Restrict a specific user's access to POST, DELETE, PATCH, PUT

Date: 2018-04-08 12:00:46

Tags: laravel postgresql forge php-7.2

I installed Laravel 5.6.

I want to give users a Demo account which, apart from viewing everything, cannot insert or update anything.

My system has no set of roles. I just want to hardcode the user ID somewhere and restrict these actions.

I googled and found many different approaches (https://laracasts.com/discuss/channels/laravel/protecting-route-for-specific-user), which go far beyond what I need. I just want to restrict this to a specific user across the whole site.

+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
| Domain | Method    | URI                                                   | Name                            | Action                                                                             | Middleware                                       |
+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
|        | GET|HEAD  | /                                                     |                                 | Closure                                                                            | web                                              |
|        | GET|HEAD  | _debugbar/assets/javascript                           | debugbar.assets.js              | Barryvdh\Debugbar\Controllers\AssetController@js                                   | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/assets/stylesheets                          | debugbar.assets.css             | Barryvdh\Debugbar\Controllers\AssetController@css                                  | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | DELETE    | _debugbar/cache/{key}/{tags?}                         | debugbar.cache.delete           | Barryvdh\Debugbar\Controllers\CacheController@delete                               | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/clockwork/{id}                              | debugbar.clockwork              | Barryvdh\Debugbar\Controllers\OpenHandlerController@clockwork                      | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | _debugbar/open                                        | debugbar.openhandler            | Barryvdh\Debugbar\Controllers\OpenHandlerController@handle                         | Barryvdh\Debugbar\Middleware\DebugbarEnabled     |
|        | GET|HEAD  | api/user                                              |                                 | Closure                                                                            | api,auth:api                                     |
|        | GET|HEAD  | giris                                                 |                                 | Closure                                                                            | web                                              |
|        | GET|HEAD  | horizon/api/jobs/failed                               | horizon.failed-jobs.index       | Laravel\Horizon\Http\Controllers\FailedJobsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/jobs/failed/{id}                          | horizon.failed-jobs.show        | Laravel\Horizon\Http\Controllers\FailedJobsController@show                         | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/jobs/recent                               | horizon.recent-jobs.index       | Laravel\Horizon\Http\Controllers\RecentJobsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | POST      | horizon/api/jobs/retry/{id}                           | horizon.retry-jobs.show         | Laravel\Horizon\Http\Controllers\RetryController@store                             | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/masters                                   | horizon.masters.index           | Laravel\Horizon\Http\Controllers\MasterSupervisorController@index                  | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/jobs                              | horizon.jobs-metrics.index      | Laravel\Horizon\Http\Controllers\JobMetricsController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/jobs/{id}                         | horizon.jobs-metrics.show       | Laravel\Horizon\Http\Controllers\JobMetricsController@show                         | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/queues                            | horizon.queues-metrics.index    | Laravel\Horizon\Http\Controllers\QueueMetricsController@index                      | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/metrics/queues/{id}                       | horizon.queues-metrics.show     | Laravel\Horizon\Http\Controllers\QueueMetricsController@show                       | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | POST      | horizon/api/monitoring                                | horizon.monitoring.store        | Laravel\Horizon\Http\Controllers\MonitoringController@store                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/monitoring                                | horizon.monitoring.index        | Laravel\Horizon\Http\Controllers\MonitoringController@index                        | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/monitoring/{tag}                          | horizon.monitoring-tag.paginate | Laravel\Horizon\Http\Controllers\MonitoringController@paginate                     | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | DELETE    | horizon/api/monitoring/{tag}                          | horizon.monitoring-tag.destroy  | Laravel\Horizon\Http\Controllers\MonitoringController@destroy                      | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/stats                                     | horizon.stats.index             | Laravel\Horizon\Http\Controllers\DashboardStatsController@index                    | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/api/workload                                  | horizon.workload.index          | Laravel\Horizon\Http\Controllers\WorkloadController@index                          | web,Laravel\Horizon\Http\Middleware\Authenticate |
|        | GET|HEAD  | horizon/{view?}                                       | horizon.index                   | Laravel\Horizon\Http\Controllers\HomeController@index                              | web,Laravel\Horizon\Http\Middleware\Authenticate |

1 Answer:

Answer 0 (score: 2)

The quickest way is to create a simple middleware that aborts if it is the specific user.

To create the middleware you can use the artisan command make:middleware

php artisan make:middleware LimitUserIdX

In the newly created file (app/Http/Middleware/LimitUserIdX.php) you just check whether the authenticated user's ID is X and, if so, abort with error code 403 (permission denied), like this:

// at the top of app/Http/Middleware/LimitUserIdX.php
use Closure;
use Illuminate\Support\Facades\Auth;

public function handle($request, Closure $next)
{
    // ID of the authenticated user, or null for a guest
    $userId = Auth::id();
    if($userId == 5) {
        abort(403);
    }

    return $next($request);
}

Change 5 to the user you want to restrict.

Edit: I misunderstood the question, here is a correction.

You should add the newly created middleware to Laravel's global middleware list. Just go to app/Http/Kernel.php and add the class to the $middleware variable. This makes Laravel run your middleware on every HTTP request to your application (no need to add it to every route definition).

Then you also need to edit the middleware itself to check the requested method before aborting, like this:

// at the top of app/Http/Middleware/LimitUserIdX.php
use Closure;
use Illuminate\Support\Facades\Auth;

public function handle($request, Closure $next)
{
    $userId = Auth::id();
    // method() honours the _method form override, so a POST carrying
    // _method=PUT/PATCH/DELETE is reported as that verb and still blocked
    $method = $request->method();

    // only GET and HEAD are allowed for the restricted user
    if($method != "GET" && $method != "HEAD" && $userId == 5) {
        abort(403);
    }

    return $next($request);
}
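A fuller version of the same idea, added here as an example and not part of the original question or answer. It allow-lists the safe methods (GET, HEAD, OPTIONS) instead of deny-listing the write verbs, reads the demo user IDs from a config key `demo.user_ids` (an assumed key in an assumed `config/demo.php`) rather than a literal in the class, and still lets the demo user reach the `logout` route, which Laravel's auth scaffolding registers as POST. Two caveats that the answer above does not mention: Laravel's global `$middleware` runs before the `web` group's `StartSession`, so with the default session guard `Auth::id()` and `$request->user()` are still null there; register this class at the end of the `web` group in `app/Http/Kernel.php` (or as route middleware) so the session and the matched route are available. And the check only gates HTTP verbs: any GET route that mutates state is not covered by it.

```php
<?php
// Added example, not code from the original page. Assumes a config key
// `demo.user_ids` holding an array of integer user IDs and a route named
// `logout`; both names are assumptions for illustration.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ReadOnlyDemoUser
{
    /** RFC 7231 "safe" methods: the only ones a demo account may use. */
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    /** Route names that a demo account may still hit with a write verb. */
    private const ALLOWED_ROUTE_NAMES = ['logout'];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Guests and non-demo users pass through untouched.
        if ($user === null || ! $this->isDemoUser((int) $user->getAuthIdentifier())) {
            return $next($request);
        }

        // method() honours the _method form override, so a POST with
        // _method=DELETE is reported as DELETE and caught here as well.
        if (in_array($request->method(), self::SAFE_METHODS, true)) {
            return $next($request);
        }

        // route() is populated only once routing has run (group or route
        // middleware); it is null in global middleware, hence the guard.
        $route = $request->route();
        if ($route !== null && in_array($route->getName(), self::ALLOWED_ROUTE_NAMES, true)) {
            return $next($request);
        }

        abort(403, 'Demo accounts are read-only.');
    }

    /** IDs are cast to int so a string ID from the DB driver still matches. */
    private function isDemoUser(int $userId): bool
    {
        $demoIds = array_map('intval', (array) config('demo.user_ids', []));

        return in_array($userId, $demoIds, true);
    }
}

// Registration (app/Http/Kernel.php), appended to the `web` group so that
// StartSession has already run and $request->user() is resolvable:
//
//     'web' => [
//         // ...existing entries...
//         \App\Http\Middleware\ReadOnlyDemoUser::class,
//     ],
```

Because the `ALLOWED_ROUTE_NAMES` exception is keyed on the route name and not on the URI, a demo user cannot reach it by spoofing a path; it only applies to the route actually matched by the router.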