Laravel 4 Laravel 4多用户安全和身份验证
我正在开发一个多用户web应用程序。我担心的是安全问题,我想知道这是否是一种安全的方式来整合它 我在Laravel 4 Laravel 4多用户安全和身份验证,laravel-4,authentication,multi-user,Laravel 4,Authentication,Multi User,我正在开发一个多用户web应用程序。我担心的是安全问题,我想知道这是否是一种安全的方式来整合它 我在filters.php中完成了以下三个新的过滤器 Route::filter('auth', function() { if (Auth::guest()) { if (Request::ajax()) { return Response::make('Unauthorized', 401); }
filters.php
中完成了以下三个新的过滤器
Route::filter('auth', function()
{
if (Auth::guest())
{
if (Request::ajax())
{
return Response::make('Unauthorized', 401);
}
else
{
return Redirect::guest('login');
}
}
});
Route::filter('user', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 2){
return Redirect::route('/users/users');
}
}
});
Route::filter('admin', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 1){
return Redirect::route('/admin/admin');
}
}
});
Route::filter('business', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 1){
return Redirect::route('/business/business');
}
}
});
在routes.php
中,我添加了以下内容:
Route::group(array('before' => 'admin'), function(){
Route::resource('user', 'UserController');
Route::get('user/dashboard', array(
'as' =>'user-dashboard',
'uses' => 'UserController@show'
));
// Route::group(array('before' => 'user'), function(){
Route::get('admin/dashboard', array(
'as' =>'admin-dashboard',
'uses' => 'AdminController@getAdmin'
));
// });
Route::group(array('before' => 'business'), function(){
Route::get('business/dashboard', array(
'as' =>'business-dashboard',
'uses' => 'BusinessController@getBusiness'
));
});
public function show($id){
$user = User::find($id);
return View::make('admin.show')
->with('title', 'admin dashboard')
->with('user', $user);
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<div class="container">
<h1>{{ $user->email }}</h1>
@else
<p> you are not signed in</p>
@endif
@else
<?php return Redirect::route('login') ?>
@endif
@stop
public function show(){
return View::make('users.index')
->with('title', 'dashboard');
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@else
<div class="container">
<h3>your are not signed in</h3>
</div>
@endif
@else
<?php return Redirect::route('login')->with('global', 'your not allowed here') ?>
@endif
@stop
在AdminController.php
中,我添加了以下内容:
Route::group(array('before' => 'admin'), function(){
Route::resource('user', 'UserController');
Route::get('user/dashboard', array(
'as' =>'user-dashboard',
'uses' => 'UserController@show'
));
// Route::group(array('before' => 'user'), function(){
Route::get('admin/dashboard', array(
'as' =>'admin-dashboard',
'uses' => 'AdminController@getAdmin'
));
// });
Route::group(array('before' => 'business'), function(){
Route::get('business/dashboard', array(
'as' =>'business-dashboard',
'uses' => 'BusinessController@getBusiness'
));
});
public function show($id){
$user = User::find($id);
return View::make('admin.show')
->with('title', 'admin dashboard')
->with('user', $user);
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<div class="container">
<h1>{{ $user->email }}</h1>
@else
<p> you are not signed in</p>
@endif
@else
<?php return Redirect::route('login') ?>
@endif
@stop
public function show(){
return View::make('users.index')
->with('title', 'dashboard');
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@else
<div class="container">
<h3>your are not signed in</h3>
</div>
@endif
@else
<?php return Redirect::route('login')->with('global', 'your not allowed here') ?>
@endif
@stop
在admin/show.blade.php
文件中,我添加了以下内容:
Route::group(array('before' => 'admin'), function(){
Route::resource('user', 'UserController');
Route::get('user/dashboard', array(
'as' =>'user-dashboard',
'uses' => 'UserController@show'
));
// Route::group(array('before' => 'user'), function(){
Route::get('admin/dashboard', array(
'as' =>'admin-dashboard',
'uses' => 'AdminController@getAdmin'
));
// });
Route::group(array('before' => 'business'), function(){
Route::get('business/dashboard', array(
'as' =>'business-dashboard',
'uses' => 'BusinessController@getBusiness'
));
});
public function show($id){
$user = User::find($id);
return View::make('admin.show')
->with('title', 'admin dashboard')
->with('user', $user);
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<div class="container">
<h1>{{ $user->email }}</h1>
@else
<p> you are not signed in</p>
@endif
@else
<?php return Redirect::route('login') ?>
@endif
@stop
public function show(){
return View::make('users.index')
->with('title', 'dashboard');
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@else
<div class="container">
<h3>your are not signed in</h3>
</div>
@endif
@else
<?php return Redirect::route('login')->with('global', 'your not allowed here') ?>
@endif
@stop
在users/index.blade.php
中,我添加了以下内容:
Route::group(array('before' => 'admin'), function(){
Route::resource('user', 'UserController');
Route::get('user/dashboard', array(
'as' =>'user-dashboard',
'uses' => 'UserController@show'
));
// Route::group(array('before' => 'user'), function(){
Route::get('admin/dashboard', array(
'as' =>'admin-dashboard',
'uses' => 'AdminController@getAdmin'
));
// });
Route::group(array('before' => 'business'), function(){
Route::get('business/dashboard', array(
'as' =>'business-dashboard',
'uses' => 'BusinessController@getBusiness'
));
});
public function show($id){
$user = User::find($id);
return View::make('admin.show')
->with('title', 'admin dashboard')
->with('user', $user);
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<div class="container">
<h1>{{ $user->email }}</h1>
@else
<p> you are not signed in</p>
@endif
@else
<?php return Redirect::route('login') ?>
@endif
@stop
public function show(){
return View::make('users.index')
->with('title', 'dashboard');
}
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@else
<div class="container">
<h3>your are not signed in</h3>
</div>
@endif
@else
<?php return Redirect::route('login')->with('global', 'your not allowed here') ?>
@endif
@stop
@extends('layouts.default'))
@节(“内容”)
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@否则
您的帐户尚未登录
@恩迪夫
@否则
@恩迪夫
@停止
业务角色也是这样做的
在管理员的查看文件中:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<h2>welcome {{ Auth::user()->email }}, you are logged in as an administrator </h2>
@else
<p> you are not signed in</p>
@endif
@else
<p><?php return Redirect::route('login')->with('global', 'your not allowed here') ?></p>
@endif
@stop
@extends('layouts.default'))
@节(“内容”)
@if(Auth::check())
@if(Auth::user()->role==1)
欢迎{{Auth::user()->email},您以管理员身份登录
@否则
您尚未登录
@恩迪夫
@否则
@恩迪夫
@停止
对于用户:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
<h2>welcome {{ Auth::user()->email }}, you are logged in as an user </h2>
@else
<p> you are not signed in</p>
@endif
@else
<p><?php return Redirect::route('login')->with('global', 'your not allowed here') ?></p>
@endif
@stop
@extends('layouts.default'))
@节(“内容”)
@if(Auth::check())
@if(Auth::user()->role==2)
欢迎{{Auth::user()->email},您已以用户身份登录
@否则
您尚未登录
@恩迪夫
@否则
@恩迪夫
@停止
首先,您不需要在每个筛选器中检查Auth::guest()
,而是将现有的Auth
筛选器与其他筛选器结合使用,如下所示:
Route::group(array('before' => 'auth|admin'), function() {});
或者使用此备用数组语法:
Route::group(array('before' => array('auth', 'admin')), function() {});
我不确定围绕管理/仪表板
的路由组的注释是否是故意的,但是有了注释,该路由没有路由筛选器,因此请记住,您可能需要取消注释
此外,无需在视图中Auth::check()
和返回重定向::路由(“登录”)
身份验证应在控制器中或通过路由过滤器完成,如果用户未登录,甚至不应呈现视图
除此之外,代码的这些部分似乎相当安全,但如果出现问题,请不要责怪我,也不要责怪堆栈交换,如果有疑问,请咨询专业人士。您说的是
Route::group(array('before'=>'auth | admin'),function(){})代码>那么如何区分路由组中哪些视图仅显示给auth,哪些视图仅显示给admin??有什么例子吗?@pathros这不是决定要显示什么视图(这将根据路由决定),只是要求这两个路由筛选器匹配以返回视图,否则返回“unauthorized”。那么,我还能在哪里控制对每种用户类型视图的访问?我不希望管理员看到与其他用户(如business、normal_user等)相同的页面。@pathros为每个组创建单独的路由筛选器,并要求每个路由组使用其中一个。好的。通过阅读你的建议和这篇文章,它现在可以正常工作了