fix: hide actions with authorization feedback when denial has no message (#19792)

intrepidws · danharrin · web-flow · commit 2f10baac0933 · 2026-05-07T10:06:41.000+01:00
* Add "or hidden" mode for action auth tooltips and notifications

* Update 01-overview.md

* Make new functionality the default

* test: relocate authorization tests into ActionTest.php

Moves the authorization feedback test cases from a standalone
AuthorizationFeedbackTest.php into a `describe('authorization', ...)`
block in ActionTest.php, alongside related Action behaviour tests.
Adds four baseline tests for the wider authorization concern (default
visibility, `authorize(false)` without feedback methods, `Response`
acceptance, and `authorizationMessage()` chaining), since no prior
tests covered any of `CanBeAuthorized`.

---------

Co-authored-by: Dan Harrin &lt;git@danharrin.com&gt;
diff --git a/packages/actions/docs/01-overview.md b/packages/actions/docs/01-overview.md
@@ -262,6 +262,8 @@ Action::make('edit')
     ->authorizationTooltip()
 ```
 
+If the denial does not provide a message (for example, your policy returns plain `false`, or a `Gate::before()` hook short-circuits the check), the action is hidden instead. You can supply a fallback message with `authorizationMessage()` to keep the action visible in that case.
+
 <AutoScreenshot name="actions/trigger-button/authorization-tooltip" alt="Disabled action button with an authorization tooltip" version="4.x" />
 
 You may instead allow the action to still be clickable even if the user is not authorized, but send a notification containing the response message, using the `authorizationNotification()` method:
@@ -275,6 +277,8 @@ Action::make('edit')
     ->authorizationNotification()
 ```
 
+As with `authorizationTooltip()`, the action is hidden if the denial does not provide a message, unless you supply a fallback with `authorizationMessage()`.
+
 ### Disabling a button
 
 If you want to disable a button instead of hiding it, you can use the `disabled()` method:
diff --git a/packages/actions/src/Concerns/CanBeAuthorized.php b/packages/actions/src/Concerns/CanBeAuthorized.php
@@ -205,15 +205,17 @@ public function hasAuthorizationNotification(): bool
 
     public function isAuthorizedOrNotHiddenWhenUnauthorized(): bool
     {
-        if ($this->hasAuthorizationTooltip()) {
-            return true;
+        if (! $this->hasAuthorizationTooltip() && ! $this->hasAuthorizationNotification()) {
+            return $this->isAuthorized();
         }
 
-        if ($this->hasAuthorizationNotification()) {
+        $response = $this->getAuthorizationResponse();
+
+        if ($response->allowed()) {
             return true;
         }
 
-        return $this->isAuthorized();
+        return filled($response->message()) || filled($this->getAuthorizationMessage());
     }
 
     public function authorizeIndividualRecords(bool | string | Closure | null $callback = true): static
diff --git a/tests/src/Actions/ActionTest.php b/tests/src/Actions/ActionTest.php
@@ -11,6 +11,7 @@
 use Filament\Tests\Actions\TestCase;
 use Filament\Tests\Fixtures\Models\Post;
 use Filament\Tests\Fixtures\Pages\Actions;
+use Illuminate\Auth\Access\Response;
 use Illuminate\Support\Str;
 
 use function Filament\Tests\livewire;
@@ -1548,3 +1549,174 @@
         expect($action)->toBeInstanceOf(Action::class);
     });
 });
+
+describe('authorization', function (): void {
+    it('is visible by default when no `authorize()` is configured', function (): void {
+        $action = Action::make('test');
+
+        expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+        expect($action->isVisible())->toBeTrue();
+    });
+
+    it('is hidden when `authorize()` returns `false` and no auth feedback method is set', function (): void {
+        $action = Action::make('test')
+            ->authorize(fn (): bool => false);
+
+        expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+        expect($action->isVisible())->toBeFalse();
+    });
+
+    it('accepts an `authorize()` closure returning a `Response`', function (): void {
+        $action = Action::make('test')
+            ->authorize(fn (): Response => Response::deny('Nope.'));
+
+        expect($action->getAuthorizationResponse()->message())->toBe('Nope.');
+    });
+
+    it('can chain `authorizationMessage()` to set a fallback message', function (): void {
+        $action = Action::make('test')
+            ->authorizationMessage('Custom fallback.');
+
+        expect($action->getAuthorizationMessage())->toBe('Custom fallback.');
+    });
+
+    describe('with `authorizationNotification()`', function (): void {
+        it('shows the action when the user is allowed', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::allow())
+                ->authorizationNotification();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+        });
+
+        it('shows the action when denied with a message', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny('You cannot do that.'))
+                ->authorizationNotification();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+            expect($action->hasAuthorizationNotification())->toBeTrue();
+            expect($action->getAuthorizationResponseWithMessage()->message())->toBe('You cannot do that.');
+        });
+
+        it('hides the action when denied with `Response::deny()` and no message', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny())
+                ->authorizationNotification();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('hides the action when the policy returns bare `false`', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationNotification();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('shows the action when `authorizationMessage()` is set even if the policy returns bare `false`', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationMessage('Explicit message.')
+                ->authorizationNotification();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+            expect($action->getAuthorizationResponseWithMessage()->message())->toBe('Explicit message.');
+        });
+
+        it('is a no-op when `condition: false` is passed', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationNotification(false);
+
+            expect($action->hasAuthorizationNotification())->toBeFalse();
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('stays hidden when `visible(false)` is also set', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny('Has a message.'))
+                ->authorizationNotification()
+                ->visible(false);
+
+            expect($action->isVisible())->toBeFalse();
+        });
+    });
+
+    describe('with `authorizationTooltip()`', function (): void {
+        it('shows the action when the user is allowed', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::allow())
+                ->authorizationTooltip();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+        });
+
+        it('shows the action with the deny message as a tooltip when denied with a message', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny('You cannot do that.'))
+                ->authorizationTooltip();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+            expect($action->hasAuthorizationTooltip())->toBeTrue();
+            expect($action->getTooltip())->toBe('You cannot do that.');
+        });
+
+        it('hides the action when denied with `Response::deny()` and no message', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny())
+                ->authorizationTooltip();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('hides the action when the policy returns bare `false`', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationTooltip();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('shows the action when `authorizationMessage()` is set even if the policy returns bare `false`', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationMessage('Explicit message.')
+                ->authorizationTooltip();
+
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeTrue();
+            expect($action->isVisible())->toBeTrue();
+            expect($action->getTooltip())->toBe('Explicit message.');
+        });
+
+        it('is a no-op when `condition: false` is passed', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): bool => false)
+                ->authorizationTooltip(false);
+
+            expect($action->hasAuthorizationTooltip())->toBeFalse();
+            expect($action->isAuthorizedOrNotHiddenWhenUnauthorized())->toBeFalse();
+            expect($action->isVisible())->toBeFalse();
+        });
+
+        it('stays hidden when `visible(false)` is also set', function (): void {
+            $action = Action::make('test')
+                ->authorize(fn (): Response => Response::deny('Has a message.'))
+                ->authorizationTooltip()
+                ->visible(false);
+
+            expect($action->isVisible())->toBeFalse();
+        });
+    });
+});

Original file line number	Diff line number	Diff line change
`@@ -205,15 +205,17 @@ public function hasAuthorizationNotification(): bool`
`205`	`205`
`206`	`206`	`public function isAuthorizedOrNotHiddenWhenUnauthorized(): bool`
`207`	`207`	`{`
`208`		`- if ($this->hasAuthorizationTooltip()) {`
`209`		`- return true;`
	`208`	`+ if (! $this->hasAuthorizationTooltip() && ! $this->hasAuthorizationNotification()) {`
	`209`	`+ return $this->isAuthorized();`
`210`	`210`	`}`
`211`	`211`
`212`		`- if ($this->hasAuthorizationNotification()) {`
	`212`	`+ $response = $this->getAuthorizationResponse();`
	`213`	`+`
	`214`	`+ if ($response->allowed()) {`
`213`	`215`	`return true;`
`214`	`216`	`}`
`215`	`217`
`216`		`- return $this->isAuthorized();`
	`218`	`+ return filled($response->message()) \|\| filled($this->getAuthorizationMessage());`
`217`	`219`	`}`
`218`	`220`
`219`	`221`	`public function authorizeIndividualRecords(bool \| string \| Closure \| null $callback = true): static`