PHP/Laravel - Extending authorizeResource to handle custom methods

I have a resource controller named `StreamController.php` that uses a policy named `StreamPolicy.php`.

In my controller, I have:

    //StreamController.php
    /**
     * Construct method.
     */
    public function __construct()
    {
        $this->middleware('auth');
        $this->authorizeResource(Stream::class, 'stream');
    }
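
With the above, all RESTful endpoints are successfully "protected" by the policy.

However, I have added a new method to my controller, called `documents()`, like so:

    //web.php
    Route::get('streams/{stream}/documents', 'StreamController@documents');

Now the problem is that if I visit the URL:

`example.com/streams/1` and I am not the owner of the stream, I get a 403 page, but if I go to `example.com/streams/1/documents` and I am not the owner of the stream, I can still access the page.

What am I doing wrong? How can I make my policy also cover the `documents()` method in my controller?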

Edit:

This is my `StreamPolicy.php` file:

    //StreamPolicy.php
    namespace App\Policies;

    use App\User;
    use App\Stream;
    use Illuminate\Auth\Access\HandlesAuthorization;

    class StreamPolicy
    {
        use HandlesAuthorization;

        /**
         * Determine whether the user can view the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function view(User $user, Stream $stream)
        {
            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can create streams.
         *
         * @param  \App\User  $user
         * @return mixed
         */
        public function create(User $user)
        {
            //
            return true;
        }

        /**
         * Determine whether the user can update the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function update(User $user, Stream $stream)
        {
            //

            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can delete the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function delete(User $user, Stream $stream)
        {
            //

            return $user->id == $stream->user_id;
        }

        /**
         * Determine whether the user can restore the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function restore(User $user, Stream $stream)
        {
            //
        }

        /**
         * Determine whether the user can permanently delete the stream.
         *
         * @param  \App\User  $user
         * @param  \App\Stream  $stream
         * @return mixed
         */
        public function forceDelete(User $user, Stream $stream)
        {
            //
        }
    }

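I don't know why it's not working, but I'm afraid the `authorizeResource` method only handles the routes for the well-known resource endpoints: view, create, update, delete and restore.

Later edit: take a look at the docs to see which actions are handled by the resource controller.

What you should do is explicitly set the authorization for the new route:

    Route::get('streams/{stream}/documents', 'StreamController@documents')->middleware('can:documents,stream');

Of course, the `documents` method should exist in the `StreamPolicy` class.

To authorize inside the `StreamController.documents` method:

    public function documents(Stream $stream)
    {
        $this->authorize('documents', $stream);

        return view('streams.documents', compact('stream'));
    }

Controller.php uses the `AuthorizesRequests` trait, which defines the following two methods: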

    trait AuthorizesRequests
    {
        /**
         * Get the map of resource methods to ability names.
         *
         * @return array
         */
        protected function resourceAbilityMap()
        {
            return [
                'show' => 'view',
                'create' => 'create',
                'store' => 'create',
                'edit' => 'update',
                'update' => 'update',
                'destroy' => 'delete',
            ];
        }

        /**
         * Get the list of resource methods which do not have model parameters.
         *
         * @return array
         */
        protected function resourceMethodsWithoutModels()
        {
            return ['index', 'create', 'store'];
        }
    }

Every controller can override these two protected methods, because every controller extends Controller.php.

    class UserController extends Controller
    {
        public function __construct()
        {
            $this->authorizeResource(User::class, 'user');
        }

        /**
         * Get the map of resource methods to ability names.
         *
         * @return array
         */
        protected function resourceAbilityMap()
        {
            return [
                'show' => 'view',
                'create' => 'create',
                'store' => 'create',
                'edit' => 'update',
                'update' => 'update',
                'destroy' => 'delete',
                'customMethod' => 'customMethod',
                'customMethodWithoutModel' => 'customMethodWithoutModel',
            ];
        }

        /**
         * Get the list of resource methods which do not have model parameters.
         *
         * @return array
         */
        protected function resourceMethodsWithoutModels()
        {
            return ['index', 'create', 'store', 'customMethodWithoutModel'];
        }
    }

Its policy class:

    class UserPolicy
    {
        /**
         * Determine whether the user can custom method.
         *
         * @param  \App\User $user
         * @param  \App\User $model
         * @return mixed
         */
        public function customMethod(User $user, User $model)
        {
            return true;
        }

        /**
         * Determine whether the user can custom method without model.
         *
         * @param  \App\User $user
         * @return mixed
         */
        public function customMethodWithoutModel(User $user)
        {
            return true;
        }
    }
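
The gap described in the question and the answers above, as an added example that is not part of the original posts and is not Laravel's own code: a standalone PHP model (no framework needed) of how the ability map turns into per-action `can:` middleware, plus a reflection check that lists controller actions left without any policy middleware. `StreamControllerStub`, `plannedMiddleware` and `uncoveredActions` are hypothetical names, and the stub controller is constructed for the illustration.

```php
<?php
// Added example: standalone model, runs without Laravel.

// Ability map and model-less methods as quoted on this page.
const ABILITY_MAP = [
    'show' => 'view', 'create' => 'create', 'store' => 'create',
    'edit' => 'update', 'update' => 'update', 'destroy' => 'delete',
];
const WITHOUT_MODELS = ['index', 'create', 'store'];

// Constructed stub standing in for the question's controller.
class StreamControllerStub
{
    public function __construct() {}
    public function show() {}
    public function update() {}
    public function documents() {}
    protected function helper() {}
}

// One "can:ability,target" middleware per mapped action; an action
// that is absent from the map gets no entry and so no policy check.
function plannedMiddleware(array $map, array $withoutModels, string $model, string $param): array
{
    $plan = [];
    foreach ($map as $method => $ability) {
        $target = in_array($method, $withoutModels, true) ? $model : $param;
        $plan[$method] = "can:{$ability},{$target}";
    }
    return $plan;
}

// Public, non-magic methods declared on the controller with no planned middleware.
function uncoveredActions(string $controller, array $plan): array
{
    $uncovered = [];
    foreach ((new ReflectionClass($controller))->getMethods(ReflectionMethod::IS_PUBLIC) as $m) {
        if ($m->class === $controller && strncmp($m->name, '__', 2) !== 0 && !isset($plan[$m->name])) {
            $uncovered[] = $m->name;
        }
    }
    return $uncovered;
}

$plan = plannedMiddleware(ABILITY_MAP, WITHOUT_MODELS, 'App\Stream', 'stream');
echo 'default map: ', implode(', ', uncoveredActions(StreamControllerStub::class, $plan)), PHP_EOL;

$plan['documents'] = 'can:documents,stream'; // the fix: map or guard the custom action
echo 'extended map: ', implode(', ', uncoveredActions(StreamControllerStub::class, $plan)), PHP_EOL;
```

A check of this shape only covers the map-based mechanism; an action guarded by `$this->authorize(...)` inside its body or by route-level `can:` middleware, as in the first answer, would still be listed and has to be reviewed by hand.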

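Could you please try `Route::get('streams/{stream}/documents','StreamPolicy','StreamController@documents');`

That gives me: Invalid route action: [App\Http\Controllers\StreamPolicy]

OK.. then.. another way is to check whether StreamPolicy has a `documents` method, which actually calls the `read` method in the policy.

I don't see any `read` method in the policy. However, I tried adding a `documents` method to StreamPolicy. But that didn't change anything.

What version of Laravel do you have?

How can I pass extra parameters to a custom policy method?

You can't pass extra parameters to custom policy methods, because they are injected by the framework. The first one is the authenticated user, i.e. `User $user`, and the second is the resolved model for the resource route, i.e. `User $user`. You need to create a service, or add them to the current request and access them via the request helper function. If you need to access a nested resource route, access the resolved model via `request()->route('model_param_name')`, e.g. `request()->route('post')`.

This answer should be accepted, as it follows Laravel standards.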