使用单一策略方法覆盖对资源的所有操作 [英] Using a single policy method to cover every action on a resource

问题描述

我有一个名为Post的资源.每个Post都与单个User相关，并且User可能具有多个(或零个)Posts.

I have a resource named Post. Every Post is related to a single User, and a User may have several (or zero) Posts.

我正在使用Route::resource将针对Post资源的每个可能动作的路由映射到单个资源控制器PostController.

I'm using Route::resource to map routes for every possible action on the Post resource to a single resource controller, PostController.

现在，我希望为Post资源实施一项政策.为了使所有内容尽可能简单和易于使用，我希望制定以下政策:

Now, I wish to implement a policy for the Post resource. Aiming to keep everything as simple and fool-proof as possible, I'd like to make the policy as follows:

• 每个用户都有权执行不需要现有Post的任何操作(例如create).
• 对于每个访问Post的操作(例如，编辑，更新，删除)，仅授权User访问其自己的Posts.

• Every user is authorized to make any action that doesn't require an existing Post (e.g. create).
• A User is only authorized to access its own Posts for every action that accesses a Post (e.g. edit, update, delete).

我现在想做的是创建一个名为access的单一策略方法，该方法将检查Post是否由User拥有.然后，在我的PostController中，每个参数中带有Post对象的方法(例如edit(Post $post))都将以

What I'm trying to do right now is to create a single policy method called access, which would check that the Post is owned by the User. Then, in my PostController, every method that has a Post object in its parameters (such as edit(Post $post)) would begin with

$this->authorize('access', $post);

但是，我不喜欢我需要手动放置这些行.如果我忘记了其中一个，那我马上就会有一个安全漏洞.

However, I don't like that I need to put those lines manually. If I ever forget one of those, I'll have a security hole right there.

另一方面，我有authorizeResource方法，该方法使授权自动进行，但是要求策略具有多个方法，因此它们被映射到控制器的每个方法.另外，我尝试使用 Authorize/can中间件，但这没有用(也许是因为我在Route::resource映射上使用了它.)

On the other hand, I have the authorizeResource method, which makes authorization automatic but requires the policy to have several methods so they are mapped to the each of the controller's methods. Also, I tried to use the Authorize/can middleware, but it didn't work (maybe because I used it on a Route::resource mapping).

问题是:要达到我所描述的结果(即授权使用完全相同的规则访问资源的所有可能的操作)，最干净，更安全的方法是什么?

The question is: What would be the cleanest and more secure way to achieve the result I described (i.e. authorizing every possible action that accesses a resource with the exact same rule)?

推荐答案

您可以使用authorizeResource()并在控制器中覆盖resourceAbilityMap()方法.后一种方法返回从控制器方法到将要调用的策略方法的映射.

You can use authorizeResource() and override the resourceAbilityMap() method in your controller. The latter method returns a mapping from controller methods to the policy methods that will be called.

https://github.com/laravel/framework/blob/5.7/src/Illuminate/Foundation/Auth/Access/AuthorizesRequests.php#L105

例如

class MyController extends Controller
{
    // ...

    /**
     * Get the map of resource methods to ability names.
     *
     * @return array
     */
    protected function resourceAbilityMap()
    {
        return [
            'edit' => 'access',
            'update' => 'access',
            'destroy' => 'access',
        ];
    }

    // ...
}

这篇关于使用单一策略方法覆盖对资源的所有操作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！