问题
I read here : https://laravel.com/docs/5.3/authorization#writing-policies
And I tried to like this
My FavoritePolicy is like this :
<?php
namespace App\Policies;
use App\User;
use App\Models\Favorite;
use Illuminate\Auth\Access\HandlesAuthorization;
class FavoritePolicy
{
use HandlesAuthorization;
public function view(User $user, Favorite $favorite)
{
return $user->id === $favorite->user_id;
}
}
My FavoriteController is like this :
<?php
use App\Models\Favorite;
...
class FavoriteController extends ApiController
{
...
public function index(Favorite $favorite)
{
$this->authorize('view', $favorite);
return view('profile.favorite');
}
}
My AuthServiceProvider is like this :
<?php
namespace App\Providers;
use App\Models\Favorite;
use App\Policies\FavoritePolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
protected $policies = [
'App\Model' => 'App\Policies\ModelPolicy',
Favorite::class => FavoritePolicy::class,
];
public function boot()
{
$this->registerPolicies();
}
}
When I run my system to display favorite listing, there exist error like this :
Whoops, looks like something went wrong.
1/1 HttpException in Handler.php line 115: This action is unauthorized.
What the implementation of Authorization Policies is correct?
I try dd($user)
in view method(FavoritePolicy), the result displays user data is being logged. It's true
But I try dd($favorite)
, the result does not display favorite data of the user who is currently logged. Whereas I check on the table, favorite data of the user who is currently logged is exist
How can I solve this problem?
Update
There result of dd($favorite)
:
Favorite {#498 ▼
#fillable: array:3 [▶]
#connection: null
#table: null
#primaryKey: "id"
#keyType: "int"
#perPage: 15
+incrementing: true
+timestamps: true
#attributes: []
#original: []
#relations: []
#hidden: []
#visible: []
#appends: []
#guarded: array:1 [▼
0 => "*"
]
#dates: []
#dateFormat: null
#casts: []
#touches: []
#observables: []
#with: []
+exists: false
+wasRecentlyCreated: false
}
回答1:
Thanks for the additional info in your update!
So, you want to show the detail page of one specific Favorite
entity, but only if the user is the owner of this entity?
Firstly a minor "issue": usually in Laravel the controller method that shows details of a specific entity is called show
, not index
. index
is the name for methods that show a list of entities (in your example: a list of favorites).
Regarding your problem:
Your policy checks if the currently logged in user can view an empty $favorite
(see the dd($favorite)
output in your post update). Which means, that $favorite
is also not set in your index
method.
I guess, you have a route defined similar to this:
Route::get('favorite/{id}', 'FavoriteController@index');
This means, that the value of id
is injected into your index
method as a parameter, but not a Favorite
entity. To query for the Favorite
entity is something you need to do in the method.
So, your method should more look like this:
public function index($favoriteId)
{
$favorite = Favorite::findOrFail($favoriteId);
$this->authorize('view', $favorite);
return view('profile.favorite')->with('favorite', $favorite);
}
Hope that helps! If not, please add a comment!
来源:https://stackoverflow.com/questions/42598826/how-can-i-do-authorization-policies-in-laravel-5-3