403 on nova resource update and call wrong gate #6546

Closed
MattiaMarchiorato opened this issue Oct 3, 2024 · 5 comments
Labels: needs more info (More information is required)

Comments

@MattiaMarchiorato

  • Laravel Version: "laravel/framework": "^10.0"
  • Nova Version: "laravel/nova": "^4.27"
  • PHP Version: 8.3
  • Database Driver & Version: MySQL 8.0.30
  • Operating System and Version: Ubuntu 24.04
  • Browser type and version: chrome

Description:
On updating a nova resource the app hits 3 gates:
viewNova - allowed
create - allowed
[
"App\Models\QrCode"
]

create - denied
[
"App\Models\Suggestion"
]

There are no relations with models QrCode and Suggestion and there are no policies for suggestions.

Thanks

MM

@crynobone added the "needs more info" (More information is required) label Oct 3, 2024
@crynobone
Member

Unable to reproduce the issue. Please provide a full reproducing repository based on a fresh installation, as suggested in the bug report template (or you can refer to https://github.com/nova-issues for an example).

@MattiaMarchiorato
Author

Hello @crynobone

You can create a fresh project with nova and telescope and add this UserPolicy


<?php

namespace App\Policies;

use App\Models\User;
use Illuminate\Auth\Access\Response;

class UserPolicy
{
    /**
     * Create a new policy instance.
     */
    public function __construct()
    {
        //
    }

    /**
     * Allow a user to update their own record; admins may update any user.
     */
    public function update(User $user, User $EditedUser): Response
    {
        if (($EditedUser->id === $user->id) || $user->isAdmin()) {
            return Response::allow();
        }

        return Response::deny('You do not own this qr code.');
    }
}

Then when you try to update a user you will see a lot of denied gateways
[Image: Screenshot 2024-10-04 alle 15 28 18]

Please tell me if you run into the same issue.

Thanks

MM

@MattiaMarchiorato
Author

After a short analysis, I get that the gates were denied if the method does not exist; this seems like a bug to me.
For example, for some Models we just need maybe an update policy to restrict this action but not a view or create policy, am I wrong?

Thanks

MM

@crynobone
Member

> After a short analysis, get that the gate were denied if the method does not exist, this seems a bug to me.

Expected behaviour, and already described in the documentation: https://nova.laravel.com/docs/resources/authorization.html#undefined-policy-methods

@crynobone closed this as not planned (won't fix, can't repro, duplicate, stale) Oct 4, 2024
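
A check that follows from the maintainer's answer, as an added example (not code from this thread or from Nova): it lists which standard policy methods a policy class leaves undefined, so each one can be decided explicitly instead of being left to Nova's default for undefined methods. The ability list, `undefinedPolicyMethods()` and `SampleUserPolicy` are assumptions made for illustration.

```php
<?php

// Added example. Assumption: these are the resource-level policy method
// names to audit; relationship and action abilities are out of scope here.
const RESOURCE_ABILITIES = [
    'viewAny', 'view', 'create', 'update',
    'replicate', 'delete', 'restore', 'forceDelete',
];

/**
 * Return the abilities from RESOURCE_ABILITIES that $policyClass does not
 * expose as a public method.
 *
 * @return string[]
 */
function undefinedPolicyMethods(string $policyClass): array
{
    if (!class_exists($policyClass)) {
        throw new InvalidArgumentException("Policy class not found: {$policyClass}");
    }

    $reflection = new ReflectionClass($policyClass);
    $missing = [];

    foreach (RESOURCE_ABILITIES as $ability) {
        // A private or protected method cannot be called by the gate,
        // so it is reported the same way as an absent one.
        if (!$reflection->hasMethod($ability)
            || !$reflection->getMethod($ability)->isPublic()) {
            $missing[] = $ability;
        }
    }

    return $missing;
}

// Constructed stand-in for the UserPolicy posted above: only update() exists.
final class SampleUserPolicy
{
    public function update(object $user, object $editedUser): bool
    {
        return $editedUser->id === $user->id;
    }
}

foreach ([SampleUserPolicy::class] as $policy) {
    $missing = undefinedPolicyMethods($policy);
    echo $policy, ': ',
        $missing ? 'undefined: ' . implode(', ', $missing) : 'all defined', PHP_EOL;
}
```

Run against the real policy classes (for example from a test), the report shows where an explicit method still has to be written for each action a resource should permit.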