Laravel preventing user from accessing other users resource url


Problem description


I am passing a specific resource in the url, for ex. https://www.example.com/{companyID}


And in the controller I can access the resource by

public function index($companyID)
{
    // Code Here
}


I need to block users from changing the url and accessing other companyIDs from the system. Currently its open and is a security risk. I checked out Laravel Gate and Policy's but fail to see how this could be implemented for my case.


What I am really looking for is something in the AuthServiceProvider boot method that can check if the user really is the owner of the resource before continuing with the code.

Any help?

Recommended answer


As mentioned before, you can do that by creating a Middleware that checks if your resource should be available to the logged in user.


First, create a Middleware via php artisan, like this

php artisan make:middleware AuthResource


Next, add it to your App\Http\Kernel.php

protected $routeMiddleware = [
    ...
    'AuthResource' => \App\Http\Middleware\AuthResource::class,
];


In your routes, you can now do the following:

Route::get('{companyID}', ['uses' => 'CompanyController@index', 'middleware' => 'AuthResource']);


That way, your AuthResource middleware is used whenever the route is called. In your App\Http\Middleware\AuthResource.php you have to change the code from

public function handle($request, Closure $next)
{
    return $next($request);
}


to something that checks if the resource is available to the currently logged in user. I assume that your companies table has a field user_id, which links the Company to a User. If your data structure is different, you need to change the code accordingly.

// requires: use App\Company;  (App\Models\Company on newer Laravel versions)
public function handle($request, Closure $next)
{
    if ($request->route('companyID')) {
        $company = Company::find($request->route('companyID'));
        // auth()->id() is null for a guest, so a guest never matches an owner;
        // auth()->user()->id would throw on a null user instead of denying access
        if ($company && $company->user_id != auth()->id()) {
            return redirect('/');
        }
    }

    return $next($request);
}


That way we check if a route parameter with the name companyID exists, and if it does we check if it is available to the currently logged in user. If no companyID parameter is available, the page can be loaded without any restrictions.


That way you can copy/paste the code within the middleware for any parameters so that the middleware does work for multiple resources (not only companies).
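As an added example (not part of the original answer), the same ownership check written once as a parameterised middleware, so several resources are covered from one map instead of copy/pasting the block per route parameter. The model classes, owner columns and the `owns` alias are assumptions; register the class in Kernel.php as `'owns' => \App\Http\Middleware\OwnsResource::class`.

```php
<?php
// Added example, not the original answer's code. Model classes, columns and
// the route alias 'owns' are assumed names; adjust them to your schema.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class OwnsResource
{
    // Route parameter name => [Eloquent model class, owner column] (assumed).
    private const RESOURCES = [
        'companyID' => [\App\Models\Company::class, 'user_id'],
        'invoiceID' => [\App\Models\Invoice::class, 'owner_id'],
    ];

    // Extra middleware parameters select which route parameters to check,
    // e.g. ->middleware('owns:companyID'); with none given, every known one is checked.
    public function handle(Request $request, Closure $next, string ...$params)
    {
        $names = $params ?: array_keys(self::RESOURCES);

        foreach ($names as $name) {
            $id = $request->route($name);
            if ($id === null || !isset(self::RESOURCES[$name])) {
                continue; // this route does not carry that parameter
            }
            [$model, $column] = self::RESOURCES[$name];

            // Guests never reach the ownership comparison, so a null user id
            // cannot accidentally equal a null owner column.
            if (!Auth::check()) {
                abort(401);
            }

            $resource = $model::find($id);
            // Same response for "does not exist" and "belongs to someone else":
            // a user who edits the URL learns nothing about which ids are taken.
            if ($resource === null || (int) $resource->{$column} !== (int) Auth::id()) {
                abort(404);
            }
        }

        return $next($request);
    }
}
```

A route then reads `Route::get('{companyID}', 'CompanyController@index')->middleware('owns:companyID');`, and adding a new resource is one more entry in the map rather than another copy of the check.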
