Laravel 8 控制器构造函数中的 authorizeResource 不适用于编辑（edit）操作


我在 laravel 8 中为 Post 模型编写了一个策略。

当我使用时

/**
 * Register PostPolicy for every resource action of this controller.
 *
 * The second argument is the route parameter name ({post}); the actions
 * that receive a model must type-hint it (`Post $post`) so the bound Post,
 * not a raw id, reaches the policy.
 */
public function __construct()
    {
       $this->authorizeResource(Post::class, 'post');
    }

在控制器中，策略正确地应用于索引（index）和创建（create）操作，但不适用于编辑（edit）操作。

如果我删除构造函数中的那一行，并像下面这样修改编辑操作：

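 /**
  * Show the form for editing the specified resource, authorizing explicitly.
  *
  * Loads the post once (404 when it does not exist, instead of handing a null
  * to authorize()) and checks the `update` ability before rendering.
  *
  * @param  int|string  $id
  * @return \Illuminate\Contracts\View\View
  *
  * @throws \Illuminate\Database\Eloquent\ModelNotFoundException
  * @throws \Illuminate\Auth\Access\AuthorizationException
  */
 public function edit($id)
 {
     $post = Post::findOrFail($id);
     $this->authorize('update', $post);
     $author = User::find($post->author_id);

     return view('posts.edit', compact('post', 'author'));
 }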

（仅添加了 `$this->authorize('update', $post);` 这一行）

然后就可以正常使用了。

我不明白我做错了什么

以下是控制器和策略

控制器(未完成)

<?php

namespace App\Http\Controllers;

use App\Models\Post;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

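class PostController extends Controller
{
    /**
     * Create the controller instance.
     *
     * authorizeResource() registers PostPolicy for every resource action, so
     * the policy runs before each method below: index -> viewAny,
     * create/store -> create, show -> view, edit/update -> update,
     * destroy -> delete. The second argument must match the route parameter
     * ({post}), and the actions that receive a model must type-hint it
     * (`Post $post`) so route model binding hands the policy a Post instance
     * rather than a raw id. Leaving this line commented out leaves every
     * action without an authorization check.
     *
     * @return void
     */
    public function __construct()
    {
        $this->authorizeResource(Post::class, 'post');
    }

    /**
     * Display a listing of the resource.
     *
     * Authorization (`viewAny`) is handled by authorizeResource() in the constructor.
     *
     * @return \Illuminate\Contracts\View\View
     */
    public function index()
    {
        $user = auth()->user();
        $posts = Post::orderBy('created_at', 'desc')->paginate(25);

        return view('posts.index', compact('posts', 'user'));
    }

    /**
     * Show the form for creating a new resource.
     *
     * Authorization (`create`) is handled by authorizeResource() in the constructor.
     *
     * @return \Illuminate\Contracts\View\View
     */
    public function create()
    {
        return view('posts.create');
    }

    /**
     * Store a newly created resource in storage.
     *
     * Authorization (`create`) is handled by authorizeResource() in the constructor.
     * Only title, abstract and body are validated; the remaining fields are
     * copied from the request as submitted.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse
     *
     * @throws \Illuminate\Validation\ValidationException
     */
    public function store(Request $request)
    {
        $this->validate($request, [
            'title' => 'required',
            'abstract' => 'required',
            'body' => 'required',
        ]);

        $post = new Post;
        $post->title = $request->input('title');
        $post->abstract = $request->input('abstract');
        $post->body = $request->input('body');
        // The owner is always the authenticated user, never a request field,
        // so a client cannot attribute a post to someone else.
        $post->author_id = auth()->user()->id;
        $post->category = $request->input('category');
        $post->beg_date = $request->input('beg_date');
        $post->end_date = $request->input('end_date');
        $post->close_date = $request->input('close_date');
        $post->sticky = $request->input('sticky');
        $post->diaporama_dir = $request->input('diaporama_dir');
        $post->receive_registration = $request->input('receive_registration');
        $post->inscription_directive = $request->input('inscription_directive');
        $post->save();

        return redirect('/posts')->with('success', 'Article enregistré !');
    }

    /**
     * Display the specified resource.
     *
     * Authorization (`view`) is handled by authorizeResource() in the constructor.
     * Not implemented yet.
     *
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function show(Post $post)
    {
        //
    }

    /**
     * Show the form for editing the specified resource.
     *
     * The route parameter is type-hinted so route model binding resolves
     * {post} to a Post instance; authorizeResource() in the constructor then
     * checks the `update` ability against that instance, which is why no
     * explicit authorize() call is needed here (an untyped `$id` parameter
     * would leave the policy with nothing to check).
     *
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Contracts\View\View
     */
    public function edit(Post $post)
    {
        $author = User::find($post->author_id);

        return view('posts.edit', compact('post', 'author'));
    }

    /**
     * Update the specified resource in storage.
     *
     * Authorization (`update`) is handled by authorizeResource() in the constructor.
     * Not implemented yet.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function update(Request $request, Post $post)
    {
        //
    }

    /**
     * Remove the specified resource from storage.
     *
     * Authorization (`delete`) is handled by authorizeResource() in the constructor.
     * Not implemented yet.
     *
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function destroy(Post $post)
    {
        //
    }
}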

策略

<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;
use Illuminate\Auth\Access\HandlesAuthorization;

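class PostPolicy
{
    use HandlesAuthorization;

    /** Roles allowed to list posts (viewAny). */
    private const LISTING_ROLES = ['admin', 'writer', 'manager'];

    /** Roles allowed to create posts. */
    private const AUTHORING_ROLES = ['writer', 'manager'];

    /**
     * Perform pre-authorization checks.
     *
     * Admins are granted every ability without reaching the per-ability
     * methods below. Returning nothing defers the decision to those methods.
     *
     * @param  \App\Models\User  $user
     * @param  string  $ability
     * @return \Illuminate\Auth\Access\Response|void
     */
    public function before(User $user, $ability)
    {
        if ($user->role === 'admin') {
            return Response::allow();
        }
    }

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response
     */
    public function viewAny(User $user)
    {
        return in_array($user->role, self::LISTING_ROLES, true)
            ? Response::allow()
            : Response::deny(__("You are not allowed to view any posts!"));
    }

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function view(User $user, Post $post)
    {
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot view this post because you are not its owner!"));
    }

    /**
     * Determine whether the user can create models.
     *
     * @param  \App\Models\User  $user
     * @return \Illuminate\Auth\Access\Response
     */
    public function create(User $user)
    {
        return in_array($user->role, self::AUTHORING_ROLES, true)
            ? Response::allow()
            : Response::deny(__("You are not allowed to create posts."));
    }

    /**
     * Determine whether the user can update the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function update(User $user, Post $post)
    {
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot update this post because you are not its owner."));
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function delete(User $user, Post $post)
    {
        // Message now names the ability being refused (it previously said "update").
        return $this->owns($user, $post)
            ? Response::allow()
            : Response::deny(__("You cannot delete this post because you are not its owner."));
    }

    /**
     * Determine whether the user can restore the model.
     *
     * Nobody below admin (see before()) may restore posts.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function restore(User $user, Post $post)
    {
        return Response::deny();
    }

    /**
     * Determine whether the user can permanently delete the model.
     *
     * Nobody below admin (see before()) may force-delete posts. The denial is
     * explicit rather than an empty body, which was only denied by falling
     * through to a null result.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Auth\Access\Response
     */
    public function forceDelete(User $user, Post $post)
    {
        return Response::deny();
    }

    /**
     * Whether $user is the owner of $post.
     *
     * The controller records the owner in `author_id` when storing a post and
     * reads it back when editing; `user_id`, which the earlier checks compared
     * against, is never set by the controller, so a non-admin owner would be
     * refused if the model has no such attribute. Both sides are cast to int
     * because a non-key attribute may come back from the driver as a string,
     * and the comparison should be strict.
     */
    private function owns(User $user, Post $post): bool
    {
        return (int) $user->id === (int) $post->author_id;
    }
}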

要让资源策略（authorizeResource）生效，您需要在控制器操作中使用路由模型绑定：

/**
 * Show the form for editing the specified resource.
 *
 * With route model binding, {post} arrives already resolved to a Post
 * instance, which is what authorizeResource() in the constructor relies on
 * to check the `update` ability before this method runs.
 *
 * @param  \App\Models\Post  $post
 * @return \Illuminate\Contracts\View\View
 */
public function edit(Post $post)
{
    return view('posts.edit', [
        'post' => $post,
        'author' => User::find($post->author_id),
    ]);
}


您可能已经注意到，只有那些需要模型参数的操作不起作用。这个解决方案只能靠反复尝试摸索出来，因为没有任何地方说明策略方法和控制器方法中的参数必须具有相同的名称和类型。

策略示例：

namespace App\Policies;

use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

/**
 * Policy used to show which abilities authorizeResource() actually reaches.
 *
 * Every ability is granted; the dd() calls in the model-taking methods exist
 * only to make it visible that the method was invoked with a bound model.
 */
class UserPolicy
{
    use HandlesAuthorization;

    /** Listing users: always permitted, no marker dumped. */
    public function viewAny(User $user)
    {
        return true;
    }

    /** Viewing one user: dumps a marker to prove the ability was reached. */
    public function view(User $user, User $model)
    {
        dd("It`s worked");
        return true;
    }

    /** Creating a user: always permitted, no marker dumped. */
    public function create(User $user)
    {
        return true;
    }

    /** Updating a user: dumps a marker to prove the ability was reached. */
    public function update(User $user, User $model)
    {
        dd("It`s worked");
        return true;
    }

    /** Deleting a user: dumps a marker to prove the ability was reached. */
    public function delete(User $user, User $model)
    {
        dd("It`s worked");
        return true;
    }

    /** Restoring a user: dumps a marker to prove the ability was reached. */
    public function restore(User $user, User $model)
    {
        dd("It`s worked");
        return true;
    }

    /** Force-deleting a user: dumps a marker to prove the ability was reached. */
    public function forceDelete(User $user, User $model)
    {
        dd("It`s worked");
        return true;
    }
}

示例控制器

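    class UserController extends Controller
{
    /** @var UserRepository */
    private $repository;

    /**
     * Register the policy for the repository's model class.
     *
     * The property is declared above instead of being created on the fly,
     * which would be a dynamic property. The second argument ("user") is the
     * route parameter name and must match the parameter type-hinted in
     * edit()/update()/destroy(); otherwise authorizeResource() has no bound
     * model to hand to the policy.
     */
    public function __construct(UserRepository $repository)
    {
        $this->repository = $repository;
        $this->authorizeResource($this->repository->getModelClass(), "user");
    }

    /** Listing users (ability: viewAny). Placeholder. */
    public function index()
    {
        // do something
    }

    /** Creation form (ability: create). Placeholder. */
    public function create(): Response
    {
        // do something
    }

    /** Persist a new user (ability: create). Placeholder. */
    public function store(Request $request)
    {
        // do something
    }

    /** Edit form; the bound User is what the `update` ability is checked against. Placeholder. */
    public function edit(User $user)
    {
        // do something
    }

    /** Apply changes to the bound User (ability: update). Placeholder. */
    public function update(Request $request, User $user)
    {
        // do something
    }

    /** Remove the bound User (ability: delete). Placeholder. */
    public function destroy(User $user)
    {
        // do something
    }
}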


您必须在控制器文件中用 `public function edit(Post $post)` 代替 `edit($id)`。祝好。
