It is absolutely critical to enforce authorization checks on your Horizon dashboard in production, but what about in your local development environment? By default, the Horizon authorization gate is hard-coded to return true if running locally.
My advice is to not special-case your authorization checks based on environment. Consistency between your local environment, the CI environment, and your production environment can make it possible to catch certain types of bugs before they ever reach real users in production.
For example, can you have full confidence in your authorization feature tests if there's special logic kicking in for different environments?
Also, think about why we don't try to bypass authorization in general when doing local development? Sure, it would be a lot more convenient, but it just makes it too easy to have a bug slip through into production because of this radical shift in behavior for the local environment. The same logic applies to Horizon authorization.
Over the years, I've been burned in so many subtle ways by having my local environment slightly different from prod, so my reflex now is to make them match as closely as possible.
Since Laravel has an authorization bypass if you're running in the local environment, if you want to force authorization checks in local, you'll need to override that behavior. Here's how I do it:
// app/Providers/HorizonServiceProvider.php
/**
* Overriding this so we can enforce the gate check, even in the local environment
*/
protected function authorization(): void
{
$this->gate();
Horizon::auth(function ($request) {
return Gate::check('viewHorizon', [$request->user()]);
});
}
Here to help,
Joel
P.S. How confident do you feel with your current tests in your Laravel application? Hit reply and let me know, or book a call if you know you need some help.