[英]Guest users in laravel authorization policies
I use policies for user authorization.我使用用户授权策略。 How to use policies for guest users?
如何使用来宾用户的策略?
Here is my code:这是我的代码:
In controller:在控制器中:
class PostController extends Controller
{
public function index(Post $post)
{
$this->authorize($post);
return $post->all();
}
}
In policy:在政策方面:
class PostPolicy
{
// This function executes only for authenticated users.
// I want to use it for guest users too
public function index(User $user)
{
return $user->can('get-posts');
}
}
First make a new service provider:首先创建一个新的服务提供者:
php artisan make:provider GuestServiceProvider
Then edit GuestServiceProvider.php with this:然后使用以下内容编辑 GuestServiceProvider.php:
public function boot()
{
// Laravel policies only work if the user isn't null so for guest access we need to assign a dummpy user.
// From now on to check for guest use is_null(Auth::user()->getKey())
if(!Auth::check()) {
$userClass = config('auth.providers.users.model');
Auth::setUser(new $userClass());
}
}
Now Policies will work for guest users and in your policy you can check for the guest by doing:现在策略将适用于来宾用户,在您的策略中,您可以通过执行以下操作来检查来宾:
if(is_null(Auth::user()->getKey())){
// it's a guest
}
Which essentially means if the user doesn't have an id then its not a real user, hence must be a guest.这实质上意味着如果用户没有 id 则它不是真正的用户,因此必须是访客。
Laravel 5.7 now has this feature built in (with PHP >=7.1) See the docs on the new Gate . Laravel 5.7 现在内置了此功能(PHP >=7.1)请参阅新 Gate 上的文档。 For anyone using older versions, here is my solution.
对于使用旧版本的任何人,这是我的解决方案。 Make a small helper to use the
authorizeForUser
method on Illuminate\\Foundation\\Auth\\Access\\AuthorizesRequests
.创建一个小助手来使用
Illuminate\\Foundation\\Auth\\Access\\AuthorizesRequests
上的authorizeForUser
方法。 It leaves all native functionality intact.它使所有本机功能完好无损。 Extend your controller:
扩展您的控制器:
use App\User;
public function authorizeAnyone($ability, $arguments = []) {
list($ability, $arguments) = $this->parseAbilityAndArguments($ability, $arguments);
return $this->authorizeForUser( auth()->user() ?? new User(), $ability, $arguments);
}
Then wherever you want the possibility of checking your policy against a guest, use然后,无论您想在何处检查针对客人的政策的可能性,请使用
$this->authorizeAnyone();
instead of而不是
$this->authorize();
If you don't want to extend your controller, you can also call (for example):如果你不想扩展你的控制器,你也可以调用(例如):
$this->authorizeForUser( auth()->user() ?? new User, 'index', $post );
In your PostPolicy change this在您的 PostPolicy 更改此
class PostPolicy{
// This function executes only for authenticated users.
// I want to use it for guest users too
public function index(User $user)
{
return $user->can('get-posts');
}
}
to:到:
class PostPolicy{
// This function executes only for authenticated users.
// I want to use it for guest users too
public function index(?User $user)
{
return $user->can('get-posts');
}
}
I think the simpliest way is to protect with Auth middleware.我认为最简单的方法是使用 Auth 中间件进行保护。 or check if user is authenticated in policy
或检查用户是否在策略中通过身份验证
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.