I'm trying to find a clean way to override the AuthorizationException to take a dynamic string that can be passed back when a policy fails.

Things I know I can do are:

1) Wrap the policy in the controller with a try-catch, then rethrow a custom exception that takes a specific string, which seems a bit verbose

2) abort(403, '...') in the policy prior to returning, which seems a bit hacky since policies are already doing the work

and then in /Exceptions/Handler::render I can send back the response as JSON

Is there a nicer way to do this to get a message in the response of a policy failure? or is 1 or 2 my best choices.

I noticed if you throw AuthorizationException($message) in a policy using Laravel's exception it jumps you out of the policy, but continues execution in the controller, and doesn't progress to Handler::render. Which I'm assuming this is them handling the exception somehow, but I couldn't find where they were doing it... so if anyone finds where this is happening I'd still like to know.

If you create your own AuthorizationException and throw it, it will stop execution as expected, and drop into Handler::render so I ended up adding this method to my policy:

use App\Exceptions\AuthorizationException;

// ... removed for brevity

private function throwExceptionIfNotPermitted(bool $hasPermission = false, bool $allowExceptions = false, $exceptionMessage = null): bool
{
    // Only throw when a message is provided, or use the default 
    // behaviour provided by policies
    if (!$hasPermission && $allowExceptions && !is_null($exceptionMessage)) {

        throw new \App\Exceptions\AuthorizationException($exceptionMessage);
    }

    return $hasPermission;
}

New exception for throwing in policies only in \App\Exceptions:

namespace App\Exceptions;

use Exception;

/**
 * The AuthorizationException class is used by policies where authorization has
 * failed, and a message is required to indicate the type of failure.
 * ---
 * NOTE: For consistency and clarity with the framework the exception was named
 * for the similarly named exception provided by Laravel that does not stop
 * execution when thrown in a policy due to internal handling of the
 * exception.
 */
class AuthorizationException extends Exception
{
    private $statusCode = 403;

    public function __construct($message = null, \Exception $previous = null, $code = 0)
    {
        parent::__construct($message, $code, $previous);
    }

    public function getStatusCode()
    {
        return $this->statusCode;
    }
}

Handle the exception and provide the message in a JSON response in Handler::render():

public function render($request, Exception $exception)
{
    if ($exception instanceof AuthorizationException && $request->expectsJson()) {

        return response()->json([
            'message' => $exception->getMessage()
        ], $exception->getStatusCode());
    }

    return parent::render($request, $exception);
}

and I also removed it from being logged in Handler::report.

Laravel does have an option to pass arguments to customize the errors in the authorize() method of a Controller Class accessed through the Gate Class's implementation of the GateContract made available by the Gate Facade.

However, it seems that they forgot to pass those arguments to the allow()/deny() methods responsible for returning error messages, implemented in the HandlesAuthorization Trait.

You need to pass those arguments by following these steps:

1. Modify the authorize method in the vendor/laravel/framework/src/Illuminate/Auth/Access/Gate.php file

   public function authorize($ability, $arguments = []) {
     $result = $this->raw($ability, $arguments);
     if ($result instanceof Response) {
         return $result;
     }
   
     return $result ? $this->allow() : $this->deny($arguments);
   }
   

2. Call authorize from the controller with an extra argument, ie: your custom $message -

   $message = "You can not delete this comment!";
   $response = $this->authorize('delete', $message);
   

I have made a pull request to fix this, hopefully someone will merge it soon.

I think the best way to think about Policies is they are simply a way to split controller logic, and move all authorization related logic to a separate file. Thus abort(403, 'message') is the right way to do this, in most cases.

The only downside is you may want some policies to be 'pure' logic for use in business logic only, and thus not to have any response control. They could be kept separate, and a commenting system could be used distinguish them.

What I found was not "passing" a custom message to authorize, just defining a custom message in the policy it selfs, so, for example, if you have the method "canUseIt", in your UserPolicy, like the following:

public function canUseIt(User $user, MachineGun $machineGun)
    {
        if ($user->isChuckNorris()) {
            return true;
        }
        return false;
    }

You can change it and do something like this:

public function canUseIt(User $user, MachineGun $machineGun)
    {
        if ($user->isChuckNorris()) {
            return true;
        }
        $this->deny('Sorry man, you are not Chuck Norris');
    }

It uses the deny() method from the HandlesAuthorization trait. Then when you use it like $this->authorize('canUseIt', $user) and it fails, it will return a 403 HTTP error code with the message "Sorry man, you are not Chuck Norris".