When a user gets a 401 message, they have no way of knowing what roles/perms they lack. #212

Open
mmbrich opened this issue Apr 6, 2017 · 3 comments

Comments

@mmbrich
mmbrich commented Apr 6, 2017

When a user is given a 401 error message, they have no way to know what roles/perms they are lacking without asking a developer to look at the code (if they don't know it off the top of their head).

I propose that the error message sent from abort() should have the 'can' and 'is' requirements for that route/page/etc.

I have a patch for this feature. I'll submit a pull request shortly.

@mmbrich
mmbrich commented Apr 6, 2017

--- HasPermission.php.orig 2017-04-06 15:38:52.000000000 -0500
+++ HasPermission.php 2017-04-06 15:37:51.000000000 -0500
@@ -49,17 +49,20 @@
return $next($request);
}

  •    $msg = "You are not authorized to access this resource. ";
    
  •    $msg .= "Required Roles: ".implode(' ',$this->getAction('is')). "Required Permissions: ".implode(' ',$this->getAction('can'));
    
  •    if ( $request->isJson() || $request->wantsJson() ) {
           return response()->json([
               'error' => [
                   'status_code' => 401,
                   'code'        => 'INSUFFICIENT_PERMISSIONS',
    
  •                'description' => 'You are not authorized to access this resource'
    
  •                'description' => $msg
               ],
           ], 401);
       }
    
  •    return abort(401, 'You are not authorized to access this resource') ;
    
  •    return abort(401, $msg) ;
    

    }

    /**
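Review bot: the new `$msg` built on the `$msg .= "Required Roles: ".implode(' ',$this->getAction('is'))...` line sends the route's exact role and permission names to a caller the middleware has just refused, so every 401 becomes a readout of the authorization model to anyone who probes routes; keep the generic description in both the JSON branch (`'description' => 'You are not authorized to access this resource'`) and the `abort(401, ...)` call, and write the `getAction('is')` / `getAction('can')` values to the application log instead, keyed by a reference the user can quote to a developer. Smaller point: the `implode(' ', ...)` result is concatenated with no separator before `"Required Permissions: "`, so a role list runs straight into that label, and a route with no roles produces `Required Roles: Required Permissions: ...`. Unrelated to this change but visible in the context lines, `'status_code' => 401` paired with `INSUFFICIENT_PERMISSIONS` is a semantic mismatch: 401 means the request lacks valid credentials, while a permission failure for an identified user is 403.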

@mkarnicki
I appreciate your comment on this matter, but I don't agree with you. You do not want to expose application logic to the client. 401 INSUFFICIENT_PERMISSIONS is just right in my opinion.

@judgej
judgej commented Aug 15, 2017

"You do not have permission to access this resource."
"Oh, so there IS a resource there. Thanks. 😈"
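As an added illustration of the alternative mkarnicki points to (example code, not the project's HasPermission middleware; the function name, log fields and sample values are assumptions of mine), the caller keeps the generic 401 body plus an opaque reference, and the route's 'is'/'can' requirements go only into the server log under that reference, so a developer can still answer "what am I missing?" without the response disclosing the authorization model:

```php
<?php
// Added example, not the project's code: split the denial into a generic
// client body and a detailed server-side log record joined by a reference id.
declare(strict_types=1);

// $requiredRoles / $requiredPerms stand in for $this->getAction('is') / ('can').
function buildDenial(array $requiredRoles, array $requiredPerms, string $path, ?string $userId): array
{
    $ref = bin2hex(random_bytes(8)); // opaque handle, safe to show the caller

    // What the client sees: no role or permission names, only a lookup handle.
    $client = [
        'error' => [
            'status_code' => 401,
            'code'        => 'INSUFFICIENT_PERMISSIONS',
            'description' => 'You are not authorized to access this resource.',
            'reference'   => $ref,
        ],
    ];

    // What the application log sees: enough for support to answer the user.
    $log = [
        'event'          => 'authz.denied',
        'reference'      => $ref,
        'user'           => $userId ?? 'anonymous',
        'path'           => $path,
        'required_roles' => $requiredRoles,
        'required_perms' => $requiredPerms,
    ];

    return [$client, $log];
}

// Constructed sample request: an editor-only publish route hit by user 42.
[$client, $log] = buildDenial(['admin', 'editor'], ['posts.publish'], '/posts/7/publish', '42');

error_log(json_encode($log));                  // server log only, never the response
echo json_encode($client, JSON_PRETTY_PRINT), PHP_EOL; // body returned with HTTP 401
```

The reference in the body and the `reference` field in the log line are the same value, so a support request quoting it leads straight to the logged `required_roles` and `required_perms`.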

3 participants