
What is the purpose of the authorize method in a Request class in Laravel?

I am a bit confused today about my website security and some extra code that is written to make the website secure. Below are the 2 locations where security is applied.

Inside the route config, to secure the route, I have used middleware to check the user role.

Route::group(['middleware' => ['web', 'SuperAdmin', 'auth']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

I mentioned 2 middlewares.

  1. Auth middleware: this is for authentication.
  2. SuperAdmin middleware: this is for authorization.

The second location is the Request class. Here is the code. In the authorize method, the same thing is checked again that was already done in the route.

class DepartmentRequest extends Request
{
    public function authorize()
    {
        if(\Auth::user() == null) {
            return false;
        }
        if(\Auth::user()->isSuperAdmin()) {
            return true;
        }
        return false;
    }

    public function rules()
    {
        return [
            'Department' => 'required',
        ];
    }
}

Question: Should I remove the check in the Request class? Is that an unwanted validation to secure the request, as route.config is already doing the job?

What's the use of the authorize method? I mean, I am using the Request class to validate form inputs. Should I always return true from the authorize method?

Yes, you should remove those checks in the Request class: if you're already doing those checks in your middleware, you should not repeat them.

When you specify this:

Route::group(['middleware' => ['web', 'SuperAdmin']], function () {
    Route::get('/Create-Department', 'DepartmentController@CreateDepartment');
});

You're telling Laravel that, when it finds a /Create-Department route, it should trigger the handle method of these middleware: ['web', 'SuperAdmin'], before the request is sent to the DepartmentController.

So, if you check for authentication and authorization in the middlewares, when the request gets to your controller you're sure that it has satisfied all the middleware it went through.

Regarding the purpose of the authorize method: the authorize method is usually used to authorize the actual request based on some policy you'd like to respect. For example, if you have a request to edit a Post model, in the authorize method you'd check that the specific user trying to edit the post has the permissions to do it (for example, being the author of the post).

EDIT

Even if you want to use a middleware for your authorization, it's fine. Anyhow, usually the authorize method within form requests is used to do authorization checks on the specific request.

For instance, check this example from the docs:

public function authorize()
{
    $postId = $this->route('post');

    // here the authorization to edit the post is checked through the Gate facade
    return Gate::allows('update', Post::findOrFail($postId));
}

In conclusion: if you're doing your authentication and authorization tasks in middlewares, you don't need to repeat them in the authorize method, but keep in mind that the native purpose of the method is to authorize the specific request.
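The split the answer describes, as an added example that is not code from the question or the answer: route middleware ('auth', 'SuperAdmin') decides whether the caller may reach the route at all, while authorize() decides whether this user may act on this particular Post. The Post model with a user_id column, the PostPolicy (assumed registered or auto-discovered), and the isSuperAdmin() method from the question's own code are assumptions.

```php
<?php
// Added example (not from the question or the answer). Per-resource
// authorization lives in authorize(); the coarse role check stays in
// the route middleware. Class names and the user_id column are assumed.

namespace App\Policies {
    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        // Per-object rule: the author, or a super admin, may update a post.
        // isSuperAdmin() is the User method used in the question's code.
        public function update(User $user, Post $post): bool
        {
            return $user->id === $post->user_id || $user->isSuperAdmin();
        }
    }
}

namespace App\Http\Requests {
    use App\Models\Post;
    use Illuminate\Foundation\Http\FormRequest;

    class UpdatePostRequest extends FormRequest
    {
        public function authorize(): bool
        {
            // With route-model binding this is a Post; without it, the raw id.
            $post = $this->route('post');
            if (! $post instanceof Post) {
                $post = Post::findOrFail($post); // unknown id -> 404, never "true"
            }

            // Delegates to PostPolicy::update(). A null user (route without the
            // 'auth' middleware) is denied instead of raising an error.
            return $this->user()?->can('update', $post) ?? false;
        }

        public function rules(): array
        {
            return [
                'title' => ['required', 'string', 'max:120'],
                'body'  => ['required', 'string'],
            ];
        }
    }
}
```

When authorize() returns false, Laravel responds with HTTP 403, so a logged-in user who passed the 'auth' middleware but is not the post's author is stopped here rather than in the controller.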
