限制特定用户对 POST,DELETE,PATCH,PUT 的访问
Restricting access of a specific user to POST,DELETE,PATCH,PUT
我安装了Laravel 5.6。
我想向用户提供演示帐户,该用户不能插入或更新任何内容,只能查看所有内容。
我的系统中没有一组角色。我只想在某个地方硬编码用户 ID 并限制这些操作。
我用谷歌搜索并发现了很多不同的方法 (https://laracasts.com/discuss/channels/laravel/protecting-route-for-specific-user),这远远超出了我的需要。我只是想将此功能限制为所有网站中的特定用户。
Domain | Method | URI | Name | Action | Middleware |
+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
| | GET|HEAD | / | | Closure | web |
| | GET|HEAD | _debugbar/assets/javascript | debugbar.assets.js | Barryvdh\Debugbar\Controllers\AssetController@js | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/assets/stylesheets | debugbar.assets.css | Barryvdh\Debugbar\Controllers\AssetController@css | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | DELETE | _debugbar/cache/{key}/{tags?} | debugbar.cache.delete | Barryvdh\Debugbar\Controllers\CacheController@delete | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/clockwork/{id} | debugbar.clockwork | Barryvdh\Debugbar\Controllers\OpenHandlerController@clockwork | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/open | debugbar.openhandler | Barryvdh\Debugbar\Controllers\OpenHandlerController@handle | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | api/user | | Closure | api,auth:api |
| | GET|HEAD | giris | | Closure | web |
| | GET|HEAD | horizon/api/jobs/failed | horizon.failed-jobs.index | Laravel\Horizon\Http\Controllers\FailedJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/failed/{id} | horizon.failed-jobs.show | Laravel\Horizon\Http\Controllers\FailedJobsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/recent | horizon.recent-jobs.index | Laravel\Horizon\Http\Controllers\RecentJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/jobs/retry/{id} | horizon.retry-jobs.show | Laravel\Horizon\Http\Controllers\RetryController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/masters | horizon.masters.index | Laravel\Horizon\Http\Controllers\MasterSupervisorController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs | horizon.jobs-metrics.index | Laravel\Horizon\Http\Controllers\JobMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs/{id} | horizon.jobs-metrics.show | Laravel\Horizon\Http\Controllers\JobMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues | horizon.queues-metrics.index | Laravel\Horizon\Http\Controllers\QueueMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues/{id} | horizon.queues-metrics.show | Laravel\Horizon\Http\Controllers\QueueMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/monitoring | horizon.monitoring.store | Laravel\Horizon\Http\Controllers\MonitoringController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring | horizon.monitoring.index | Laravel\Horizon\Http\Controllers\MonitoringController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring/{tag} | horizon.monitoring-tag.paginate | Laravel\Horizon\Http\Controllers\MonitoringController@paginate | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | DELETE | horizon/api/monitoring/{tag} | horizon.monitoring-tag.destroy | Laravel\Horizon\Http\Controllers\MonitoringController@destroy | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/stats | horizon.stats.index | Laravel\Horizon\Http\Controllers\DashboardStatsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/workload | horizon.workload.index | Laravel\Horizon\Http\Controllers\WorkloadController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/{view?} | horizon.index | Laravel\Horizon\Http\Controllers\HomeController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
最快的方法是创建一个简单的中间件,如果是特定用户,您可以在其中中止。
要创建中间件,您可以使用 artisan 命令 make:middleware
php artisan make:middleware LimitUserIdX
在新创建的文件 (app/Http/Middleware/LimitUserIdX.php) 中,您可以只检查身份验证用户 ID 是否为 X,如果是,则中止并显示错误代码 403(权限被拒绝),如下所示:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if($userId == 5) {
abort(403);
}
return $next($request);
}
将 5 更改为您要限制的用户。
编辑:我没有理解问题,这是更正。
您应该将新创建的中间件添加到 Laravel 全局中间件列表。只需转到 App/Http/Kernel.php 并将 class 添加到 $middleware var。这将使 Laravel 运行 成为您对应用程序的所有 HTTP 请求的中间件(无需将其添加到每个路由定义中)。
然后,您还需要编辑中间件本身以在中止之前检查请求的方法,如下所示:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if(request()->method() != "GET" && request()->method() != "HEAD" && $userId == 5) {
abort(403);
}
return $next($request);
}
我安装了Laravel 5.6。
我想向用户提供演示帐户,该用户不能插入或更新任何内容,只能查看所有内容。
我的系统中没有一组角色。我只想在某个地方硬编码用户 ID 并限制这些操作。
我用谷歌搜索并发现了很多不同的方法 (https://laracasts.com/discuss/channels/laravel/protecting-route-for-specific-user),这远远超出了我的需要。我只是想将此功能限制为所有网站中的特定用户。
Domain | Method | URI | Name | Action | Middleware |
+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
| | GET|HEAD | / | | Closure | web |
| | GET|HEAD | _debugbar/assets/javascript | debugbar.assets.js | Barryvdh\Debugbar\Controllers\AssetController@js | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/assets/stylesheets | debugbar.assets.css | Barryvdh\Debugbar\Controllers\AssetController@css | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | DELETE | _debugbar/cache/{key}/{tags?} | debugbar.cache.delete | Barryvdh\Debugbar\Controllers\CacheController@delete | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/clockwork/{id} | debugbar.clockwork | Barryvdh\Debugbar\Controllers\OpenHandlerController@clockwork | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/open | debugbar.openhandler | Barryvdh\Debugbar\Controllers\OpenHandlerController@handle | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | api/user | | Closure | api,auth:api |
| | GET|HEAD | giris | | Closure | web |
| | GET|HEAD | horizon/api/jobs/failed | horizon.failed-jobs.index | Laravel\Horizon\Http\Controllers\FailedJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/failed/{id} | horizon.failed-jobs.show | Laravel\Horizon\Http\Controllers\FailedJobsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/recent | horizon.recent-jobs.index | Laravel\Horizon\Http\Controllers\RecentJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/jobs/retry/{id} | horizon.retry-jobs.show | Laravel\Horizon\Http\Controllers\RetryController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/masters | horizon.masters.index | Laravel\Horizon\Http\Controllers\MasterSupervisorController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs | horizon.jobs-metrics.index | Laravel\Horizon\Http\Controllers\JobMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs/{id} | horizon.jobs-metrics.show | Laravel\Horizon\Http\Controllers\JobMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues | horizon.queues-metrics.index | Laravel\Horizon\Http\Controllers\QueueMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues/{id} | horizon.queues-metrics.show | Laravel\Horizon\Http\Controllers\QueueMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/monitoring | horizon.monitoring.store | Laravel\Horizon\Http\Controllers\MonitoringController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring | horizon.monitoring.index | Laravel\Horizon\Http\Controllers\MonitoringController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring/{tag} | horizon.monitoring-tag.paginate | Laravel\Horizon\Http\Controllers\MonitoringController@paginate | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | DELETE | horizon/api/monitoring/{tag} | horizon.monitoring-tag.destroy | Laravel\Horizon\Http\Controllers\MonitoringController@destroy | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/stats | horizon.stats.index | Laravel\Horizon\Http\Controllers\DashboardStatsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/workload | horizon.workload.index | Laravel\Horizon\Http\Controllers\WorkloadController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/{view?} | horizon.index | Laravel\Horizon\Http\Controllers\HomeController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
最快的方法是创建一个简单的中间件,如果是特定用户,您可以在其中中止。
要创建中间件,您可以使用 artisan 命令 make:middleware
php artisan make:middleware LimitUserIdX
在新创建的文件 (app/Http/Middleware/LimitUserIdX.php) 中,您可以只检查身份验证用户 ID 是否为 X,如果是,则中止并显示错误代码 403(权限被拒绝),如下所示:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if($userId == 5) {
abort(403);
}
return $next($request);
}
将 5 更改为您要限制的用户。
编辑:我没有理解问题,这是更正。
您应该将新创建的中间件添加到 Laravel 全局中间件列表。只需转到 App/Http/Kernel.php 并将 class 添加到 $middleware var。这将使 Laravel 运行 成为您对应用程序的所有 HTTP 请求的中间件(无需将其添加到每个路由定义中)。
然后,您还需要编辑中间件本身以在中止之前检查请求的方法,如下所示:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if(request()->method() != "GET" && request()->method() != "HEAD" && $userId == 5) {
abort(403);
}
return $next($request);
}