
Ability to see BelongsTo field after Nova update from 3 to 4 even though Policy does not allow it #6222

@BobbyBorisov

  • Laravel Version: 9.32
  • Nova Version: 4.27.0
  • PHP Version: 8.1
  • Database Driver & Version:
  • Operating System and Version: Mac OS
  • Browser type and version: Chrome

Description:

Hello,

I stumbled on a strange behaviour during the update from Nova 3 to Nova 4. Basically, I am able to see relations on a resource in the Index and Details views even though the Policy for that resource says the user is unable to see it. I can see that in the previous Nova 3, BelongsTo has the following method:

    public function authorize(Request $request)
    {
        return $this->isNotRedundant($request) && call_user_func(
            [$this->resourceClass, 'authorizedToViewAny'], $request
        ) && parent::authorize($request);
    }

but in Nova 4 that method looks like this:

    public function authorize(Request $request)
    {
        return $this->isNotRedundant($request) && parent::authorize($request);
    }

This leads to the behaviour that users can see certain BelongsTo relations which they previously couldn't. I can see that this check for authorizedToViewAny has been moved into the jsonSerialize() method and looks intentional, but I think this leads to different behaviour between the two versions and wanted to ask: is it intentional? I couldn't see anything about that behaviour in the upgrade guide, though.

What is your suggestion to bring back the old behaviour? To have canSee on all of my BelongsTo relations?

Kind regards,
Bobby
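
An added example, not part of the original post and not Nova's own code: one way to restore the Nova 3 check in a single place, instead of adding canSee to every BelongsTo, is a subclass that re-adds the `authorizedToViewAny` call quoted above. The class name `PolicyCheckedBelongsTo`, its namespace and the `App\Nova\User` resource in the usage comment are assumptions.

```php
<?php

namespace App\Nova\Fields; // hypothetical namespace, not from the issue

use Illuminate\Http\Request;
use Laravel\Nova\Fields\BelongsTo;

/**
 * Hypothetical BelongsTo subclass that hides the field when the related
 * resource's policy denies viewAny, as the Nova 3 authorize() quoted in
 * the issue did.
 */
class PolicyCheckedBelongsTo extends BelongsTo
{
    /**
     * Determine if the field should be shown for the given request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    public function authorize(Request $request)
    {
        // The check Nova 4 no longer performs here: ask the related
        // resource class whether this user may view any of its models.
        $mayViewAny = call_user_func(
            [$this->resourceClass, 'authorizedToViewAny'], $request
        );

        // parent::authorize() is the Nova 4 method shown in the issue:
        // isNotRedundant() plus the base field's own authorization.
        return $mayViewAny && parent::authorize($request);
    }
}

// Usage inside a resource's fields() method (App\Nova\User is assumed):
//
//     PolicyCheckedBelongsTo::make('User', 'user', \App\Nova\User::class),
//
// A denied viewAny then removes the field from the Index and Details
// responses, rather than only affecting how it is serialized.
```

After swapping a field over, load the Index and Details views as a user whose policy denies viewAny on the related resource and confirm the relation is absent from the response.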
