'仅授权'资源的特定路径

Posted 2021-04-08

有这种方法authorizeResource()，它将特定的策略应用于所有路由（索引路由除外）。有没有办法仅在特定路由上应用策略，类似于此功能：

Route::resource('photo', 'PhotoController', ['only' => [
    'index', 'show'
]]);

答案

您可以在控制器中实际定义中间件：

public PhotoController extends Controller {
    public function __construct() {
         $this->middleware("can:save,photo")->only(["save","edit"]);   //You get the idea
    }
}

这假设你已经写了一个正确的政策（检查https://laravel.com/docs/5.4/authorization）

另一答案

是的，authorizeResource accepts an $options array as a third parameter。只需传递null作为第二个参数，选项的语法与路由中间件的语法相同。

public function __construct()
{
    $this->authorizeResource(Photo::class, null, [
        'only' => ['create', 'store'],
    ]);
}

另一答案

尽管@jeffPucket在his answer指出，only选项对我没有用。我正在运行Laravel 5.5，其工作原理是逆逻辑：

public function __construct()
{
    $this->authorizeResource(Photo::class, null, [
        'except' => [ 'index', 'show' ],
    ]);
}

请注意，您应该将您不希望应用策略的操作（控制器方法）传递给该选项。在这种情况下，index和show将绕过授权中间件。

仅用于比较，以下是使用每个选项时php artisan route:list的结果：

只要

+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| Domain | Method    | URI                    | Name            | Action                                         | Middleware                                       |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
|        | POST      | comment                | comment.store   | AppHttpControllersCommentController@store   | web,auth,can:create,AppHttpControllersComment |
|        | GET|HEAD  | comment                | comment.index   | AppHttpControllersCommentController@index   | web,auth,can:view,AppHttpControllersComment   |
|        | GET|HEAD  | comment/create         | comment.create  | AppHttpControllersCommentController@create  | web,auth,can:create,AppHttpControllersComment |
|        | GET|HEAD  | comment/{comment}      | comment.show    | AppHttpControllersCommentController@show    | web,auth,can:view,comment                        |
|        | PUT|PATCH | comment/{comment}      | comment.update  | AppHttpControllersCommentController@update  | web,auth,can:update,comment                      |
|        | DELETE    | comment/{comment}      | comment.destroy | AppHttpControllersCommentController@destroy | web,auth,can:delete,comment                      |
|        | GET|HEAD  | comment/{comment}/edit | comment.edit    | AppHttpControllersCommentController@edit    | web,auth,can:update,comment                      |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+

除了

+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| Domain | Method    | URI                    | Name            | Action                                         | Middleware                                       |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
|        | POST      | comment                | comment.store   | AppHttpControllersCommentController@store   | web,auth,can:create,AppHttpControllersComment |
|        | GET|HEAD  | comment                | comment.index   | AppHttpControllersCommentController@index   | web,auth                                         |
|        | GET|HEAD  | comment/create         | comment.create  | AppHttpControllersCommentController@create  | web,auth,can:create,AppHttpControllersComment |
|        | GET|HEAD  | comment/{comment}      | comment.show    | AppHttpControllersCommentController@show    | web,auth                                         |
|        | PUT|PATCH | comment/{comment}      | comment.update  | AppHttpControllersCommentController@update  | web,auth,can:update,comment                      |
|        | DELETE    | comment/{comment}      | comment.destroy | AppHttpControllersCommentController@destroy | web,auth,can:delete,comment                      |
|        | GET|HEAD  | comment/{comment}/edit | comment.edit    | AppHttpControllersCommentController@edit    | web,auth,can:update,comment                      |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+

如您所见，中间件仅在使用except时应用于特定路由。

也许这是框架中的一个错误。但很难确认，因为这个选项似乎没有记录。甚至关于authorizeResource()方法的细节也不存在。