[英]Most effective way of protecting a view in Laravel 4.2?
So, it seems the question was a bit confused regarding authentication and password. 因此,似乎这个问题对于身份验证和密码有些困惑。 I'll clarify it.
我会澄清。
In my app, any authenticated user may create a team and be its captain . 在我的应用中,任何经过身份验证的用户都可以创建团队并成为其队长 。 But during that process they're prompted to define a team-password that must be used to EDIT the team's information, such as avatar, e-mail, members, etc.
但是在此过程中,系统会提示他们定义一个团队密码 ,该密码必须用于编辑团队信息,例如头像,电子邮件,成员等。
Therefore, I need to make the edition view accessible ONLY to the captain of that team and IF he has the correct team-password . 因此,我需要使版本视图仅可供该团队的队长访问,并且前提是他具有正确的团队密码 。 What I meant about "authenticating" is checking both if that user is the captain and if the team-password is the team's password (
$team->password
) in the database. 我所说的“身份验证”是指检查该用户是否是队长,以及团队密码是否是数据库中团队的密码(
$team->password
)。 This has nothing to do with Sentry-authenticated users. 这与经过Sentry认证的用户无关。 Sorry about that.
对于那个很抱歉。
Hence, I need to protect that team's edition from any other user that may try to access it. 因此,我需要保护该团队的版本不受可能尝试访问它的任何其他用户的影响。 Hope it's clear now.
希望现在清楚了。
I have a view that is supposed to be seen only by a specific user and only if he enters the correct password (as in a personal info edit page or something like that). 我认为只有特定用户才能看到该视图,并且只有他输入正确的密码(例如在个人信息编辑页面或类似的内容中)时,才能看到该视图。 Therefore, that view needs to be protected from malicious attacks even though its route is set to GET.
因此,即使该视图的路由设置为GET,也需要保护该视图免受恶意攻击。
I've tried two ways of doing that but none worked. 我尝试了两种方法,但没有一种有效。
@if
clause to display the view only if this is the right user. @if
子句显示视图。 (DID NOT WORK: the password needs to be sent through a form. It's not the user's password, so I can't access it via Auth::User()
or Sentry::getUser()
inside the view.) Auth::User()
或Sentry::getUser()
访问它。) So my question is: is there a simpler way of accomplishing that? 所以我的问题是:是否有更简单的方法来实现? What is the most used or best way of doing it?
什么是最常用或最好的方法? It's my first real app using Laravel so I'm not experienced with these things yet.
这是我第一个使用Laravel的真实应用程序,因此我对这些东西还没有经验。
Thanks in advance! 提前致谢!
i remember your last question but since you didn't give the update, i also couldn't post anything. 我记得您的最后一个问题,但由于您未提供最新信息,所以我也无法发布任何内容。 None the less, you are making it complicated than it is.
但是,您正在使它变得复杂。
Route.php Route.php
Route::get('login', 'LoginController@getLogin');
Route::post('login', 'LoginController@postLogin');
Route::group(['before' => 'authentication'], function(){
Route::get('profile' => 'ProfileController@profile');
//All protected routes here
});
what i did here is, i create a filter authentication
which will be run against all the routes inside the group. 我在这里所做的是,我创建了一个过滤器
authentication
,该authentication
将针对组内的所有路由运行。
now, let's define the filter. 现在,让我们定义过滤器。
Route::filter('authentication', function()
{
if ( ! Sentry::check())
{
return Redirect::action('LoginController@getLogin');
}
});
this is just a simple filter which will check if the user is logged in or not. 这只是一个简单的过滤器,它将检查用户是否已登录。 If the user is not logged in, it will redirect the user to the
login
route where the form will be served. 如果用户未登录,它将把用户重定向到将提供该表单的
login
路由。
Controller: 控制器:
public function getLogin()
{
if(Sentry::check())
{
return Redirect::action('ProfileController@profile');
}
return View::make('login');
}
public function postLogin()
{
//put the validation rules here and validate. as far as i remember, you know how to do it.
if($validator->passes())
{
try
{
// Login credentials
$credentials = array(
'email' => 'john.doe@example.com',
'password' => 'password',
);
// Authenticate the user
$user = Sentry::authenticate($credentials, false);
return Redirect::action('ProfileController@profile');
}
catch (Cartalyst\Sentry\Users\LoginRequiredException $e)
{
echo 'Login field is required.';
}
catch (Cartalyst\Sentry\Users\PasswordRequiredException $e)
{
echo 'Password field is required.';
}
catch (Cartalyst\Sentry\Users\WrongPasswordException $e)
{
echo 'Wrong password, try again.';
}
catch (Cartalyst\Sentry\Users\UserNotFoundException $e)
{
echo 'User was not found.';
}
catch (Cartalyst\Sentry\Users\UserNotActivatedException $e)
{
echo 'User is not activated.';
}
// The following is only required if the throttling is enabled
catch (Cartalyst\Sentry\Throttling\UserSuspendedException $e)
{
echo 'User is suspended.';
}
catch (Cartalyst\Sentry\Throttling\UserBannedException $e)
{
echo 'User is banned.';
}
}
}
in the catch block, take the required action. 在catch块中,执行所需的操作。 eg if you want to redirect to the login from with the error, then add the error to the message bag (if you don't know how to, then click here for details) and redirect to the login form.
例如,如果您想从中将错误重定向到登录名,则将错误添加到消息袋中(如果您不知道如何操作, 请单击此处以获取详细信息)并重定向到登录表单。
or, if it is an ajax data, you can return the errors as json and then parse them in client side while showing an error message on ajax failure. 或者,如果它是ajax数据,则可以将错误作为json返回,然后在客户端解析它们,同时在ajax失败时显示错误消息。
if the user is not logged in, then accessing all those protected routes will evoke a redirect and the user will be redirected to the login form. 如果用户未登录,则访问所有那些受保护的路由将引起重定向,并且用户将被重定向到登录表单。 After successful login, he will be redirected to his profile page.
成功登录后,他将被重定向到他的个人资料页面。 On the other hand, if a logged in user tries to goto the login form, then he will be redirected to the profile page because a logged in user should not see the login form.
另一方面,如果已登录的用户尝试转到登录表单,则由于已登录的用户不应看到该登录表单,因此该用户将被重定向到个人资料页面。
it is easier than you think. 它比您想象的要容易。
pseudocode. 伪代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.