有这种方法authorizeResource(),它将特定的策略应用于所有路由(索引路由除外)。有没有办法仅在特定路由上应用策略,类似于此功能:
Route::resource('photo', 'PhotoController', ['only' => [
'index', 'show'
]]);
您可以在控制器中实际定义中间件:
public PhotoController extends Controller {
public function __construct() {
$this->middleware("can:save,photo")->only(["save","edit"]); //You get the idea
}
}
这假设你已经写了一个正确的政策(检查https://laravel.com/docs/5.4/authorization)
是的,authorizeResource accepts an $options array as a third parameter。只需传递null作为第二个参数,选项的语法与路由中间件的语法相同。
public function __construct()
{
$this->authorizeResource(Photo::class, null, [
'only' => ['create', 'store'],
]);
}
尽管@jeffPucket在his answer指出,only选项对我没有用。我正在运行Laravel 5.5,其工作原理是逆逻辑:
public function __construct()
{
$this->authorizeResource(Photo::class, null, [
'except' => [ 'index', 'show' ],
]);
}
请注意,您应该将您不希望应用策略的操作(控制器方法)传递给该选项。在这种情况下,index和show将绕过授权中间件。
仅用于比较,以下是使用每个选项时php artisan route:list的结果:
只要
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| Domain | Method | URI | Name | Action | Middleware |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| | POST | comment | comment.store | App\Http\Controllers\CommentController@store | web,auth,can:create,App\Http\Controllers\Comment |
| | GET|HEAD | comment | comment.index | App\Http\Controllers\CommentController@index | web,auth,can:view,App\Http\Controllers\Comment |
| | GET|HEAD | comment/create | comment.create | App\Http\Controllers\CommentController@create | web,auth,can:create,App\Http\Controllers\Comment |
| | GET|HEAD | comment/{comment} | comment.show | App\Http\Controllers\CommentController@show | web,auth,can:view,comment |
| | PUT|PATCH | comment/{comment} | comment.update | App\Http\Controllers\CommentController@update | web,auth,can:update,comment |
| | DELETE | comment/{comment} | comment.destroy | App\Http\Controllers\CommentController@destroy | web,auth,can:delete,comment |
| | GET|HEAD | comment/{comment}/edit | comment.edit | App\Http\Controllers\CommentController@edit | web,auth,can:update,comment |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
除了
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| Domain | Method | URI | Name | Action | Middleware |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
| | POST | comment | comment.store | App\Http\Controllers\CommentController@store | web,auth,can:create,App\Http\Controllers\Comment |
| | GET|HEAD | comment | comment.index | App\Http\Controllers\CommentController@index | web,auth |
| | GET|HEAD | comment/create | comment.create | App\Http\Controllers\CommentController@create | web,auth,can:create,App\Http\Controllers\Comment |
| | GET|HEAD | comment/{comment} | comment.show | App\Http\Controllers\CommentController@show | web,auth |
| | PUT|PATCH | comment/{comment} | comment.update | App\Http\Controllers\CommentController@update | web,auth,can:update,comment |
| | DELETE | comment/{comment} | comment.destroy | App\Http\Controllers\CommentController@destroy | web,auth,can:delete,comment |
| | GET|HEAD | comment/{comment}/edit | comment.edit | App\Http\Controllers\CommentController@edit | web,auth,can:update,comment |
+--------+-----------+------------------------+-----------------+------------------------------------------------+--------------------------------------------------+
如您所见,中间件仅在使用except时应用于特定路由。
也许这是框架中的一个错误。但很难确认,因为这个选项似乎没有记录。甚至关于authorizeResource()方法的细节也不存在。