Restricting access of a specific user to POST, DELETE, PATCH, PUT


Title: Restricting access of a specific user to POST, DELETE, PATCH, PUT
Posted: 2018-09-17 22:42:38

Question:

I have installed Laravel 5.6.

I want to give a demo account to one user who cannot insert or update anything and can only view everything.

I don't have a set of roles in my system. I just want to hard-code a user id somewhere and restrict these operations.

I searched for many different approaches (https://laracasts.com/discuss/channels/laravel/protecting-route-for-specific-user), which go far beyond what I need. I just want to restrict this functionality to a specific user across the whole site.

+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
| Domain | Method    | URI                                                   | Name                            | Action                                                                             | Middleware                                       |
+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
|        | GET|HEAD  | /                                                     |                                 | Closure                                                                            | web                                              |
|        | GET|HEAD  | _debugbar/assets/javascript                           | debugbar.assets.js              | Barryvdh\Debugbar\Controllers\AssetController@js                                   | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/assets/stylesheets                          | debugbar.assets.css             | Barryvdh\Debugbar\Controllers\AssetController@css                                  | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | DELETE    | _debugbar/cache/key/tags?                         | debugbar.cache.delete           | Barryvdh\Debugbar\Controllers\CacheController@delete                               | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/clockwork/id                              | debugbar.clockwork              | Barryvdh\Debugbar\Controllers\OpenHandlerController@clockwork                      | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/open                                        | debugbar.openhandler            | Barryvdh\Debugbar\Controllers\OpenHandlerController@handle                         | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | api/user                                              |                                 | Closure                                                                            | api,auth:api                                     |
|        | GET|HEAD  | giris                                                 |                                 | Closure                                                                            | web                                              |
|        | GET|HEAD  | horizon/api/jobs/failed                               | horizon.failed-jobs.index       | Laravel\Horizon\Http\Controllers\FailedJobsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/jobs/failed/id                          | horizon.failed-jobs.show        | Laravel\Horizon\Http\Controllers\FailedJobsController@show                         | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/jobs/recent                               | horizon.recent-jobs.index       | Laravel\Horizon\Http\Controllers\RecentJobsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | POST      | horizon/api/jobs/retry/id                           | horizon.retry-jobs.show         | Laravel\Horizon\Http\Controllers\RetryController@store                             | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/masters                                   | horizon.masters.index           | Laravel\Horizon\Http\Controllers\MasterSupervisorController@index                  | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/jobs                              | horizon.jobs-metrics.index      | Laravel\Horizon\Http\Controllers\JobMetricsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/jobs/id                         | horizon.jobs-metrics.show       | Laravel\Horizon\Http\Controllers\JobMetricsController@show                         | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/queues                            | horizon.queues-metrics.index    | Laravel\Horizon\Http\Controllers\QueueMetricsController@index                      | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/queues/id                       | horizon.queues-metrics.show     | Laravel\Horizon\Http\Controllers\QueueMetricsController@show                       | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | POST      | horizon/api/monitoring                                | horizon.monitoring.store        | Laravel\Horizon\Http\Controllers\MonitoringController@store                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/monitoring                                | horizon.monitoring.index        | Laravel\Horizon\Http\Controllers\MonitoringController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/monitoring/tag                          | horizon.monitoring-tag.paginate | Laravel\Horizon\Http\Controllers\MonitoringController@paginate                     | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | DELETE    | horizon/api/monitoring/tag                          | horizon.monitoring-tag.destroy  | Laravel\Horizon\Http\Controllers\MonitoringController@destroy                      | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/stats                                     | horizon.stats.index             | Laravel\Horizon\Http\Controllers\DashboardStatsController@index                    | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/workload                                  | horizon.workload.index          | Laravel\Horizon\Http\Controllers\WorkloadController@index                          | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/view?                                       | horizon.index                   | Laravel\Horizon\Http\Controllers\HomeController@index                              | web,Laravel\Horizon\Http\Middleware\Authenticate |


Answer 1:

The fastest way is to create a simple middleware in which you abort if it is that specific user.

To create the middleware you can use the artisan command make:middleware

php artisan make:middleware LimitUserIdX

In the newly created file (app/Http/Middleware/LimitUserIdX.php) you can check whether the authenticated user id is X and, if it is, abort with error code 403 (permission denied), like this:

    use Closure;
    use Illuminate\Support\Facades\Auth;

    public function handle($request, Closure $next)
    {
        // Id of the currently authenticated user (null when nobody is logged in)
        $userId = Auth::id();
        if ($userId == 5) {
            abort(403);
        }

        return $next($request);
    }

Change 5 to the user you want to restrict.


Edit: I misunderstood the question; here is a correction.

You should add the newly created middleware to Laravel's global middleware list. Just go to App/Http/Kernel.php and add the class to the $middleware var. This will make Laravel run the middleware on every HTTP request to the application (no need to add it to each route definition).

Then you also need to edit the middleware itself to check the request's method before aborting, like this:

    use Closure;
    use Illuminate\Support\Facades\Auth;

    public function handle($request, Closure $next)
    {
        $userId = Auth::id();
        // Only block state-changing methods (POST, PUT, PATCH, DELETE) for that user
        if ($request->method() != "GET" && $request->method() != "HEAD" && $userId == 5) {
            abort(403);
        }

        return $next($request);
    }

Comments:

I think this will also restrict access to GET? I just want them not to insert or update. They can access any page.

You can put the middleware on the routes you want to restrict. If it's unclear, please share your route code.

I added it to the original question. However, I don't want to add restrictions to specific routes; I just want to say that for a specific user the POST, DELETE, PATCH, PUT methods will be disabled.

I tried this, but I can still insert anything. Should I add this middleware somewhere so the system can discover it, or is it discovered automatically?

In Kernel.php -> protected $middleware I added \App\Http\Middleware\LimitDemoUser::class, and at the top of the middleware I added use Illuminate\Support\Facades\Auth; but userId is null
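The following is an added example, not the answer author's code, showing a complete read-only middleware for a demo account on Laravel 5.6. The class name ReadOnlyDemoUser and the demo user id 5 are assumptions for illustration. It reads the user from the request rather than through the Auth facade, and it treats every method except GET, HEAD and OPTIONS as a write:

```php
<?php
// app/Http/Middleware/ReadOnlyDemoUser.php (hypothetical file name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ReadOnlyDemoUser
{
    /** Hard-coded ids of demo accounts; sample value, not taken from the question. */
    private const DEMO_USER_IDS = [5];

    /** Request methods that must not change server state. */
    private const READ_ONLY_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public function handle(Request $request, Closure $next)
    {
        // The user is resolved from the session by the middleware in the "web"
        // group (StartSession etc.). In the global $middleware stack that has not
        // run yet, so the user is null there, which is why userId came back
        // empty in the discussion above.
        $user = $request->user();

        // Deny-list the write methods instead of allow-listing GET: $request->method()
        // honours Laravel's _method form field and X-HTTP-Method-Override header, so a
        // POST carrying _method=DELETE is correctly seen as DELETE here.
        if ($user !== null
            && in_array((int) $user->getAuthIdentifier(), self::DEMO_USER_IDS, true)
            && ! in_array($request->method(), self::READ_ONLY_METHODS, true)) {
            abort(403, 'Demo account is read-only.');
        }

        return $next($request);
    }
}
```

Register it at the end of the `web` array in `$middlewareGroups` in app/Http/Kernel.php (after StartSession), not in the global `$middleware` array: global middleware runs before the session is started, so session-based authentication has not identified the user yet and the check silently passes. For token-authenticated routes in the `api` group, resolve the user with the guard that group uses, e.g. `$request->user('api')`. A 403 from this middleware on a POST/PUT/PATCH/DELETE request is the expected signal in the access log that the demo account attempted a write.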
