我正在开发一个多用户Web应用程序。我担心的是安全问题,我想知道这是否是安全的方法?
我在filters.php中完成了以下三个新过滤器。
Route::filter('auth', function()
{
if (Auth::guest())
{
if (Request::ajax())
{
return Response::make('Unauthorized', 401);
}
else
{
return Redirect::guest('login');
}
}
});
Route::filter('user', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 2){
return Redirect::route('/users/users');
}
}
});
Route::filter('admin', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 1){
return Redirect::route('/admin/admin');
}
}
});
Route::filter('business', function(){
if(Auth::guest()){
return Redirect::route('login');
}else{
if(Auth::user()->role == 1){
return Redirect::route('/business/business');
}
}
});
在routes.php我添加了以下内容:
Route::group(array('before' => 'admin'), function(){
Route::resource('user', 'UserController');
Route::get('user/dashboard', array(
'as' =>'user-dashboard',
'uses' => 'UserController@show'
));
// Route::group(array('before' => 'user'), function(){
Route::get('admin/dashboard', array(
'as' =>'admin-dashboard',
'uses' => 'AdminController@getAdmin'
));
// });
Route::group(array('before' => 'business'), function(){
Route::get('business/dashboard', array(
'as' =>'business-dashboard',
'uses' => 'BusinessController@getBusiness'
));
});
在AdminController.php我添加了以下内容:
public function show($id){
$user = User::find($id);
return View::make('admin.show')
->with('title', 'admin dashboard')
->with('user', $user);
}
在admin/show.blade.php文件中,我添加了以下内容:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<div class="container">
<h1>{{ $user->email }}</h1>
@else
<p> you are not signed in</p>
@endif
@else
<?php return Redirect::route('login') ?>
@endif
@stop
在UserController.php我添加了以下内容:
public function show(){
return View::make('users.index')
->with('title', 'dashboard');
}
在users/index.blade.php我添加了以下内容:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
...........
@else
<div class="container">
<h3>your are not signed in</h3>
</div>
@endif
@else
<?php return Redirect::route('login')->with('global', 'your not allowed here') ?>
@endif
@stop
并且业务角色以相同的方式完成。
在admin的视图文件中:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==1)
<h2>welcome {{ Auth::user()->email }}, you are logged in as an administrator </h2>
@else
<p> you are not signed in</p>
@endif
@else
<p><?php return Redirect::route('login')->with('global', 'your not allowed here') ?></p>
@endif
@stop
对于用户:
@extends('layouts.default')
@section('content')
@if(Auth::check())
@if(Auth::user()->role==2)
<h2>welcome {{ Auth::user()->email }}, you are logged in as an user </h2>
@else
<p> you are not signed in</p>
@endif
@else
<p><?php return Redirect::route('login')->with('global', 'your not allowed here') ?></p>
@endif
@stop
答案 0 :(得分:1)
首先,您不需要在每个过滤器中检查Auth::guest(),而是将现有的auth过滤器与其他过滤器结合使用,如下所示:
Route::group(array('before' => 'auth|admin'), function() {});
或使用此备用数组语法:
Route::group(array('before' => array('auth', 'admin')), function() {});
我不确定admin/dashboard路线周围的路线组的评论是否是故意的,但是评论说该路线没有路线过滤器,所以请记住,你可能需要取消注释。
此外,视图中不需要Auth::check()和return Redirect::route('login') - 身份验证应该在控制器中或通过路由过滤器完成,如果用户不是,则甚至不应该呈现视图登录。
除此之外,代码的这些部分看起来非常安全,但如果出现问题,不要责怪我或Stack Exchange,如果有疑问请咨询专业人士。