Laravel: restrict route access to non-admin users
Original URL: http://stackoverflow.com/questions/30643810/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Restrict route access to non-admin users
Asked by Tiffany Soun
Goal
I'm trying to create Admin route restriction for my log-in users. I've tried a check to see if my user is log-in, and also if the user type is Admin, and if they are, I want to allow them access to the admin route, otherwise, respond a 404.
routes.php
// Route group
$router->group(['middleware' => 'auth'], function() {
    // No Restriction
    Route::get('dashboard','WelcomeController@index');
    // Admin Only
    if(Auth::check()){
        if ( Auth::user()->type == "Admin" ){
            //Report
            Route::get('report','ReportController@index');
            Route::get('report/create', array('as'=>'report.create', 'uses'=>'ReportController@create'));
            Route::post('report/store','ReportController@store');
            Route::get('report/{id}', array('before' =>'profile', 'uses'=>'ReportController@show'));
            Route::get('report/{id}/edit', 'ReportController@edit');
            Route::put('report/{id}/update', array('as'=>'report.update', 'uses'=>'ReportController@update'));
            Route::delete('report/{id}/destroy',array('as'=>'report.destroy', 'uses'=>'ReportController@destroy'));
        }
    }
});
Result
It's not working as I intended. It throws a 404 error - even for Admin users.
Answered by Limon Monte
You can use Middleware for this simple case.
- Create middleware:
php artisan make:middleware AdminMiddleware
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Contracts\Auth\Guard;

class AdminMiddleware
{
    /**
     * The Guard implementation.
     *
     * @var Guard
     */
    protected $auth;

    /**
     * Create a new filter instance.
     *
     * @param Guard $auth
     * @return void
     */
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Strict comparison is case-sensitive: the value must match the stored
        // user type exactly (the question's code compares against "Admin").
        if ($this->auth->getUser()->type !== "admin") {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }
}
- Add it to app\Http\Kernel.php:
protected $routeMiddleware = [
    'admin' => 'App\Http\Middleware\AdminMiddleware',
];
- Use middleware in your routes:
Route::group(['middleware' => ['auth', 'admin']], function() {
    // your routes
});
Answered by edi9999
This answer is about why your code doesn't work as expected. @limonte's solution is correct and the best I can think of.
Your routes file is parsed to get your routes, and after that, those routes might be cached somewhere else.
Thus you shouldn't put any code that depends on the request (e.g. checking whether a User has sufficient rights to access a route).
In particular, you shouldn't use the following request-dependent modules inside your routes.php (not exhaustive):
- Auth
- DB or any kind of db queries that might depend on time
- Session
- Request
You should view your routes.php as part of your config, it just happens that it is written in php directly instead of some new language you have to learn.
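Added example (not part of either answer, and not Laravel code): a framework-free PHP model of the behaviour described above, assuming the route file is evaluated once at boot, before any request's user is known. The function names, the sample users and the 401 stand-in for the login redirect are constructed for illustration.

```php
<?php
// Constructed, framework-free model; none of these functions are Laravel APIs.

// Question's approach: the admin check runs while the route table is built.
function registerConditionally(?array $userAtBoot): array
{
    $routes = ['dashboard' => ['auth']];
    if ($userAtBoot !== null && $userAtBoot['type'] === 'Admin') {
        $routes['report'] = ['auth'];
    }
    return $routes;
}

// Answer's approach: always register the route, attach checks as middleware.
function registerWithMiddleware(): array
{
    return ['dashboard' => ['auth'], 'report' => ['auth', 'admin']];
}

// Resolve a path to an HTTP status for the user attached to this request.
function dispatch(array $routes, string $path, ?array $user): int
{
    if (!isset($routes[$path])) {
        return 404; // never registered, so it does not exist for anyone
    }
    foreach ($routes[$path] as $middleware) {
        if ($middleware === 'auth' && $user === null) {
            return 401; // simplified stand-in for the login redirect
        }
        if ($middleware === 'admin' && ($user === null || $user['type'] !== 'Admin')) {
            return 403; // null check keeps the route denied even without 'auth'
        }
    }
    return 200;
}

$admin  = ['name' => 'alice', 'type' => 'Admin']; // constructed sample users
$member = ['name' => 'bob', 'type' => 'User'];

// Route table built once, before any session is read: no user is known yet.
$broken = registerConditionally(null);
$fixed  = registerWithMiddleware();

foreach (['admin' => $admin, 'member' => $member, 'guest' => null] as $label => $user) {
    printf("%-6s  conditional: %d  middleware: %d\n",
        $label, dispatch($broken, 'report', $user), dispatch($fixed, 'report', $user));
}
```

With conditional registration every caller, admins included, gets the same 404 because the report route is never added; with middleware the decision is made per request.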