php - Laravel 授权策略 AccessDeniedHttpException 此操作未经授权

Question

我有这样的设置:-

\App\Policies\ObservationPolicy

<?php

namespace App\Policies;

use App\Observation;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class ObservationPolicy
{
    use HandlesAuthorization;

    /**
     * Create a new policy instance.
     *
     * @return void
     */
    public function __construct()
    {
        //
    }

    public function edit(User $user, Observation $observation)
    {
        return $user->id == $observation->user_id;
    }



}

身份验证服务提供商:

<?php

namespace App\Providers;

use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;


class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
        'App\Observation' => 'App\Policies\ObservationPolicy'
    ];

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();

        //
    }
}

当我尝试使用以下语句查看文件时:-

@can('edit', $observation)
@endcan

它运行没有任何问题。

但是当我在 Controller 中使用时:

public function edit($id,Observation $observation)
    {
        $this->authorize('edit', $observation);
        return view('mypage');
    }

它总是返回错误:- AccessDeniedHttpException 此操作未经授权

我访问的路线是:- 路线::get('/Observation/{id}/edit', 'ObservationController@edit');

Answer 1

看起来您在 Controller 方法中接受了错误的参数。

您定义的路线:

Route::get('/Observation/{id}/edit', 'ObservationController@edit');

将传递$id，但我认为Observation $observation只是创建Observation类的一个新实例。 发生这种情况是因为 Laravel 认为您想在 Controller 方法中使用依赖注入(inject): https://laravel.com/docs/5.5/controllers#dependency-injection-and-controllers

public function edit($id, Observation $observation):

---

相反在您的 route 尝试此操作:

Route::get('/Observation/{observation}/edit', 'ObservationController@edit');

并将其作为您的方法参数:

public function edit(Observation $observation):

这里我们使用内置功能来进行路由模型绑定(bind): https://laravel.com/docs/5.5/routing#route-model-binding
如果您不想依赖这种魔法，则必须手动在 Controller 方法中查找实际观察，例如 $observation = Observation::findOrFail($id);