Courtesy ATF and CNN

First, credit where it’s due. CNN’s Scott Glover has managed to turn out an excellent article about a fairly arcane aspect of guns and firearms law while getting the details right. That’s a notable feat for legacy media these days. Read the whole thing here.

With that out of the way, the criminal prosecution — aborted though it was — that Glover has written about is worthy of note and could make the ATF’s job of regulating AR-15 sales going forward extremely difficult. CNN’s article is titled, He sold illegal AR-15s. Feds agreed to let him go free to avoid hurting gun control efforts.

Here are the particulars. A Southern California man named Joseph Roh produced 80% AR-15 lowers and complete rifles, some of which he allegedly sold without a manufacturer’s license, and some allegedly to prohibited persons. At least a few of the guns he sold were used in crimes including an 80% lower that was used as the basis for a rifle build used in a 2013 spree shooting in Santa Monica.

The ATF had been watching Roh for years and mounted a sting operation against him in 2014. They sent undercover agents into his south LA machine shop where he was holding what were basically “build parties” where customers finished lowers and assembled completed rifles.

Roh was eventually arrested and charged with running an unlicensed firearms manufacturing operation. But none of that is the interesting part of the story.

The aspect that’s worthy of your attention — and is no doubt giving the ATF nightmares — is the argument that Roh’s attorney made in successfully defending his client.

As you probably know, the only part of an AR-15 that’s legally considered a firearm is the lower receiver. That’s the part that’s serialized and requires a background check to purchase (unless you buy an 80% lower and finish it yourself, but that’s another story).

Joseph Roh was smart enough to hire a good attorney, Gregory Nicolaysen. Nicolaysen did his homework and actually read the federal statue that lays out what constitutes — legally speaking — a firearm. When Roh’s case came to trial in 2018 . . .

Nicolaysen argued that the definition of a receiver under the relevant federal code differed in various ways from the AR-15 component Roh was accused of manufacturing.

Under the US Code of Federal Regulations, a firearm frame or receiver is defined as: “That part of a firearm which provides housing for the hammer, bolt or breechblock, and firing mechanism, and which is usually threaded at its forward portion to receive the barrel.” (emphasis added)

The lower receiver in Roh’s case does not have a bolt or breechblock and is not threaded to receive the barrel, Nicolaysen noted.

And neither does any other AR-15 lower receiver. Where most firearms have a monolithic receiver that meets the definition under federal law, an AR has a split receiver, an upper and a lower. Neither component, strictly speaking, meets the definition of a frame or receiver that is explicitly laid out in the law.

In effect, Nicolaysen argued that the ATF’s interpretation of federal law that they’ve been using to deem AR-15 lowers as legal firearms is wrong…and has been since, well, forever.

(Nicolaysen) called the decision to classify it as a firearm nonetheless, the result of “secret, in-house decision-making.”

Nicolaysen accused the ATF of abusing its authority by pursuing Roh based on his alleged violation of a policy “that masquerades as law.”

Roh’s case was heard in a bench trial (at his option) in which only the judge hears the evidence and renders a verdict. US District Court Judge James V. Selna deliberated for a year and then wrote a tentative order in April.

Selna agreed with Roh’s argument that the ATF’s definition of an AR-15 lower as a firearm is faulty.

That, no doubt, set off alarm bells from LA to DC. If the ruling were allowed to stand, that would set a very inconvenient precedent, one that would make AR-15 lowers like any other part of an AR platform rifle…just another gun part that could be made and sold through the mail to just about anyone. No serial number or background check needed.

The ATF couldn’t let that stand, so prosecutors reached a plea deal with Roh.

Selna did find that Roh was guilty of selling completed firearms without a license, subjecting him to a possible prison sentence.

Following Selna’s tentative order, the prosecution and defense agreed to a deal in which Roh would plead guilty to the charge against him, but would be allowed to withdraw that plea if he stayed out of trouble for a year. Prosecutors would then dismiss the case. If Roh abides by the deal, he will have no criminal conviction and serve no time behind bars.

You can read the court’s findings in the Jimenez case here (PDF) sent to us by an attorney friend of TTAG. Note in particular the areas highlighted in yellow.

So the government has known that the ATF is using a faulty interpretation of federal law to regulate the sale of AR-15 lowers for decades now. And the deal they cut in the Roh prosecution doesn’t change that in the slightest.

Laravel released v6.2 yesterday with a new password confirmation feature that enables you to require a logged-in user to re-enter their password before being allowed access to a route.

This functionality works like the GitHub confirmation screen when you perform sensitive actions. Setting it up is a breeze in Laravel, so let’s take the new feature for a spin so you can see how it works:

Setup

First, let’s create a new Laravel application to work with so you can visualize how this new feature works:

laravel new confirm-app cd confirm-app composer require laravel/ui --dev 

If you remember, the make:auth command was removed in Laravel 6 and moved to the laravel/ui first-party package. Let’s generate the authorization code for our app:

php artisan ui vue --auth yarn install yarn dev 

Next, let’s configure an SQLite database (feel free to use whatever driver you want):

touch database/database.sqlite 

We’ve created the file that Laravel will look for by default when using the sqlite driver, but you’ll either need to update the .env file with the correct connection and database path:

DB_CONNECTION=sqlite # ... # Use the default path of the sqlite driver # DB_DATABASE=laravel 

Next, let’s run migrations and then create a test user:

php artisan migrate 

We can create a test user with the console via the factory() :

php artisan tinker >>> $user = factory(App\User::class)->create([ ... 'password' => bcrypt('secret'), ... 'email' => 'admin@example.com' ... ]); 

Writing the Controllers

Let’s say that you wanted users to re-authenticate their password before viewing an administration action like adding an SSH key. We would want the user to re-enter their password within the configured window (the default is 3 hours).

We’ll create a fake /settings/ssh/create route where we’ll require the new password.confirm middleware before the user can create a new key:

php artisan make:controller Settings/SSHController 

Next, create the controller action create():

namespace App\Http\Controllers\Settings; use App\Http\Controllers\Controller; use Illuminate\Http\Request; class SSHController extends Controller { public function create() { return view('secret'); } } 

We’ll stub out the secret template, which we put in the root of the views path resources/views/secret.blade.php:

@extends('layouts.app') @section('content') <div class="container"> <div class="row justify-content-center"> <div class="col-md-8"> <h1>Add a New SSH Key</h1> <p>This page is only shown after password confirmation.</p> </div> </div> </div> @endsection 

At the time of writing, you need to copy the auth/passwords/confirm.blade.php file to your project. You can get the stub here: ui/confirm.stub. Copy this file and add it to your project in the following path:

resources/views/auth/passwords/confirm.blade.php 

Next, we need to define the route, along with the middleware we’ll need for this at the end of the routes/web.php file:

Route::namespace('Settings') ->middleware(['auth']) ->group(function () { Route::get('/settings/ssh/create', 'SSHController@create')->middleware('password.confirm'); }); 

Note: typically, you might group all routes requiring authentication auth routes. For this demo, we’re creating one controller route in the Settings namespace using

With that in place, once you log in, you’ll be redirected to /home. From there, navigate to /settings/ssh/create, and then you’re prompted for your password:

If you followed along with this tutorial, enter secret, submit the form, and then you will be taken to the create view. You can refresh this page without being prompted after confirming the password.

Using the new ddd() Helper, add this to your SSHController::create() method to visualize the auth.password_confirmed_at session value that determines the next time you’ll be prompted:

public function create() { ddd(session('auth')); return view('secret'); } 

This value was the timestamp when the password was last confirmed. By default, the middleware will not re-prompt for three hours. You can control how long before the user should confirm the password again with the config('auth.password_timeout') value located in config/auth.php as of Release v6.2.0.

Learn More

First of all, thanks Dries Vints for this wonderful new feature! Check out Pull Request #5129 for the implementation details. Any new Laravel applications created with Laravel 6.2 include this new middleware!

Filed in: News