鉴于我是 CakePHP 的新手,我忍不住注意到授权中明显的失败。再次,继续CMS Tutorial当我添加授权代码并以 user1 身份登录到文章/添加页面时,一切都很好。然后,我从下拉列表中选择了用户(在运行 cake Baake allarticles
命令并按照教程重新修改 ArticlesController.php 且不修改“.ctp 文件”之后),用户 ID = 2,创建了文章并能够保存它,尽管我已经以 user1 身份登录,用户 ID = 1!我也觉得很奇怪。。
然后我尝试编辑 user2 的文章,它正确地给出了“未经授权的访问错误”,但是当我尝试编辑 user1 自己的文章时,它给出了如下错误:
Notice (8): Trying to get property 'user_id' of non-object [APP/Controller\ArticlesController.php, line 154]
Warning (512): Unable to emit headers. Headers sent in file=D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php line=856 [CORE\src\Http\ResponseEmitter.php, line 51]
Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 152]
Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]
Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]
Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]
错误信息对应的代码(ArticlesController.php,第154行)如下:
public function isAuthorized($user)
{
$action = $this->request->getParam('action');
// The add and tags actions are always allowed to logged in users.
if (in_array($action, ['add', 'tags'])) {
return true;
}
// All other actions require a slug.
$slug = $this->request->getParam('pass.0');
if (!$slug) {
return false;
}
// Check that the article belongs to the current user.
$article = $this->Articles->findBySlug($slug)->first();
<**line 154**> return $article->user_id === $user['id'];
}
这意味着无论哪个用户登录,编辑功能都不起作用。
So here is my question:
- 当某个用户(例如 user1)尝试使用自己以外的用户 ID 保存文章时,授权如何工作?
- 为什么授权代码不允许 user1 编辑自己的文章?
提前致谢, 俯冲
最佳答案
失败消息(第 154 行)表明 $article
从未获得应有的正确值,这意味着 $slug
从未获得正确的值,尽管非零值。我发现了问题。事实证明,我使用的是按 Id 查找(自动代码生成),而不是按照文章中的建议在 edit()
代码中使用 findBySlug()
,因此调用函数 $slug = $this->request->getParam('pass.0');
返回文章的 Id,而不是 $slug
值。如果一个人使用bin\cake Bakery allarticles
命令自动生成大部分代码,那么它会附带find by Id,而不是findBySlug()
。因此,授权代码应如下所示:
public function isAuthorized($user)
{
$action = $this->request->getParam('action');
// The add and tags actions are always allowed to logged in users.
if (in_array($action, ['add', 'tags'])) {
return true;
}
// All other actions require a slug.
$id = $this->request->getParam('pass.0');
if (!$id) {
return false;
}
// Check that the article belongs to the current user.
$article = $this->Articles->get($id);
return $article->user_id === $user['id'];
}
通过上述更改,仅允许授权用户进行编辑,从而阻止所有其他用户。
这仅回答第二个问题,第一个问题仍然悬而未决。
关于php - CakePHP 3.8.6 : Authorization failure when adding new content,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58891439/