php - Laravel 操作未获得授权

Question

我正在尝试删除属于发帖用户的帖子，但出现此错误(顺便说一句，这是在网络日志中)

"/Applications/MAMP/htdocs/eli42/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php" line : 201 message : "This action is unauthorized." trace : [{,…},…]

我正在使用 laravel 5.5 policy不确定我这样做是否正确，我在 $protected policies

的 AuthServiceProvider 中注册了它

Post::class => PostPolicy::class,

路线

Route::delete('auth/post/{id}', 'PostController@destroy');

PostPolicy.php

<?php

namespace App\Policies;

use App\User;
use App\Post;

use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view the post.
     *
     * @param  \App\User  $user
     * @param  \App\Post  $post
     * @return mixed
     */
    public function view(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can create posts.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function create(User $user)
    {
        //
    }

    /**
     * Determine whether the user can update the post.
     *
     * @param  \App\User  $user
     * @param  \App\Post  $post
     * @return mixed
     */
    public function update(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can delete the post.
     *
     * @param  \App\User  $user
     * @param  \App\Post  $post
     * @return mixed
     */
    public function delete(User $user, Post $post)
    {
        //

        return $user->id === $post->user_id;

    }

PostController.php(此文件有更多代码，但我想突出显示删除功能)

<?php

namespace App\Http\Controllers;

use App\Post;
use App\User;
use App\Policies\TaskPolicy; 


use Illuminate\Http\Request;
use Illuminate\Http\Response;

class PostController extends Controller
{

    public function destroy($id, Post $post)
    {
        $mypost = $this->authorize('delete',$post);

        if($mypost){
             Post::destroy($id);

        }




    }
}

Main.js 删除帖子

$scope.deletePost = function(post){
    var index = $scope.myposts.indexOf(post);

    if(index != -1){
        $scope.myposts.splice(index, 1);
    }

    $http.delete('auth/post/' + post.id);

};

html

   <button ng-click="deletePost(post)">x</button>

之前

之后

Answer 1

你不需要检索帖子，让 Laravel 为你做这件事。

将你的路线编辑成这样:

Route::delete('auth/post/{post}', 'PostController@destroy');

请注意，大括号之间的 post 将是分配给 Laravel 发现的帖子的变量名。如果没有找到帖子，Laravel 将返回 Not Found 404。

然后在你的 Controller 中，你必须告诉 Laravel 你期待一个通过路由的帖子:

方法签名将是这样的:destroy(Post $post)。 $post 是您 route 的 {post}。

最后，对于授权，你不会得到授权方法返回的帖子。您将 Laravel 找到的 $post 传递给 authorize 方法。

这是完整的方法:

public function destroy(Post $post)
{
    $this->authorize('delete', $post);

    if ($post->delete()) {
        return response()->json(['message' => 'deleted']);
    };

    return response()->json(['error' => 'something went wrong'], 400);
}