laravel 无模型的授权策略
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/33576852/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Authorization Policy without model
提问by Pistachio
I need to authorize users on a forum.
So in blade, I have @can('editPost', $post)before showing the form to reply to a topic. My PostPolicyclass has a editPostmethod that validates to true if it's the users own post.
我需要在论坛上授权用户。所以在blade中,我有@can('editPost', $post)之前显示的表单回复一个话题。我的PostPolicy班级有一个editPost方法,如果它是用户自己的帖子,则验证为真。
However, the issue appears when I want to do a simple check, like deletePost(). This checks to see if Auth::user()->isAdmin
但是,当我想做一个简单的检查时会出现问题,例如deletePost(). 这会检查是否Auth::user()->isAdmin
public function deletePost(User $user) {
return Auth::user()->isAdmin;
// return $user->isAdmin
}
However, this won't even get called, since I'm not passing an instance of Post
但是,这甚至不会被调用,因为我没有传递 Post
My real world application is much more complicated, but I'm using isAdminas a simple example.
我的真实世界应用程序要复杂得多,但我将其isAdmin用作一个简单的示例。
I guess defining $gate->define('deletePost', 'App\Policies\PostPolicy@deletePost');in AuthServiceProvidercould work, but would end up separating my definitions and methods, and ultimately for a large app clutter the AuthServiceProvider
我想定义$gate->define('deletePost', 'App\Policies\PostPolicy@deletePost');inAuthServiceProvider可以工作,但最终会分离我的定义和方法,最终对于大型应用程序混乱AuthServiceProvider
采纳答案by RDelorier
When you register a policy it is the classname that is used to route checks to the class, so in order to get routed to the policy you can just pass the class name of the type you registered it with.
当您注册一个策略时,它是用于将检查路由到该类的类名,因此为了被路由到该策略,您只需传递您注册它的类型的类名。
Try using @can('delete', Post::class) and see if that gets you there
尝试使用 @can('delete', Post::class) 看看是否能让你到达那里
refer to Illuminate\Auth\Access\Gate::firstArgumentCorrespondsToPolicy
参考 Illuminate\Auth\Access\Gate::firstArgumentCorrespondsToPolicy
EDIT After a little more diggin I found this https://github.com/laravel/framework/commit/70f75255808ffc96275e6f2f356616dd2e163434#diff-961368895033e553787b301c3be0e17a
编辑经过更多的挖掘后,我发现了这个 https://github.com/laravel/framework/commit/70f75255808ffc96275e6f2f356616dd2e163434#diff-961368895033e553787b301c3be0e0
so it looks like if you on version 5.1.23 then you will be able to pass a string otherwise your will need to just pass new Post
所以看起来如果您使用的是 5.1.23 版本,那么您将能够传递一个字符串,否则您只需要传递新的 Post
回答by user634545
In controllers
在控制器中
$this->authorize('<ability>', <Class-With-Rule::class> |?<Full-Path-To-Class>);
In Blade view
在刀片视图中
@can('<ability>', <Class-With-Rule>::class> |?<Full-Path-To-Class>)
In Eloquent model
在 Eloquent 模型中
$user->can('<ability>', <Class-With-Rule>::class> |?<Full-Path-To-Class>);
回答by fbina
Methods Without Models:
没有模型的方法:
Some policy methods only receive the currently authenticated user and not an instance of the model they authorize. This situation is most common when authorizing create actions. For example, if you are creating a blog, you may wish to check if a user is authorized to create any posts at all.
某些策略方法仅接收当前经过身份验证的用户,而不接收它们授权的模型实例。这种情况在授权创建操作时最常见。例如,如果您正在创建博客,您可能希望检查用户是否有权创建任何帖子。
When defining policy methods that will not receive a model instance, such as a create method, it will not receive a model instance. Instead, you should define the method as only expecting the authenticated user:
当定义不会接收模型实例的策略方法时,例如创建方法,它不会接收模型实例。相反,您应该将该方法定义为只需要经过身份验证的用户:
