Is the blog tutorial's isAuthorized missing a return false?

Time: 2015-05-13 14:01:07

Tags: php cakephp-3.0

// src/Controller/ArticlesController.php

public function isAuthorized($user)
{
    // All registered users can add articles
    if ($this->request->action === 'add') {
        return true;
    }

    // The owner of an article can edit and delete it
    if (in_array($this->request->action, ['edit', 'delete'])) {
        $articleId = (int)$this->request->params['pass'][0];
        if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
            return true;
        }
    }

    return parent::isAuthorized($user);
}

If the isOwnedBy() test fails, do I need to return false? Like this:

// src/Controller/ArticlesController.php

public function isAuthorized($user)
{
    // All registered users can add articles
    if ($this->request->action === 'add') {
        return true;
    }

    // The owner of an article can edit and delete it
    if (in_array($this->request->action, ['edit', 'delete'])) {
        $articleId = (int)$this->request->params['pass'][0];
        if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
            return true;
        }
        return false;
    }

    return parent::isAuthorized($user);
}

I found this code at: http://book.cakephp.org/3.0/en/tutorials-and-examples/blog-auth-example/auth.html#authorization-who-s-allowed-to-access-what

1 answer:

Answer 0: (score: 1)

If you look closely, the parent isAuthorized() method returns false for all non-admins:

public function isAuthorized($user)
{
    // Admin can access every action
    if (isset($user['role']) && $user['role'] === 'admin') {
        return true;
    }

    // Default deny
    return false;
}

So in this particular case, no, you don't have to; in fact, you must not, because that would mean only the owner could edit anything, since the admin role would no longer be checked.

PS. This kind of question is probably better suited to IRC or the Google group.
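To make the answer's point concrete, here is an added stand-alone simulation (not code from the CakePHP book or from the question) that runs both variants of isAuthorized() side by side. The CakePHP controller, request and table objects are replaced by plain functions and arrays: ARTICLE_OWNERS is a constructed ownership map, and isOwnedBy(), parentIsAuthorized(), isAuthorizedA() and isAuthorizedB() are hypothetical names standing in for the tutorial's methods.

```php
<?php
// Added example, not part of the CakePHP tutorial: simulate the two
// isAuthorized() variants from the question with plain PHP so the effect
// of the extra `return false` on the parent's admin rule is visible.
declare(strict_types=1);

// Constructed data: article id => owner user id.
const ARTICLE_OWNERS = [1 => 10, 2 => 20];

// Stand-in for $this->Articles->isOwnedBy() (hypothetical helper).
function isOwnedBy(int $articleId, int $userId): bool
{
    return (ARTICLE_OWNERS[$articleId] ?? null) === $userId;
}

// Stand-in for the parent (AppController) rule quoted in the answer:
// admins pass, everyone else is denied by default.
function parentIsAuthorized(array $user): bool
{
    if (isset($user['role']) && $user['role'] === 'admin') {
        return true;
    }
    return false; // default deny
}

// Variant A: the tutorial's version, which falls through to the parent.
function isAuthorizedA(array $user, string $action, int $articleId): bool
{
    if ($action === 'add') {
        return true;
    }
    if (in_array($action, ['edit', 'delete'], true)) {
        if (isOwnedBy($articleId, $user['id'])) {
            return true;
        }
    }
    return parentIsAuthorized($user);
}

// Variant B: the question's version with `return false` after the
// ownership check, which returns before the parent is ever consulted.
function isAuthorizedB(array $user, string $action, int $articleId): bool
{
    if ($action === 'add') {
        return true;
    }
    if (in_array($action, ['edit', 'delete'], true)) {
        if (isOwnedBy($articleId, $user['id'])) {
            return true;
        }
        return false; // short-circuits the admin check in the parent
    }
    return parentIsAuthorized($user);
}

// Constructed test users: the owner of article 1, an unrelated author, and an admin.
$users = [
    'owner' => ['id' => 10, 'role' => 'author'],
    'other' => ['id' => 30, 'role' => 'author'],
    'admin' => ['id' => 99, 'role' => 'admin'],
];

printf("%-6s %-7s %-10s %-10s\n", 'user', 'action', 'variant A', 'variant B');
foreach ($users as $name => $user) {
    foreach (['add', 'edit', 'delete'] as $action) {
        printf("%-6s %-7s %-10s %-10s\n", $name, $action,
            isAuthorizedA($user, $action, 1) ? 'allow' : 'deny',
            isAuthorizedB($user, $action, 1) ? 'allow' : 'deny');
    }
}
```

Run it with `php` from the command line. The rows for the owner and for the unrelated author are identical in both columns, which is why the extra `return false` looks harmless; the difference appears only in the admin rows for edit and delete, where variant A allows (the parent's admin rule is reached) and variant B denies (the parent is never called). The general lesson is that a default-deny rule belongs at the end of the chain, in the parent, so that an early `return false` in a subclass does not silently disable policy that lives further down.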