What is the purpose of the authorize method in a Request class in Laravel?

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/37184430/

Date: 2020-09-14 13:47:08  Source: igfitidea

What is the purpose of the authorize method in a Request class in Laravel?

Tags: php, laravel, laravel-5, laravel-5.2

Asked by Pankaj

I am a bit confused today about my website's security and some extra code that is written to make the website secure. Below are the 2 locations where security is applied.

Inside Route Config, To secure the route, I have used Middleware to check the user role.


Route::group(['middleware' => ['web', 'SuperAdmin', 'auth']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

I mentioned 2 middlewares.

  1. Auth Middleware: This is for authentication.
  2. SuperAdmin Middleware: This is for Authorization.

The second location is the Request class. Here is the code. In the authorize method, the same thing is checked again that was already done in the route.

class DepartmentRequest extends Request
{
    public function authorize()
    {
        if(\Auth::user() == null) {
            return false;
        }
        if(\Auth::user()->isSuperAdmin()) {
            return true;
        }
        return false;
    }

    public function rules()
    {
        return [
            'Department' => 'required',
        ];
    }
}

Question: Should I remove the check in the Request class? Is that an unwanted validation to secure the request, as route.config is already doing the job?

What's the use of the authorize method? I mean, I am using the Request class to validate form inputs. Should I always return true from the authorize method?

Accepted answer by Moppo

Yes, you should remove those checks in the Request class: if you're already doing those checks in your middleware you should not repeat them.

When you specify this:


Route::group(['middleware' => ['web', 'SuperAdmin']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

You're telling Laravel that, when it finds a /Create-Department route, it should trigger the handle method of these middlewares: ['web', 'SuperAdmin'], before the request is sent to the DepartmentController.

So, if you check for authentication and authorization in the middlewares, when the request gets to your controller you're sure that it has satisfied all the middleware it went through.

Regarding the purpose of the authorize method: the authorize method is usually used to authorize the actual request based on some policy you'd like to respect. For example, if you have a request to edit a Post model, in the authorize method you'd check that the specific user trying to edit the post has the permissions to do it (for example, being the author of the post).

EDIT


Even if you want to use a middleware for your authorization, it's fine. Anyhow, usually the authorize method within form requests is used to do authorization checks on the specific request.

For instance, check this example from the docs:

public function authorize()
{
    $postId = $this->route('post');

    //here the authorization to edit the post is checked through the Gate facade
    return Gate::allows('update', Post::findOrFail($postId));
}

In conclusion: if you're doing your authentication and authorization tasks in middlewares, you don't need to repeat them in the authorize method, but keep in mind that the native purpose of the method is to authorize the specific request.
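To make the distinction concrete, here is an added example (not code from the question, the answer, or the Laravel docs) of a form request whose authorize method checks the specific Post named in the URL through a policy, something a role-only middleware like SuperAdmin cannot do. It assumes a Laravel application with hypothetical App\User and App\Post models, where User has the isSuperAdmin() method from the question and Post has a user_id column.

```php
<?php
// Added example, not from the question or the accepted answer.
// Assumes Laravel framework classes plus hypothetical App\User and App\Post.

// app/Policies/PostPolicy.php: the rule behind the 'update' ability on a Post.
namespace App\Policies {
    use App\Post;
    use App\User;

    class PostPolicy
    {
        // Only the post's author or a super admin may update this particular post.
        public function update(User $user, Post $post)
        {
            return $user->isSuperAdmin() || $user->id === $post->user_id;
        }
    }
}

// app/Providers/AuthServiceProvider.php (excerpt): map Post to its policy;
// the default provider's boot() registers this array with the Gate.
namespace App\Providers {
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        protected $policies = [
            \App\Post::class => \App\Policies\PostPolicy::class,
        ];
    }
}

// app/Http/Requests/UpdatePostRequest.php: authorize() is about *this* request,
// i.e. this user editing this post, not about a global role.
namespace App\Http\Requests {
    use App\Post;
    use Illuminate\Foundation\Http\FormRequest;

    class UpdatePostRequest extends FormRequest
    {
        public function authorize()
        {
            // Unauthenticated: refuse (the 'auth' middleware normally catches this first).
            if ($this->user() === null) {
                return false;
            }
            // {post} route parameter; findOrFail yields a 404 for unknown ids.
            $post = Post::findOrFail($this->route('post'));
            // Delegates to PostPolicy::update(); false makes the request respond 403.
            return $this->user()->can('update', $post);
        }

        public function rules()
        {
            return ['title' => 'required|max:255', 'body' => 'required'];
        }
    }
}
```

With this, the route only needs the 'auth' middleware for authentication, while the per-post ownership decision lives in the policy and is enforced by the form request before the controller runs.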