How to check authorization before loading Route Model Binding

I ask this question after doing various searches without finding any clarifying information that helps me solve the problem that I am presenting.

I have created a controller with the following command:

php artisan make:controller UserController --api -m User -r -R

Which creates the controller and the FormRequest classes. Inside the controller, let's just focus on the 'update' method, since that's the one I'm having some trouble with.

<?php

namespace App\Http\Controllers;

use App\Http\Requests\StoreUserRequest;
use App\Http\Requests\UpdateUserRequest;
use App\Models\User;

class UserController extends Controller
{
    /**
     * Update the specified resource in storage.
     *
     * @param  \App\Http\Requests\UpdateUserRequest  $request
     * @param  \App\Models\User  $user
     * @return \Illuminate\Http\Response
     */
    public function update(UpdateUserRequest $request, User $user)
    {
        //
    }

    ...

As you can see from the method arguments, this method uses what we call Route Model Binding.

After this, I define my route in the routes file 'api.php' as follows:

<?php

use App\Http\Controllers\UserController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {

    Route::apiResource('user', UserController::class);

});

Which registers all the routes and within them the 'update' route.

In the FormRequest class named 'UpdateUserRequest', which uses the 'update' method in the previously created controller, I define the 'authorize' method to return false on all checks just for testing. The class would look similar to this:

<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class UpdateUserRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return false;
    }
    
    ...

Now, the problem that I am presenting, when I access the route:

http://127.0.0.1:8000/api/user/100?

Using Postman, I make a request to that route with the PUT method and Laravel returns the following error:

{
    "message": "No query results for model [App\\Models\\User] 100"
}

This is because I don't have a user with 'id' 100, I only have 2 users in my database for testing purposes.

My question is this: Isn't Laravel supposed to return an error on this request, telling me that the action is not allowed, since in the 'authorize' method of the FormRequest class 'UpdateUserRequest' I always return false?

I think Laravel is loading the middleware \Illuminate\Routing\Middleware\SubstituteBindings::class before middleware \Illuminate\Contracts\Auth\Middleware\AuthenticatesRequests::class.

I know that in the app/Http/Kernel.php file I can modify the middleware priority, overriding the $middlewarePriority property, but I've tried it and I don't get the expected result.

From my perspective, it doesn't make much sense. Taking the previous example, a user who doesn't have permission to update the User model tries to access the route, and Laravel returns an error saying whether the user with that id exists or not, without first verifying that the user trying to perform the (update) action has permission to perform it.
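
One way to get the authorization failure before any model lookup, shown as an added example that is not part of the original post: drop the `User` type-hint so implicit binding does not run, let `authorize()` decide from the raw route parameter, and load the model afterwards. The owner-only rule and the `name` column are assumptions made for illustration.

```php
<?php
// Added example. In a real project each namespace block is its own file under app/.

namespace App\Http\Requests {

    use Illuminate\Foundation\Http\FormRequest;

    class UpdateUserRequest extends FormRequest
    {
        // Runs when the controller's arguments are resolved. With no model
        // type-hint on the route parameter, nothing has queried the database yet.
        public function authorize(): bool
        {
            // route('user') is still the raw URL segment, so compare it as a string.
            // Assumed policy: users may only update their own record.
            $callerId = $this->user()?->getAuthIdentifier();

            return $callerId !== null
                && (string) $callerId === (string) $this->route('user');
        }

        public function rules(): array
        {
            // Assumed column; adjust to the real schema.
            return ['name' => ['sometimes', 'string', 'max:255']];
        }
    }
}

namespace App\Http\Controllers {

    use App\Http\Requests\UpdateUserRequest;
    use App\Models\User;

    class UserController extends Controller
    {
        // string $user instead of User $user: implicit binding is skipped, so an
        // unauthorized caller gets 403 whether or not the id exists.
        public function update(UpdateUserRequest $request, string $user)
        {
            $model = User::findOrFail($user); // a 404 is now only visible to authorized callers
            $model->update($request->validated());

            return response()->json($model);
        }
    }
}
```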
