Question

我有这条路线：

Route::get('/conference/{id}/{slug?}/payment/registration/{registrationID}', [
    'uses' => 'PaymentController@payment',
    'as'   =>'conferences.payment'
]);

当用户通过＆＃34; http://proj.test/conference/2/conference-title/payment/registration/1＆＃34;访问此路线时它似乎是一个多步形式，因此用户可以输入一些数据来支付他在会议中所做的注册。

当用户访问＆＃34; http://proj.test/conference/2/conference-title/payment/registration/1＆＃34;它似乎是多步形式。

问题在于，例如，如果另一个用户在用户表中具有不同的ID，他也可以访问＆＃34; http://proj.test/conference/2/title/payment/registration/1＆＃34;并使用id＆＃34; 1＆＃34;支付相同的注册费用属于另一个用户。

因此，任何用户都可以支付任何注册费用，但用户应该只能支付他所做的注册。

你知道如何解决这个问题吗？

PaymentController：

class PaymentController extends Controller
{

    public function payment($id, $slug, $regID)
    {

        $registrationTypeDetails = Registration::with(['participants.registration_type',
            'participants' => function ($query) use ($regID) {
                $query->select('id', 'registration_type_id', 'registration_id')->where('registration_id', $regID);
            }
        ])->find($regID);

        $registrationTypes = [];


        return view('conferences.payment', compact('registrationTypeDetails', 'id', 'slug'));
    }
}

$ registrationTypeDetails显示：

Registration {#259 ▼
...
  #relations: array:1 [▼
    "participants" => Collection {#263 ▼
      #items: array:2 [▼
        0 => Participant {#270 ▼
         ...
          #relations: array:1 [▼
            "registration_type" => RegistrationType {#276 ▼
              ....
              #attributes: array:12 [▼
                "id" => 2
                "name" => "free"
                "price" => 0
                "conference_id" => 2
              ]
              ...
            }
          ]
         ...
        }
        1 => Participant {#272 ▼
          ...
          #relations: array:1 [▼
            "registration_type" => RegistrationType {#278 ▼
            ...
              #attributes: array:12 [▼
                "id" => 3
                "name" => "paid"
                "price" => 1
                "conference_id," => 2
              ]
             ...
            }
          ]
        }
      ]
    }
  ]
...
}

Answer 1

使用Laravel身份验证系统，您可以获取当前经过身份验证的用户，并检查其ID是否与注册时的user_id匹配。我假设用户和他创建的注册之间存在关系，如果没有，应该有。

会是这样的：

use Auth;
// ...all your other imports

class PaymentController extends Controller
{

    public function payment($id, $slug, $regID)
    {
        // get the current user
        $user_id = Auth::id();

        $registrationTypeDetails = Registration::with(['participants.registration_type',
            'participants' => function ($query) use ($regID) {
                $query->select('id', 'registration_type_id', 'registration_id')->where('registration_id', $regID);
            }
        ])->find($regID);

        // check if the user id matches
        if ($registrationTypeDetails->main_participant_id != $user_id) {
            // user didn't create this registration
            // ...do whatever you need to
        }
        else {
            $registrationTypes = [];

            return view('conferences.payment', compact('registrationTypeDetails', 'id', 'slug'));
        }
    }
}

用户应该只能支付他所做的注册

1 个答案: