Using a single policy method to cover every action on a resource
Question

I have a resource named Post. Every Post is related to a single User, and a User may have several (or zero) Posts.
I'm using Route::resource to map routes for every possible action on the Post resource to a single resource controller, PostController.
Now, I wish to implement a policy for the Post resource. Aiming to keep everything as simple and fool-proof as possible, I'd like to make the policy as follows:

- Every user is authorized to make any action that doesn't require an existing Post (e.g. create).
- A User is only authorized to access its own Posts for every action that accesses a Post (e.g. edit, update, delete).
What I'm trying to do right now is to create a single policy method called access, which would check that the Post is owned by the User. Then, in my PostController, every method that has a Post object in its parameters (such as edit(Post $post)) would begin with

    $this->authorize('access', $post);
However, I don't like that I need to put those lines manually. If I ever forget one of those, I'll have a security hole right there.
On the other hand, I have the authorizeResource method, which makes authorization automatic but requires the policy to have several methods so they are mapped to each of the controller's methods. Also, I tried to use the Authorize/can middleware, but it didn't work (maybe because I used it on a Route::resource mapping).
The question is: What would be the cleanest and most secure way to achieve the result I described (i.e. authorizing every possible action that accesses a resource with the exact same rule)?
Recommended answer

You can use authorizeResource() and override the resourceAbilityMap() method in your controller. The latter method returns a mapping from controller methods to the policy methods that will be called.

For example:
    class MyController extends Controller
    {
        // ...

        /**
         * Get the map of resource methods to ability names.
         *
         * @return array
         */
        protected function resourceAbilityMap()
        {
            return [
                'edit'    => 'access',
                'update'  => 'access',
                'destroy' => 'access',
            ];
        }

        // ...
    }
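The full wiring of this approach, as an added example that is neither the question's nor the answer's own code: a policy with one access rule, and a controller whose constructor calls authorizeResource() so that the can middleware is attached to every method listed in the map. It assumes a posts.user_id column, App\Post and App\User model classes, PostPolicy registered for Post::class in the AuthServiceProvider, and the base Controller using Laravel's AuthorizesRequests trait; the ability names viewAny and create are this example's choice.

```php
<?php
// Added example, not from the original question or answer.
// Assumes: posts.user_id column, App\Post / App\User models, and
// PostPolicy registered for Post::class in AuthServiceProvider::$policies.

namespace App\Policies;

use App\Post;
use App\User;

class PostPolicy
{
    // Actions that need no existing Post: any authenticated user may do them.
    public function viewAny(User $user): bool { return true; }
    public function create(User $user): bool { return true; }

    // The single ownership rule for every action that touches an existing Post.
    // Strict comparison so a string/int mismatch cannot accidentally pass.
    public function access(User $user, Post $post): bool
    {
        return (int) $post->user_id === (int) $user->id;
    }
}

namespace App\Http\Controllers;

use App\Post;

class PostController extends Controller
{
    public function __construct()
    {
        // Attaches the `can:<ability>,post` middleware to each method named
        // in resourceAbilityMap(); 'post' is the route parameter name.
        $this->authorizeResource(Post::class, 'post');
    }

    // A method missing from this map gets NO authorization middleware,
    // so every method the resource route exposes must appear here.
    protected function resourceAbilityMap()
    {
        return [
            'index'   => 'viewAny', // no model: checked against Post::class
            'create'  => 'create',
            'store'   => 'create',
            'show'    => 'access',  // model-bound: checked against $post
            'edit'    => 'access',
            'update'  => 'access',
            'destroy' => 'access',
        ];
    }
}
```

A quick check that nothing is silently unprotected is to run php artisan route:list and confirm every post route shows a can: middleware entry.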