Laravel ACL with Entrust,如何保护路由,控制器方法
Laravel ACL with Entrust, how to protect routes, controller methods
如果用户对路由有权限,我如何检查 Entrust。
我有权限 table 路由字段和操作名称
例如
can_update_profile, can_delete_profile, can_see_profile
比起我为每个角色添加特权,而不是我尝试实现一个中间件,该中间件在用户能够访问控制器方法但失败时检查路由。
委托 can 将所有请求解释为免费访问
这是我的中间件
<?php
namespace App\Http\Middleware;
use Closure;
use App\Permission;
use Illuminate\Contracts\Auth\Guard;
use Route;
class AuthorizeRoute
{
public function __construct(Guard $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$user = $this->auth->user();
$permissions = Permission::all();
//dd($user);
$uri = $request->route()->uri();
foreach ($permissions as $permission) {
if (!$user->can($permission->name) && $permission->route === $uri) {
//var_dump($user->can($permission->name));
abort(403);
}
}
return $next($request);
}
}
我无法测试这个,但我猜你应该这样写 handle()
public function handle($request, Closure $next)
{
$user = $this->auth->user();
$permissions = Permission::all();
$uri = $request->route()->uri();
foreach ($permissions as $permission) {
// reordered expression order to skip calling $user->can()
// for routes that don't match
if ( $permission->route === $uri && $user->can($permission->name) ) {
// allow access only if it's a match
return $next($request);
}
}
// nothing matched, abort
abort(403);
}
如果用户对路由有权限,我如何检查 Entrust。
我有权限 table 路由字段和操作名称
例如
can_update_profile, can_delete_profile, can_see_profile
比起我为每个角色添加特权,而不是我尝试实现一个中间件,该中间件在用户能够访问控制器方法但失败时检查路由。
委托 can 将所有请求解释为免费访问
这是我的中间件
<?php
namespace App\Http\Middleware;
use Closure;
use App\Permission;
use Illuminate\Contracts\Auth\Guard;
use Route;
class AuthorizeRoute
{
public function __construct(Guard $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$user = $this->auth->user();
$permissions = Permission::all();
//dd($user);
$uri = $request->route()->uri();
foreach ($permissions as $permission) {
if (!$user->can($permission->name) && $permission->route === $uri) {
//var_dump($user->can($permission->name));
abort(403);
}
}
return $next($request);
}
}
我无法测试这个,但我猜你应该这样写 handle()
public function handle($request, Closure $next)
{
$user = $this->auth->user();
$permissions = Permission::all();
$uri = $request->route()->uri();
foreach ($permissions as $permission) {
// reordered expression order to skip calling $user->can()
// for routes that don't match
if ( $permission->route === $uri && $user->can($permission->name) ) {
// allow access only if it's a match
return $next($request);
}
}
// nothing matched, abort
abort(403);
}