问题
I have this setup:-
\App\Policies\ObservationPolicy
<?php
namespace App\Policies;
use App\Observation;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class ObservationPolicy
{
use HandlesAuthorization;
/**
* Create a new policy instance.
*
* @return void
*/
public function __construct()
{
//
}
public function edit(User $user, Observation $observation)
{
return $user->id == $observation->user_id;
}
}
Auth Service provider :
<?php
namespace App\Providers;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
/**
* The policy mappings for the application.
*
* @var array
*/
protected $policies = [
'App\Model' => 'App\Policies\ModelPolicy',
'App\Observation' => 'App\Policies\ObservationPolicy'
];
/**
* Register any authentication / authorization services.
*
* @return void
*/
public function boot()
{
$this->registerPolicies();
//
}
}
When i tried in view file with this statement :-
@can('edit', $observation)
@endcan
It worked without any issue.
But when i used in Controller :
public function edit($id,Observation $observation)
{
$this->authorize('edit', $observation);
return view('mypage');
}
it always return error :- AccessDeniedHttpException This action is unauthorized
The route that i accessed is :- Route::get('/Observation/{id}/edit', 'ObservationController@edit');
回答1:
Looks like you're accepting the wrong parameters in your controller method.
The route you have defined:
Route::get('/Observation/{id}/edit', 'ObservationController@edit');
is going to pass along the $id, but I think the Observation $observation is just making a new instance of the Observation class.
It's happening because Laravel thinks you want to use dependency injection in your controller method:
https://laravel.com/docs/5.5/controllers#dependency-injection-and-controllers
public function edit($id, Observation $observation):
Instead try this in your route:
Route::get('/Observation/{observation}/edit', 'ObservationController@edit');
and this as your method parameters:
public function edit(Observation $observation):
Here we use the build-in feature to do route model binding:
https://laravel.com/docs/5.5/routing#route-model-binding
If you don't want to rely on that magic, you would have to find the actual observation inside your controller method manually, for example $observation = Observation::findOrFail($id);
来源:https://stackoverflow.com/questions/46906101/laravel-authorization-policy-accessdeniedhttpexception-this-action-is-unauthoriz