Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/35019292/

Time: 2020-09-14 13:06:43  Source: igfitidea

Laravel: Difference Between Route Middleware and Policy

Tags: php, laravel, middleware, policy

Asked by James Okpe George

I am developing an app with Laravel, and I realised that what can be done with Policy can exactly be done with Middleware. Say I want to prevent a user from updating a route if he/she is not the owner of the information, I can easily check from the route and can do the same from the policy.

So my question is: why should I use policy over middleware, and vice versa?

Answered by GeraldBiggs

I'm currently going through a small refactor with my roles, permissions and routes and asked myself the same question.

At the surface level, it appears true middleware and policies perform the same general idea. Check if a user can do what they are doing.

For reference here's the laravel docs...

Middleware: "May I see this? May I go here?"

HTTP middleware provide a convenient mechanism for filtering HTTP requests entering your application. For example, Laravel includes a middleware that verifies the user of your application is authenticated. If the user is not authenticated, the middleware will redirect the user to the login screen. However, if the user is authenticated, the middleware will allow the request to proceed further into the application.

Of course, additional middleware can be written to perform a variety of tasks besides authentication. A CORS middleware might be responsible for adding the proper headers to all responses leaving your application. A logging middleware might log all incoming requests to your application.

https://laravel.com/docs/master/middleware#introduction

In my reading, Middleware is about operating at the request level. In the terms of "Can this user see a page?", or "Can this user do something here?"

If so, it goes to the controller method associated with that page. Interestingly enough, Middleware may say, "Yes you may go there, but I'll write down that you are going." Etc.

Once it's done, it has no more control or say in what the user is doing. Another way I think of it is as the middleperson.

Policies: "Can I do this? Can I change this?"

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic, and we'll cover each of them in this document.

https://laravel.com/docs/master/authorization#introduction

Policies however, appear to be more concerned with doing. Can the user update any entry, or only theirs?

These questions seem fit for a controller method where all the calls to action on a resource are organized. Retrieve this object, store or update the article.

As tjbp mentioned, middleware can make routes very messy and hard to manage. This is an example from my routes file:

The problem

    Route::group(['middleware' =>'role:person_type,person_type2',], function () {
        Route::get('download-thing/{thing}', [
             'as' => 'download-thing', 
             'uses' => 'ThingController@download'
        ]);
    }); 

This gets very hard to read in my route file!

Another approach with policies

    //ThingController
    public function download(Thing $thing)
    {
        //Policy method and controller method match, no need to name it
        $this->authorize($thing);

        //download logic here....
    }

Answered by tjbp

Route middleware allows you to apply request handling to a large range of routes, instead of repeating the code in every controller action - checking authentication and redirecting guests is a good example. Controllers instead contain logic unique to specific routes/actions - you could use middleware for this, but you'd need separate middleware for every route's logic and it would all get very messy.

Policies/abilities are simply a way of checking user permissions - you can query them from a controller, or from middleware, or anywhere else. They only return true or false, so they aren't equivalent to controllers or middleware. Most of the time abilities will be comparing a user to another model, which will have been loaded based on an identifier sent to a controller action, but there are probably some applications for use with middleware too.
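
The point made in the answers above, as an added example that is not part of either answer: one ownership policy queried both from a controller action and from route middleware. The `App\Models\Thing` and `App\Models\User` models, the `user_id` and `path` columns, and the `download` ability name are assumptions made for illustration.

```php
<?php
// Added example, not from the original answers. Assumed names: App\Models\Thing
// with user_id and path columns, App\Models\User, and a "download" ability.

namespace App\Policies {
    use App\Models\Thing;
    use App\Models\User;
    class ThingPolicy
    {
        // Object-level rule: only the owner of this Thing may download it.
        public function download(User $user, Thing $thing): bool
        {
            return $user->id === $thing->user_id;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Thing;
    use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
    use Illuminate\Routing\Controller;
    class ThingController extends Controller
    {
        use AuthorizesRequests;
        public function download(Thing $thing)
        {
            // Query the policy from the controller action; a denial throws
            // an AuthorizationException, which Laravel renders as HTTP 403.
            $this->authorize('download', $thing);
            return response()->download($thing->path);
        }
    }
}

namespace {
    use App\Http\Controllers\ThingController;
    use App\Models\Thing;
    use App\Policies\ThingPolicy;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Support\Facades\Route;

    // Normally placed in a service provider's boot() method.
    Gate::policy(Thing::class, ThingPolicy::class);

    // "auth" is the request-level check ("may I go here?"); "can:download,thing"
    // asks the same policy about the model bound to {thing} before the controller runs.
    Route::get('download-thing/{thing}', [ThingController::class, 'download'])
        ->name('download-thing')
        ->middleware(['auth', 'can:download,thing']);
}
```

Either the `can` middleware or the `authorize()` call is enough on its own; both are shown only to illustrate that the same policy method answers the question wherever it is asked.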