception objects have a "message" property but I'd like to change the labels. How do I do that?
An ugly workaround would be to read those messages in my Twig template and replace them with my wording but is there a better way? Like checking the class of the "error" parameter in Twig. Unfortunately
get_class($helper->getLastAuthenticationError())
didn't work - it returns "Security\LoginBundle\Controller\LoginController".
Thanks!
I had the same problem.
I solved it when I saw
class Symfony\Component\Security\Http\Authentication\AuthenticationUtils
getLastAuthenticationError has a default parameter $clearSession = true
So you can handle the error and clear the session afterwards
$helper = $this->get('security.authentication_utils');
$error = $helper->getLastAuthenticationError();
You can also, if the error is an instance of some Exception, throw an Exception with your custom message
    if ($error instanceof BadCredentialsException) {
        throw new \Exception('Your Custom exception');
    }
Add a try/catch if you want and create a new var $error with your custom message.
And afterwards return the message content, because it's an exception:
    return $this->render('SecurityLoginBundle:Login:login.html.twig', array(
        'last_username' => $helper->getLastUsername(),
        'error' => $error ? $error->getMessage() : null,
    ));
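Added example (not code from the question or the answer above): the login action with the error read once and mapped to custom wording by exception class, without throwing. The `labelFor()` helper and both label strings are hypothetical; the namespace and template name are taken from the question.

```php
<?php
// Symfony 2.x/3.x style controller, matching the service name used in the question.

namespace Security\LoginBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\DisabledException;

class LoginController extends Controller
{
    public function loginAction()
    {
        $helper = $this->get('security.authentication_utils');
        // Read the error once: the default $clearSession = true removes it
        // from the session, so a second call returns null.
        $error = $helper->getLastAuthenticationError();

        return $this->render('SecurityLoginBundle:Login:login.html.twig', array(
            'last_username' => $helper->getLastUsername(),
            'error' => $this->labelFor($error), // a plain string or null for the template
        ));
    }

    /** Hypothetical helper: map the exception class to display wording. */
    private function labelFor(AuthenticationException $error = null)
    {
        // With no error (first visit, or already cleared) there is nothing to map.
        // get_class(null) inside a method returns the enclosing class on PHP < 7.2,
        // which matches the controller class name reported in the question.
        if ($error === null) {
            return null;
        }
        if ($error instanceof BadCredentialsException) {
            return 'Wrong e-mail or password.'; // constructed label
        }
        if ($error instanceof DisabledException) {
            // A distinct label here confirms to the visitor that the account exists.
            return 'This account has been disabled.'; // constructed label
        }
        // Any other failure: the exception's own generic, translatable key.
        return $error->getMessageKey();
    }
}
```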