UserPolicy is called for viewNova gate

[OliverZiegler]

• Laravel Version: 10.22.0
• Nova Version: 4.27.12
• PHP Version: 8.2

Description:

As already stated in #2795 currently the Gate::check('viewNova', [Nova::user($request)]) call in the NovaApplicationServiceProvider::authorization() call leads to unintended behaviour regarding the use of Policies.

By passing [Nova::user($request)] to the gate method, Laravel authorization logic resolves to the existing UserPolicy.
As stated in the Laravel Docs:

Policies are classes that organize authorization logic around a particular model or resource.
In my opinion the UserPolicy should have nothing to do with the viewNova authorization or it should be explicitly stated in Nova-Docs.

As @crynobone stated in #2795 (comment) the parameter is used for assuring that the correct guard is used.
I don't see how by passing the parameter you are assuring this.
Could you please lead me to the code for better understanding?

In https://laravel.com/docs/10.x/authorization#authorizing-actions-via-gates there is mentioned another method for specific user checking: Gate::forUser
Would this be a better approach?

The default authorization code would then be:

    protected function authorization()
    {
        Nova::auth(function ($request) {
            return app()->environment('local') ||
                   Gate::forUser(Nova::user($request))->check('viewNova');
        });
    }

and this should assure that there is no interference with the UserPolicy in any unintended way.

Detailed steps to reproduce the issue on a fresh Nova installation:

• Create UserPolicy
• add public function __call or public function viewNova
• the defined guard in the nova service provider will not be called instead the method in the UserPolicy gets called

[crynobone]

Wouldn't this cause a breaking change if users already utilize UserPolicy::viewNova(). As this involve authorization to Nova we need to consider changing this with caution, and may only consider this on a major release.

Also note that this usage is identical to other first-party packages: https://github.com/laravel/telescope/blob/3a250a44faa89ba4790ad6207060e90f79f49d1e/src/TelescopeApplicationServiceProvider.php#L29-L32

[OliverZiegler]

I understand this would be a breaking change for anyone relying on UserPolicy::viewNova and should not be implemented.

For clarity I would propose to add some information to https://nova.laravel.com/docs/installation.html#authorizing-access-to-nova so developers are aware of this behaviour.

Some sentence like:

Optionally you can use your UserPolicy to handle the gate check. Just add a viewNova method to it and it will be called with the currently authenticated user.