// src/Controller/ArticlesController.php
public function isAuthorized($user)
{
// All registered users can add articles
if ($this->request->action === 'add') {
return true;
}
// The owner of an article can edit and delete it
if (in_array($this->request->action, ['edit', 'delete'])) {
$articleId = (int)$this->request->params['pass'][0];
if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
return true;
}
}
return parent::isAuthorized($user);
}
如果isOwnedBy()测试失败,我是否需要返回false?像这样:
// src/Controller/ArticlesController.php
public function isAuthorized($user)
{
// All registered users can add articles
if ($this->request->action === 'add') {
return true;
}
// The owner of an article can edit and delete it
if (in_array($this->request->action, ['edit', 'delete'])) {
$articleId = (int)$this->request->params['pass'][0];
if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
return true;
}
return false;
}
return parent::isAuthorized($user);
}
答案 0 :(得分:1)
如果你密切关注,父isAuthorized()
方法将为所有非管理员返回false
public function isAuthorized($user)
{
// Admin can access every action
if (isset($user['role']) && $user['role'] === 'admin') {
return true;
}
// Default deny
return false;
}
因此,在特定情况下,不,您不必确切地说,必须,因为这会导致只有所有者能够编辑任何内容,因为管理员角色不再被检查。
PS。这类问题可能更适合IRC或Google小组。