PHP/Laravel - Extending authorizeResource to handle custom methods

Reposted. Author: 行者123. Updated: 2023-12-01 23:27:23

I have a resource controller, StreamController.php, that uses a policy named StreamPolicy.php.

In my controller I have this:

    //StreamController.php
    /**
     * Construct method.
     */
    public function __construct()
    {
        $this->middleware('auth');
        $this->authorizeResource(Stream::class, 'stream');
    }

With the above, all the RESTful endpoints are successfully "protected" by the policy.

However, I have added a new method to my controller, called documents(), like this:

    //web.php
    Route::get('streams/{stream}/documents', 'StreamController@documents');

    //StreamController.php
    /**
     * Display the imported documents of the resource
     *
     * @return \Illuminate\Http\Response
     */
    public function documents(Stream $stream)
    {
        return view('streams.documents', compact('stream'));
    }

The problem now is that if I visit the URL example.com/streams/1 and I am not the owner of the stream, I get a 403 page - but if I go to example.com/streams/1/documents and I am not the owner of the stream, I can still access the page.

What am I doing wrong? How can I make my policy also cover the documents() method in my controller?

Edit:

Here is my StreamPolicy.php file:
    //StreamPolicy.php
    namespace App\Policies;

    use App\User;
    use App\Stream;
    use Illuminate\Auth\Access\HandlesAuthorization;

    class StreamPolicy
    {
        use HandlesAuthorization;

        /**
         * Determine whether the user can view the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function view(User $user, Stream $stream)
        {
            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can create streams.
         *
         * @param  \App\User  $user
         * @return mixed
         */
        public function create(User $user)
        {
            //
            return true;
        }

        /**
         * Determine whether the user can update the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function update(User $user, Stream $stream)
        {
            //

            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can delete the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function delete(User $user, Stream $stream)
        {
            //

            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can restore the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function restore(User $user, Stream $stream)
        {
            //
        }

        /**
         * Determine whether the user can permanently delete the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function forceDelete(User $user, Stream $stream)
        {
            //
        }
    }

Best answer

Controller.php uses the AuthorizesRequests trait, which defines the following two methods:

    trait AuthorizesRequests
    {
        /**
         * Get the map of resource methods to ability names.
         *
         * @return array
         */
        protected function resourceAbilityMap()
        {
            return [
                'show' => 'view',
                'create' => 'create',
                'store' => 'create',
                'edit' => 'update',
                'update' => 'update',
                'destroy' => 'delete',
            ];
        }

        /**
         * Get the list of resource methods which do not have model parameters.
         *
         * @return array
         */
        protected function resourceMethodsWithoutModels()
        {
            return ['index', 'create', 'store'];
        }
    }

You can override these two protected methods on a per-controller basis, since every controller extends Controller.php:

    use App\User;

    class UserController extends Controller
    {
        public function __construct()
        {
            $this->authorizeResource(User::class, 'user');
        }

        /**
         * Get the map of resource methods to ability names.
         *
         * @return array
         */
        protected function resourceAbilityMap()
        {
            return [
                'show' => 'view',
                'create' => 'create',
                'store' => 'create',
                'edit' => 'update',
                'update' => 'update',
                'destroy' => 'delete',
                'customMethod' => 'customMethod',
                'customMethodWithoutModel' => 'customMethodWithoutModel',
            ];
        }

        /**
         * Get the list of resource methods which do not have model parameters.
         *
         * @return array
         */
        protected function resourceMethodsWithoutModels()
        {
            return ['index', 'create', 'store', 'customMethodWithoutModel'];
        }
    }

And its policy class:

    use App\User;

    class UserPolicy
    {
        /**
         * Determine whether the user can run the custom method.
         *
         * @param  \App\User  $user
         * @param  \App\User  $model
         * @return mixed
         */
        public function customMethod(User $user, User $model)
        {
            return true;
        }

        /**
         * Determine whether the user can run the custom method without a model.
         *
         * @param  \App\User  $user
         * @return mixed
         */
        public function customMethodWithoutModel(User $user)
        {
            return true;
        }
    }
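As an added example (not code from the question or the answer), the same override applied to the question's own StreamController, mapping the `documents` action onto the policy's existing `view` ability, together with a feature test that checks a non-owner is refused. It assumes Laravel 5.x model factories for App\User and App\Stream, a `user_id` column on streams, and the route from the question; the two namespaces are two files in a real project.

```php
<?php
// Added example; not from the question or the answer. Assumes Laravel 5.x
// model factories for App\User and App\Stream and the question's route.

namespace App\Http\Controllers {
    use App\Stream;

    class StreamController extends Controller
    {
        public function __construct()
        {
            $this->middleware('auth');
            $this->authorizeResource(Stream::class, 'stream');
        }

        // Reuse the policy's existing `view` ability for the custom action so
        // that authorizeResource registers `can:view,stream` for `documents`.
        protected function resourceAbilityMap()
        {
            return array_merge(parent::resourceAbilityMap(), ['documents' => 'view']);
        }

        public function documents(Stream $stream)
        {
            return view('streams.documents', compact('stream'));
        }
    }
}

namespace Tests\Feature {
    use App\Stream;
    use App\User;
    use Illuminate\Foundation\Testing\RefreshDatabase;
    use Tests\TestCase;

    class StreamDocumentsAuthorizationTest extends TestCase
    {
        use RefreshDatabase;

        public function testOnlyOwnerCanViewDocuments()
        {
            $owner  = factory(User::class)->create();
            $other  = factory(User::class)->create();
            $stream = factory(Stream::class)->create(['user_id' => $owner->id]);

            // Owner passes StreamPolicy::view; any other user must get 403.
            $this->actingAs($owner)->get("/streams/{$stream->id}/documents")->assertStatus(200);
            $this->actingAs($other)->get("/streams/{$stream->id}/documents")->assertStatus(403);
        }
    }
}
```

Without the resourceAbilityMap override the second assertion fails, which is exactly the gap the question describes.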

Regarding "PHP/Laravel - Extending authorizeResource to handle custom methods", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54744588/