Laravel 8 控制器构造函数中的 authorizeResources 不适用于编辑操作

Laravel 8 authorizeResources in the controller constructor doesn't work for edit action

我在 laravel 8 中为 Post 模型编写了策略。

当我使用

// Registers the "can" middleware for every resource action and maps each one to
// the matching PostPolicy ability (index->viewAny, create/store->create,
// show->view, edit/update->update, destroy->delete). The middleware resolves the
// "post" route parameter, so an action only receives the Post model when it
// type-hints `Post $post` (route-model binding) — see the answer at the end.
public function __construct()
    {
       $this->authorizeResource(Post::class, 'post');
    }

在控制器中,策略正确应用于索引、创建操作但不适用于编辑操作。

如果我删除构造函数中的行并像这样修改编辑操作

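 /**
  * Show the edit form for one post, with an explicit policy check.
  *
  * @param  int|string  $id  The post's primary key taken from the route.
  * @return \Illuminate\Contracts\View\View
  */
 public function edit($id)
 {
     // findOrFail() turns an unknown id into a 404 instead of handing null to
     // the policy and then dereferencing it below. The original also ran a
     // second, identical find() after authorize(), which was a redundant query.
     $post = Post::findOrFail($id);
     $this->authorize('update', $post);
     $author = User::find($post->author_id);

     return view('posts.edit', compact('post', 'author'));
 }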

Only the line `$this->authorize('update', $post);` is added.

然后它就可以正常工作了。

我不明白我做错了什么

以下是控制器和策略

控制器(未完成)

<?php

namespace App\Http\Controllers;

use App\Models\Post;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

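class PostController extends Controller
{
    /**
     * Create the controller instance.
     *
     * authorizeResource() registers the "can" middleware for every resource
     * action (index->viewAny, create/store->create, show->view,
     * edit/update->update, destroy->delete) and resolves the "post" route
     * parameter for it. The middleware only receives a Post model when the
     * action type-hints `Post $post` (implicit route-model binding); with an
     * `edit($id)` signature it gets the raw id, so the check cannot be matched
     * against PostPolicy — presumably why edit is denied while index/create
     * work. While this line stays commented out nothing is authorized by the
     * constructor, so every action below authorizes itself explicitly.
     *
     * @return void
     */
    public function __construct()
    {
        //$this->authorizeResource(Post::class, 'post');
    }

    /**
     * Display a listing of the resource.
     *
     * @return \Illuminate\Contracts\View\View
     */
    public function index()
    {
        // Explicit because the constructor's authorizeResource() call is
        // commented out; it becomes a harmless duplicate once that is restored.
        $this->authorize('viewAny', Post::class);

        $user = auth()->user();
        $posts = Post::orderBy('created_at', 'desc')->paginate(25);

        return view('posts.index', compact('posts', 'user'));
    }

    /**
     * Show the form for creating a new resource.
     *
     * @return \Illuminate\Contracts\View\View
     */
    public function create()
    {
        // Explicit for the same reason as in index().
        $this->authorize('create', Post::class);

        return view('posts.create');
    }

    /**
     * Store a newly created resource in storage.
     *
     * Only title, abstract and body are validated; every other field is
     * copied from the request unchecked. The owner is recorded in author_id,
     * which is the column PostPolicy's ownership checks must read.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse
     */
    public function store(Request $request)
    {
        // Explicit for the same reason as in index().
        $this->authorize('create', Post::class);

        $this->validate($request, [
            'title' => 'required',
            'abstract' => 'required',
            'body' => 'required',
        ]);

        $post = new Post;
        $post->title = $request->input('title');
        $post->abstract = $request->input('abstract');
        $post->body = $request->input('body');
        $post->author_id = auth()->id();
        $post->category = $request->input('category');
        $post->beg_date = $request->input('beg_date');
        $post->end_date = $request->input('end_date');
        $post->close_date = $request->input('close_date');
        $post->sticky = $request->input('sticky');
        // NOTE(review): stored verbatim from the request; if this value is
        // later used to build a filesystem path, validate it against an
        // allow-list first — its usage is not visible in this controller.
        $post->diaporama_dir = $request->input('diaporama_dir');
        $post->receive_registration = $request->input('receive_registration');
        $post->inscription_directive = $request->input('inscription_directive');
        $post->save();

        return redirect('/posts')->with('success', 'Article enregistré !');
    }

    /**
     * Display the specified resource.
     *
     * Not implemented yet; $post is resolved by route-model binding because
     * the parameter is type-hinted.
     *
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function show(Post $post)
    {
        // Authorize up front so the check is already in place when the body
        // is written.
        $this->authorize('view', $post);

        // TODO: not implemented.
    }

    /**
     * Show the form for editing the specified resource.
     *
     * Takes a raw id rather than a bound model, which is why the
     * constructor's authorizeResource() could not protect it; the policy
     * check is therefore made explicitly here.
     *
     * @param  int|string  $id  The post's primary key taken from the route.
     * @return \Illuminate\Contracts\View\View
     */
    public function edit($id)
    {
        // findOrFail() turns an unknown id into a 404 instead of handing null
        // to the policy and dereferencing it below; the original also ran a
        // second, identical find() after authorize().
        $post = Post::findOrFail($id);
        $this->authorize('update', $post);
        $author = User::find($post->author_id);

        return view('posts.edit', compact('post', 'author'));
    }

    /**
     * Update the specified resource in storage.
     *
     * Not implemented yet; $post is resolved by route-model binding.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function update(Request $request, Post $post)
    {
        // Authorize up front so the check is already in place when the body
        // is written.
        $this->authorize('update', $post);

        // TODO: not implemented.
    }

    /**
     * Remove the specified resource from storage.
     *
     * Not implemented yet; $post is resolved by route-model binding.
     *
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function destroy(Post $post)
    {
        // Authorize up front so the check is already in place when the body
        // is written.
        $this->authorize('delete', $post);

        // TODO: not implemented.
    }
}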

策略

<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;
use Illuminate\Auth\Access\HandlesAuthorization;

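class PostPolicy
{
    use HandlesAuthorization;

    /** Roles that may list posts; admins are also let through by before(). */
    private const VIEW_ANY_ROLES = ['admin', 'writer', 'manager'];

    /** Roles that may create posts. */
    private const CREATE_ROLES = ['writer', 'manager'];

    /**
     * Perform pre-authorization checks.
     *
     * Admins are granted every ability before the per-ability method runs.
     * For everyone else nothing is returned, which falls through to that
     * method.
     *
     * @param  \App\Models\User  $user
     * @param  string  $ability
     * @return \Illuminate\Auth\Access\Response|void
     */
    public function before(User $user, $ability)
    {
        if ($user->role === 'admin') {
            return Response::allow();
        }
    }

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response
     */
    public function viewAny(User $user)
    {
        return in_array($user->role, self::VIEW_ANY_ROLES, true)
            ? Response::allow()
            : Response::deny(__("You are not allowed to view any posts!"));
    }

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function view(User $user, Post $post)
    {
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot view this post because you are not its owner!"));
    }

    /**
     * Determine whether the user can create models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response
     */
    public function create(User $user)
    {
        return in_array($user->role, self::CREATE_ROLES, true)
            ? Response::allow()
            : Response::deny(__("You are not allowed to create posts."));
    }

    /**
     * Determine whether the user can update the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function update(User $user, Post $post)
    {
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot update this post because you are not its owner."));
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function delete(User $user, Post $post)
    {
        // The message previously said "update" — a copy-paste slip.
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot delete this post because you are not its owner."));
    }

    /**
     * Determine whether the user can restore the model.
     *
     * Unconditionally denied (admins still pass via before()).
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function restore(User $user, Post $post)
    {
        return Response::deny();
    }

    /**
     * Determine whether the user can permanently delete the model.
     *
     * Unconditionally denied (admins still pass via before()). Made explicit
     * instead of the earlier empty body, whose null return is treated as a
     * denial as well.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function forceDelete(User $user, Post $post)
    {
        return Response::deny();
    }

    /**
     * Whether $user is the owner of $post.
     *
     * The controller writes the owner to author_id (PostController::store)
     * and reads it back in edit(); the previous comparison against
     * $post->user_id looks like a scaffold leftover that would never match —
     * confirm against the posts migration. Ids are cast before the strict
     * comparison because some drivers return them as strings, and a missing
     * author never matches anyone.
     */
    private function owns(User $user, Post $post): bool
    {
        return $post->author_id !== null
            && (int) $user->id === (int) $post->author_id;
    }
}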

要让 authorizeResource 对资源策略生效，控制器操作必须通过类型提示（`Post $post`）使用路由模型绑定，而不是接收原始的 `$id`：

/**
 * Edit form for a post that implicit route-model binding has already resolved.
 *
 * Because the parameter is type-hinted, the "can" middleware registered by
 * authorizeResource() receives the model and checks PostPolicy::update before
 * this method runs, so no explicit authorize() call is needed here.
 *
 * @return \Illuminate\Contracts\View\View
 */
public function edit(Post $post)
{
    return view('posts.edit', [
        'post' => $post,
        'author' => User::find($post->author_id),
    ]);
}