I created a URL for editing the logged-in user's data. These are my routes:

```php
Route::get('/admin/create/user', [UserController::class, 'createUser'])->name('create.user');
Route::post('/admin/store/user', [UserController::class, 'storeUser'])->name('store.user');
Route::get('/admin/edit/user/{user_id}', [UserController::class, 'editUser'])->name('edit.user');
```

When a user clicks the edit button, they get this URL:

http://127.0.0.1:8000/admin/edit/user/160

If that user types 162 instead, they can see another user's data!

How can I encrypt the user ID so that nobody can see other users' data?

Here is the code of my controller:
```php
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Mail\UserActivatedEmail;
use App\Mail\UserBlockedEmail;
use Illuminate\Http\Request;
use App\Models\Role;
use App\Models\User;
use App\Models\Division;
use App\Models\District;
use App\Models\BloodGroup;
use App\Models\SscBoard;
use App\Models\Occupation;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Intervention\Image\Facades\Image;
use Xenon\LaravelBDSms\Facades\SMS;
use Xenon\LaravelBDSms\Provider\AjuraTech;
use Xenon\LaravelBDSms\Sender;

class UserController extends Controller
{
    public function storeUser(Request $request) {
        $request->validate([
            'role_id' => 'required',
            'name' => 'required',
            // rules for one field must be a single string or an array, not separate array entries
            'email' => ['required', 'string', 'email', 'max:255', 'unique:users'],
        ]);
        $image = $request->file('profile_photo');
        if ($image) {
            $name_gen = uniqid() . '.' . $image->getClientOriginalExtension();
            Image::make($image)->save('backend/images/users/' . $name_gen);
            $save_url = 'backend/images/users/' . $name_gen;
            User::insert([
                'role_id' => $request->role_id,
                'name' => $request->name,
                'email' => $request->email,
                'phone' => $request->phone,
                'gender' => $request->gender,
                'occupation' => $request->occupation,
                'blood_group_id' => $request->blood_group_id,
                'ssc_year' => $request->ssc_year,
                'ssc_board_id' => $request->ssc_board_id,
                'ssc_role' => $request->ssc_role,
                'ssc_registration_no' => $request->ssc_registration_no,
                'present_division_id' => $request->present_division_id,
                'present_district_id' => $request->present_district_id,
                'present_address' => $request->present_address,
                'permanent_division_id' => $request->permanent_division_id,
                'permanent_district_id' => $request->permanent_district_id,
                'permanent_address' => $request->permanent_address,
                'description' => $request->description,
                'facebok' => $request->facebok,
                'password' => Hash::make($request->password),
                'profile_photo' => $save_url,
                'created_at' => Carbon::now(),
            ]);
        } else {
            User::insert([
                'role_id' => $request->role_id,
                'name' => $request->name,
                'email' => $request->email,
                'phone' => $request->phone,
                'gender' => $request->gender,
                'occupation' => $request->occupation,
                'blood_group_id' => $request->blood_group_id,
                'ssc_year' => $request->ssc_year,
                'ssc_board_id' => $request->ssc_board_id,
                'ssc_role' => $request->ssc_role,
                'ssc_registration_no' => $request->ssc_registration_no,
                'present_division_id' => $request->present_division_id,
                'present_district_id' => $request->present_district_id,
                'present_address' => $request->present_address,
                'permanent_division_id' => $request->permanent_division_id,
                'permanent_district_id' => $request->permanent_district_id,
                'permanent_address' => $request->permanent_address,
                'description' => $request->description,
                'facebok' => $request->facebok,
                'password' => Hash::make($request->password),
                'created_at' => Carbon::now(),
            ]);
        }
        $notification = [
            'message' => 'User Created Successfully',
            'alert-type' => 'success'
        ];
        return redirect()->route('all.users')->with($notification);
    }

    public function editUser($user_id) {
        $roles = Role::all();
        $alldivisions = Division::get();
        $alldistricts = District::get();
        $allpdivisions = Division::get();
        $allpdistricts = District::get();
        $bgroups = BloodGroup::get();
        $sscboards = SscBoard::get();
        $ocupations = Occupation::get();
        // loads whatever id is in the URL; nothing ties it to the logged-in user
        $editUser = User::findOrFail($user_id);
        return view('admin.users.edit', compact('roles', 'editUser', 'ocupations', 'alldivisions', 'alldistricts', 'allpdivisions', 'allpdistricts', 'bgroups', 'sscboards'));
    }

    public function updateUser(Request $request) {
        $user_id = $request->id;
        $image = $request->file('profile_photo');
        $oldimage = $request->oldimage;
        $userToEdit = User::findOrFail($user_id);
        if ($image) {
            $name_gen = uniqid() . '.' . $image->getClientOriginalExtension();
            Image::make($image)->save('backend/images/users/' . $name_gen);
            $save_url = 'backend/images/users/' . $name_gen;
            if ($oldimage) {
                unlink($oldimage);
            }
            $user = User::findOrFail($user_id);
            $user->role_id = $request->role_id;
            $user->name = $request->name;
            $user->email = $request->email;
            $user->phone = $request->phone;
            $user->gender = $request->gender;
            $user->occupation = $request->occupation;
            $user->blood_group_id = $request->blood_group_id;
            $user->ssc_year = $request->ssc_year;
            $user->ssc_board_id = $request->ssc_board_id;
            $user->ssc_role = $request->ssc_role;
            $user->ssc_registration_no = $request->ssc_registration_no;
            $user->present_division_id = $request->present_division_id;
            $user->present_district_id = $request->present_district_id;
            $user->present_address = $request->present_address;
            $user->permanent_division_id = $request->permanent_division_id;
            $user->permanent_district_id = $request->permanent_district_id;
            $user->permanent_address = $request->permanent_address;
            $user->description = $request->description;
            $user->facebok = $request->facebok;
            $user->profile_photo = $save_url;
            //$user->save();
            $this->authorize('save', $userToEdit);
        } else {
            $user = User::findOrFail($user_id);
            $user->role_id = $request->role_id;
            $user->name = $request->name;
            $user->email = $request->email;
            $user->phone = $request->phone;
            $user->gender = $request->gender;
            $user->occupation = $request->occupation;
            $user->blood_group_id = $request->blood_group_id;
            $user->ssc_year = $request->ssc_year;
            $user->ssc_board_id = $request->ssc_board_id;
            $user->ssc_role = $request->ssc_role;
            $user->ssc_registration_no = $request->ssc_registration_no;
            $user->present_division_id = $request->present_division_id;
            $user->present_district_id = $request->present_district_id;
            $user->present_address = $request->present_address;
            $user->permanent_division_id = $request->permanent_division_id;
            $user->permanent_district_id = $request->permanent_district_id;
            $user->permanent_address = $request->permanent_address;
            $user->description = $request->description;
            $user->facebok = $request->facebok;
            $user->profile_photo = $oldimage;
            //$user->save();
            $this->authorize('save', $userToEdit);
        }
        $notification = [
            'message' => 'User Updated Successfully',
            'alert-type' => 'success'
        ];
        return redirect()->back()->with($notification);
    }
}
```
Instead of encryption, you should restrict data accessibility. Meaning, you only allow User A to access his/her own data. If a user tries to access someone else's data, you should deny access.

Create a Middleware to cross-check the current user:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class CurrentUserOnly
{
    public function handle(Request $request, Closure $next): Response
    {
        $currentUserId = Auth::id();
        // {user_id} is a route parameter, so read it from the route, not from the query string
        $requestedUserId = $request->route('user_id');

        // Check the requestedUserId is identical to current user's Id.
        // Route parameters arrive as strings while Auth::id() is an int, so compare as strings.
        if ((string) $currentUserId !== (string) $requestedUserId) {
            // Access denied
            abort(403);
        }

        return $next($request);
    }
}
```

Add the Middleware to your Routes:

```php
Route::get('/admin/edit/user/{user_id}', [UserController::class, 'editUser'])
    ->middleware(CurrentUserOnly::class)
    ->name('edit.user');
```

Add your auth middleware before the CurrentUserOnly middleware, so that Auth::user() is not NULL for unauthenticated requests.
Although I recommend reading up on authorization and Laravel Gates/Policies, for a simple and quick solution you can use the abort function. This function throws an exception, which stops the request from going any further.

```php
public function updateUser(Request $request) {
    abort_if(auth()->id() != $request->route('user_id'), 401);
    ...
}
```
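The two answers above check ownership by hand in a middleware or with abort_if. As an added example that is not part of the question or either answer, here is the Gates/Policies route the second answer points to: a UserPolicy, the two controller methods rewritten around route model binding, and the routes guarded by auth plus the policy. The policy name, auto-discovery of App\Policies\UserPolicy for App\Models\User, the can: route middleware and the AuthorizesRequests trait are Laravel's own; the update route (PUT /admin/update/user/{user}, name update.user) and the validated field list are my assumptions, since the question shows no update route. One caveat the question's code makes visible: updateUser copies role_id straight from the request into the user, so once a user is allowed to edit their own record they could also change their own role. The example therefore whitelists profile fields only.

```php
<?php
// Added example (not from the question or either answer): enforce "only your own record"
// with a Laravel Policy instead of comparing ids by hand in every controller method.

// ---- app/Policies/UserPolicy.php ----
// Laravel auto-discovers App\Policies\UserPolicy for App\Models\User; no manual registration.
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    /** The logged-in $actor may edit only their own record. Both ids are ints from the DB. */
    public function update(User $actor, User $target): bool
    {
        return $actor->id === $target->id;
    }
}

// ---- app/Http/Controllers/Admin/UserController.php (only the two methods) ----
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests; // provides $this->authorize()
use Illuminate\Http\Request;

class UserController extends Controller
{
    use AuthorizesRequests;

    // Route model binding: {user} in the route is resolved to a User (404 if the id does not exist).
    public function editUser(User $user)
    {
        // Throws AuthorizationException (rendered as HTTP 403) unless UserPolicy::update() is true.
        $this->authorize('update', $user);

        return view('admin.users.edit', ['editUser' => $user]);
    }

    public function updateUser(Request $request, User $user)
    {
        $this->authorize('update', $user);

        // Whitelist of fields a user may change about themselves (assumed list; extend as needed).
        // role_id is deliberately absent: taking it from the request would let a user promote themselves.
        $data = $request->validate([
            'name'            => ['required', 'string', 'max:255'],
            'email'           => ['required', 'email', 'max:255', 'unique:users,email,' . $user->id],
            'phone'           => ['nullable', 'string', 'max:32'],
            'present_address' => ['nullable', 'string', 'max:255'],
        ]);

        // fill() only writes columns listed in User::$fillable, a second guard against stray fields.
        $user->fill($data)->save();

        return redirect()->back()->with([
            'message'    => 'User Updated Successfully',
            'alert-type' => 'success',
        ]);
    }
}

// ---- routes/web.php ----
namespace App\Http;

use App\Http\Controllers\Admin\UserController;
use Illuminate\Support\Facades\Route;

// auth first, so the policy always receives a non-null user.
Route::middleware('auth')->group(function () {
    // The parameter name {user} must match the type-hinted $user for model binding.
    Route::get('/admin/edit/user/{user}', [UserController::class, 'editUser'])
        ->name('edit.user');

    // Same policy check, enforced at the routing layer before the controller runs (assumed route).
    Route::put('/admin/update/user/{user}', [UserController::class, 'updateUser'])
        ->middleware('can:update,user')
        ->name('update.user');
});
```

With this in place, GET /admin/edit/user/162 from user 160 returns 403 from the policy rather than another user's edit form, and the same rule is reused by the update route without a second hand-written comparison. When an administrator should also be able to edit anyone, put that branch in UserPolicy::update (for example, checking the actor's role) so the exception lives in one place.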