Not authorized to perform an action that does not modify the resource #3561
Description: When running an action on a table row resource I'm seeing "Sorry, you are not authorized to perform this action". The resource has an application policy allowing viewAny and view, but nothing else is authorized. The action is not modifying the resource (it's a download PDF button). If I allow update permissions the action runs, but then the user can edit the resource through the Nova interface, which I do not want. Is there a workaround or a way of allowing the action to run without the resource being editable? I've searched the docs and can't find one, but it's possible/probable I have missed something.
Replies: 3 comments 2 replies
It's peculiar this thread isn't more popular. I've also run into this issue and I'm trying to find a way to allow users to run actions but not edit/delete entire resources.
This has come up in issues before, but the logic for Orion is: "If the user cannot edit or delete a resource, they are not allowed to run actions that potentially do the same thing against the resource". Modifying this mid-series would be a breaking change.
The next series update will use the following logic order:
1. canRun on the Action.
2. runAction or runDestructiveAction on the underlying model policy.
3. update or delete on the underlying model policy or return false.

This is really unfortunate. We should at least be able to define a method on the action that overrides the default permission check, without introducing a breaking change, right?
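
The check order from the maintainer's reply above, modeled in stand-alone PHP as an added example; it is not Nova's source and not code from this thread. `ReportPolicy`, `authorizedToRun()` and the user name are hypothetical, and it assumes that the first check that is defined decides, with `runAction`/`update` applying to ordinary actions and `runDestructiveAction`/`delete` to destructive ones.

```php
<?php
declare(strict_types=1);

// Constructed policy matching the question: read-only access, no update/delete,
// plus a runAction ability that reuses the view check.
final class ReportPolicy
{
    public function view(string $user, object $model): bool { return true; }
    public function update(string $user, object $model): bool { return false; }
    public function delete(string $user, object $model): bool { return false; }
    public function runAction(string $user, object $model): bool
    {
        return $this->view($user, $model);
    }
}

// Hypothetical resolver for the three-step order (assumption: first defined check wins).
function authorizedToRun(?callable $canRun, object $policy, bool $destructive,
                         string $user, object $model): bool
{
    // 1. canRun on the Action.
    if ($canRun !== null) {
        return (bool) $canRun($user, $model);
    }
    // 2. runAction or runDestructiveAction on the underlying model policy.
    $ability = $destructive ? 'runDestructiveAction' : 'runAction';
    if (method_exists($policy, $ability)) {
        return (bool) $policy->$ability($user, $model);
    }
    // 3. update or delete on the underlying model policy, or return false.
    $fallback = $destructive ? 'delete' : 'update';
    return method_exists($policy, $fallback)
        && (bool) $policy->$fallback($user, $model);
}

$model  = new stdClass();            // constructed stand-in for the table row
$policy = new ReportPolicy();
// Policy that predates runAction: only update exists, and it denies.
$legacy = new class {
    public function update(string $user, object $model): bool { return false; }
};

// Download-PDF style action: decided at step 2 by runAction.
var_dump(authorizedToRun(null, $policy, false, 'alice', $model));
// Destructive action: no runDestructiveAction, so step 3 consults delete.
var_dump(authorizedToRun(null, $policy, true, 'alice', $model));
// Legacy policy: nothing defined before step 3, so update decides.
var_dump(authorizedToRun(null, $legacy, false, 'alice', $model));
// A canRun callback on the action decides at step 1, before any policy method.
var_dump(authorizedToRun(fn () => false, $policy, false, 'alice', $model));
```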