Handle non-JSON requests in auth middlewares

KroderDev · KroderDev · commit d7a7c4afef5d · 2025-06-23T22:33:21.000-04:00
Updated PermissionMiddleware and RoleMiddleware to return a JSON response only if the request expects JSON. For non-JSON requests, the middlewares now abort with a 403 error and a relevant message. This improves compatibility with web and API clients.
diff --git a/src/Http/Middleware/PermissionMiddleware.php b/src/Http/Middleware/PermissionMiddleware.php
@@ -22,11 +22,14 @@ public function handle(Request $request, Closure $next, string $permission): Res
     {
         $user = Auth::user();
         if (! $user || ! $user->hasPermissionTo($permission)) {
-            return response()->json([
-                'error'   => 'forbidden',
-                'message' => "User does not have required permission: {$permission}",
-                'status'  => Response::HTTP_FORBIDDEN,
-            ], Response::HTTP_FORBIDDEN);
+            if ($request->expectsJson()) {
+                return response()->json([
+                    'error'   => 'forbidden',
+                    'message' => "User does not have required permission: {$permission}",
+                    'status'  => Response::HTTP_FORBIDDEN,
+                ], Response::HTTP_FORBIDDEN);
+            }
+            abort(Response::HTTP_FORBIDDEN, "User does not have required permission: {$permission}");
         }
         return $next($request);
     }
diff --git a/src/Http/Middleware/RoleMiddleware.php b/src/Http/Middleware/RoleMiddleware.php
@@ -22,11 +22,14 @@ public function handle(Request $request, Closure $next, string $role): Response
     {
         $user = Auth::user();
         if (! $user || ! $user->hasRole($role)) {
-            return response()->json([
-                'error'   => 'forbidden',
-                'message' => "User does not have required role: {$role}",
-                'status'  => Response::HTTP_FORBIDDEN,
-            ], Response::HTTP_FORBIDDEN);
+            if ($request->expectsJson()) {
+                return response()->json([
+                    'error'   => 'forbidden',
+                    'message' => "User does not have required role: {$role}",
+                    'status'  => Response::HTTP_FORBIDDEN,
+                ], Response::HTTP_FORBIDDEN);
+            }
+            abort(Response::HTTP_FORBIDDEN, "User does not have required role: {$role}");
         }
         return $next($request);
     }
