@GautierDele GautierDele commented Sep 18, 2025

Summary by CodeRabbit

  • Documentation
    • Added a section on policy messages in gates.
    • Describes enabling gate messages via a configuration flag and notes the resulting format change.
    • Includes an example policy returning allow/deny with a message.
    • Shows a sample response where a denied gate includes a message field.
    • No functional or public API changes.


coderabbitai bot commented Sep 18, 2025

Warning

Rate limit exceeded

@GautierDele has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 12 minutes and 5 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between f53afcd and 7503181.

📒 Files selected for processing (1)
  • content/4.digging-deeper/3.gates.md (1 hunks)

Walkthrough

Added a documentation section explaining policy-based messages in gates, how to enable them via rest.gates.message.enabled, an example PHP policy returning Illuminate\Auth\Access\Response, and an example of resulting JSON with message on denial. No code or API changes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docs: Gates policy messages (content/4.digging-deeper/3.gates.md) | Added section “Policy message in gates” detailing configuration flag, PHP policy example using Illuminate\Auth\Access\Response, and JSON output showing message on denied gates. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "Gating with custom message" succinctly and accurately reflects the primary change in this PR—adding documentation for enabling policy-based messages in gates, including examples and the resulting gating JSON—making it concise and clear for teammates scanning history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@GautierDele GautierDele changed the title from "Update 3.gates.md" to "Gating with custom message" Sep 18, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
content/4.digging-deeper/3.gates.md (3)

42-46: Clarify wording + note breaking payload shape change

Tighten grammar and make the compatibility warning explicit.

-## Policy message in gates
-
-You are able to get policies message if you want to be more explicit about why the policy is not passing, you first need to set the 
-config `rest.gates.message.enabled` to true. Be aware that this will change the gates format
+## Policy messages in gates
+
+To surface policy messages explaining authorization failures, first set the config `rest.gates.message.enabled` to `true`.
+Enabling this changes the `gates` payload shape returned by the `search` endpoint and may require frontend updates.
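Review bot: The added warning at `+Enabling this changes the gates payload shape ...` covers frontend breakage only and never says what the new shape is. Name it in the sentence (each gate entry becomes an object with `allowed` and `message`, as in the sample response further down), and add one sentence that the policy's denial text is sent to the API client once the flag is on, so readers decide on the flag with that in view.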

47-63: Policy example: improve phrasing + i18n; add security tip

Suggest clearer phrasing and a translatable message. Also add a caution about leaking sensitive details; recommend denyAsNotFound when appropriate.

-In your policy you need to return a policy message:
+In your policy, return an authorization `Response`:
@@
-        : Response::deny('You do not own this post.');
+        : Response::deny(__('You do not own this post.'));
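Review bot: At `+        : Response::deny(__('You do not own this post.'));` the message becomes locale-dependent once it is wrapped in `__()`, while the sample response in the same section still shows the fixed English string as `message`. The docs should state that clients branch on `allowed` and treat `message` as display text only, otherwise a consumer that matches on the string breaks as soon as a translation is added.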

Consider adding after the code block:

Tip: If revealing the reason could leak sensitive information (e.g., resource existence), prefer `Response::denyAsNotFound()`.

74-77: Document key naming convention for gate entries

Clarify whether gate keys are snake_case (authorized_to_update) or follow another convention, and how they’re derived (policy method name vs. ability name). This helps frontend consumers generate selectors consistently.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c190b3f and f53afcd.

📒 Files selected for processing (1)
  • content/4.digging-deeper/3.gates.md (1 hunks)

Comment on lines 65 to 82
and this will result in the change of the `search` gating format:

```json
{
  "data": [
    {
      "id": 1,
      "name": "Lou West",
      "gates": {
        "authorized_to_update": {
          "allowed": false,
          "message": "You do not own this post."
        }
      }
    }
  ]
}
```
⚠️ Potential issue

Show before/after schema to prevent client breakage

Make the payload change concrete with a minimal “Before” example and label the current one as “After”.

-and this will result in the change of the `search` gating format:
+This changes the `search` gates payload.
+
+Before (default):
+```json
+{
+  "data": [
+    {
+      "gates": {
+        "authorized_to_update": true
+      }
+    }
+  ]
+}
+```
+
+After (with messages enabled):
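Review bot: The "Before" block drops the `id` and `name` fields that the existing "After" example carries, so the two payloads differ in more than the gate value. Keep the same record in both blocks and change only `authorized_to_update`, so the schema change is the single visible difference. The `+Before (default):` label also runs straight into the `+```json` fence, while the section's existing block has a blank line before its fence.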
🤖 Prompt for AI Agents
In content/4.digging-deeper/3.gates.md around lines 65 to 82, the example only
shows the new payload and the reviewer asked for an explicit "Before" and
"After" to prevent client breakage; add a minimal labeled "Before" JSON example
demonstrating the previous simple boolean gate shape, then label the existing
example as "After (with messages enabled)" showing the new object-with-message
shape, and ensure both examples are wrapped in code blocks and placed
consecutively so readers can clearly compare the schema change.
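
The payload change discussed in this review, handled on the consuming side, as an added example that is not part of the PR or the project's code. A JavaScript object is truthy, so a client that tested the old boolean gate with a truthiness check would read a denied gate in the new shape as allowed; the normalizer below accepts both shapes shown in the thread and fails closed on anything else. The function names and sample records are assumptions constructed for illustration.

```javascript
// Added example. Function names are hypothetical; the two gate shapes are
// the ones shown in this thread.

// Normalize one gate value to { allowed, message }.
function normalizeGate(value) {
  // Boolean shape (messages disabled).
  if (typeof value === 'boolean') {
    return { allowed: value, message: null };
  }
  // Object shape (messages enabled): { allowed: boolean, message: string }.
  if (value !== null && typeof value === 'object' && typeof value.allowed === 'boolean') {
    const message = typeof value.message === 'string' ? value.message : null;
    return { allowed: value.allowed, message };
  }
  // Missing, malformed or unexpected type: fail closed.
  return { allowed: false, message: null };
}

// Normalize a record's whole `gates` map. A null-prototype object keeps keys
// such as "__proto__" from JSON input as plain data.
function normalizeGates(gates) {
  const out = Object.create(null);
  if (gates === null || typeof gates !== 'object' || Array.isArray(gates)) {
    return out;
  }
  for (const [name, value] of Object.entries(gates)) {
    out[name] = normalizeGate(value);
  }
  return out;
}

// Decide on `allowed` only; `message` is display text and may be localized.
function can(record, gateName) {
  const gates = normalizeGates(record && record.gates);
  return gateName in gates && gates[gateName].allowed === true;
}

// Constructed sample records using the two shapes from the thread.
const beforeRecord = { gates: { authorized_to_update: true } };
const afterRecord = {
  id: 1,
  name: 'Lou West',
  gates: {
    authorized_to_update: { allowed: false, message: 'You do not own this post.' },
  },
};
```
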

@GautierDele GautierDele merged commit 34a9e09 into main Sep 18, 2025
2 checks passed
@GautierDele GautierDele deleted the feature/automatic-gating-with-custom-message branch September 18, 2025 21:15