dpzo13732 2017-03-04 17:10
浏览 56
已采纳

如何在Laravel 5.3中执行授权策略?

I read here : https://laravel.com/docs/5.3/authorization#writing-policies

And I tried to like this

My FavoritePolicy is like this :

<?php
namespace App\Policies;
use App\User;
use App\Models\Favorite;
use Illuminate\Auth\Access\HandlesAuthorization;
class FavoritePolicy
{
    use HandlesAuthorization;
    public function view(User $user, Favorite $favorite)
    {
        return $user->id === $favorite->user_id;
    }
}

My FavoriteController is like this :

<?php
use App\Models\Favorite;
...
class FavoriteController extends ApiController
{
    ...
    public function index(Favorite $favorite)
    {
        $this->authorize('view', $favorite);
        return view('profile.favorite');
    }
}

My AuthServiceProvider is like this :

<?php
namespace App\Providers;
use App\Models\Favorite;
use App\Policies\FavoritePolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
        Favorite::class => FavoritePolicy::class,
    ];
    public function boot()
    {
        $this->registerPolicies();
    }
}

When I run my system to display favorite listing, there exist error like this :

Whoops, looks like something went wrong.

1/1 HttpException in Handler.php line 115: This action is unauthorized.

What the implementation of Authorization Policies is correct?

I try dd($user) in view method(FavoritePolicy), the result displays user data is being logged. It's true

But I try dd($favorite), the result does not display favorite data of the user who is currently logged. Whereas I check on the table, favorite data of the user who is currently logged is exist

How can I solve this problem?

Update

There result of dd($favorite) :

Favorite {#498 ▼
  #fillable: array:3 [▶]
  #connection: null
  #table: null
  #primaryKey: "id"
  #keyType: "int"
  #perPage: 15
  +incrementing: true
  +timestamps: true
  #attributes: []
  #original: []
  #relations: []
  #hidden: []
  #visible: []
  #appends: []
  #guarded: array:1 [▼
    0 => "*"
  ]
  #dates: []
  #dateFormat: null
  #casts: []
  #touches: []
  #observables: []
  #with: []
  +exists: false
  +wasRecentlyCreated: false
}
  • 写回答

1条回答 默认 最新

  • dongquepao8653 2017-03-05 10:32
    关注

    Thanks for the additional info in your update!

    So, you want to show the detail page of one specific Favorite entity, but only if the user is the owner of this entity?

    Firstly a minor "issue": usually in Laravel the controller method that shows details of a specific entity is called show, not index. index is the name for methods that show a list of entities (in your example: a list of favorites).

    Regarding your problem:
    Your policy checks if the currently logged in user can view an empty $favorite (see the dd($favorite) output in your post update). Which means, that $favorite is also not set in your index method.

    I guess, you have a route defined similar to this:

    Route::get('favorite/{id}', 'FavoriteController@index');

    This means, that the value of id is injected into your index method as a parameter, but not a Favorite entity. To query for the Favorite entity is something you need to do in the method.

    So, your method should more look like this:

    public function index($favoriteId)
{
    $favorite = Favorite::findOrFail($favoriteId);
    $this->authorize('view', $favorite);
    return view('profile.favorite')->with('favorite', $favorite);
}

    Hope that helps! If not, please add a comment!

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?