@simonhamp
Created December 10, 2017 06:00
Laravel Testing: Ensure your controllers enforce authorization
<?php

namespace App\Tests;

use Illuminate\Support\Facades\Route;

class AuthorizationTest extends TestCase
{
    public function setUp()
    {
        parent::setUp();

        /**
         * Testing without middleware allows us to bypass all of the other security at the route/middleware layer.
         * This will allow us to check the controller layer security.
         */
        $this->withoutMiddleware();
    }

    public function testAllRoutesRequireAuthorization()
    {
        // Route::getRoutes() returns a RouteCollection of Route objects, not arrays,
        // so the HTTP methods and URI are read through the Route accessors rather
        // than destructured with list(). A route may answer to several methods.
        foreach (Route::getRoutes() as $route) {
            $uri = $route->uri();

            foreach ($route->methods() as $method) {
                // Call each endpoint with no authenticated user; every
                // controller action must refuse with 403.
                $response = $this->call($method, $uri);

                $this->assertEquals(
                    403,
                    $response->getStatusCode(),
                    "Insecure Route: $method $uri."
                );
            }
        }
    }
}
@simonhamp (Author)

Using Laravel's built-in Authorization (Gates/Policies) is a simple and excellent way to secure your application. One of the tricks when it's deployed is that, without the presence of an authenticated user, your rules will all fail (as you'd expect) and Laravel adds a 403 Forbidden header to the response.

If you use a common base controller that handles all of your authorization rules, when overriding any of the methods, it's all too easy to forget to add the authorization call back in. This test should help you spot those cases where you miss it.
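The failure mode the comment describes, as an added example that is not part of the gist: a base controller that centralizes the authorize() call, a subclass whose override drops it, and the corrected override. The ResourceController name, the App\Post model and its 'update' policy ability are assumptions.

```php
<?php
// Added example (not part of the gist): the failure mode the test above catches.
// Hypothetical names: App\Post model with an 'update' policy ability, ResourceController.
namespace App\Http\Controllers;

use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

abstract class ResourceController extends Controller
{
    use AuthorizesRequests;
    protected $modelClass; // Eloquent model class managed by the subclass

    public function update(Request $request, $id)
    {
        $model = $this->modelClass::findOrFail($id);
        // Policy check. With no authenticated user the policy denies and
        // authorize() throws AuthorizationException, rendered as a 403:
        // the status AuthorizationTest expects from every route.
        $this->authorize('update', $model);
        $model->update($request->only($model->getFillable()));
        return response()->json($model);
    }
}

// Insecure override: authorize() was not carried over, so PUT posts/{id} runs for
// an unauthenticated caller and the test reports "Insecure Route: PUT posts/{id}."
class InsecurePostController extends ResourceController
{
    protected $modelClass = \App\Post::class;
    public function update(Request $request, $id)
    {
        $post = \App\Post::findOrFail($id);
        $post->update($request->only('title', 'body'));
        return response()->json($post);
    }
}

// Fixed override: restore the policy check before any state is changed.
class PostController extends ResourceController
{
    protected $modelClass = \App\Post::class;
    public function update(Request $request, $id)
    {
        $post = \App\Post::findOrFail($id);
        $this->authorize('update', $post);
        $post->update($request->only('title', 'body'));
        return response()->json($post);
    }
}
```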
