Question

在我的Laravel应用程序中，User可以拥有一个Profile，他们或具有特权的用户可以对其进行更新。

这两个模型的关系在此方法中定义：

/**
 * Get the profile associated with this user
 */
public function profile()
{
    return $this->hasOne(Profile::class, 'user_username', 'username');
}

这是更新用户个人资料的方法：

/**
 * Update the specified resource in storage.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \App\Profile  $profile
 * @return \Illuminate\Http\Response
 */
public function update(UpdateProfile $request, User $user)
{
    if ($user) {
        // Only proceed if there is a logged in user
        $profile = $user->profile;

        // If there is no profile, create one for this user as they'll need one.
        if (!empty(request()->get('background'))) {
            $profile->background = clean($request->get('background'));
        }

        if (!empty(request()->get('skills'))) {
            $profile->skills = clean($request->get('skills'));
        }

        if (!empty(request()->get('filepath'))) {
            $profile->displayPicture = $request->get('filepath');
        }

        if (!empty(request()->get('linkedInUrl'))) {
            $socialProfilesDecoded = json_decode($user->profile->socialProfiles, true);
            $socialProfilesDecoded["LinkedIn"] = $request->get('linkedInUrl');
            $profile->socialProfiles = json_encode($socialProfilesDecoded);
        }

        if (!empty(request()->get('twitterUrl'))) {
            $socialProfilesDecoded = json_decode($user->profile->socialProfiles, true);
            $socialProfilesDecoded["Twitter"] = $request->get('twitterUrl');
            $profile->socialProfiles = json_encode($socialProfilesDecoded);
        }

        $user->profile()->save($profile);

        return redirect()->back()->withSuccess('Your profile has been successfully updated');
    }
}

更新个人资料的途径是：

Route::post('profile/{user}', 'ProfileController@update');

引起我注意的是，暴露用户名会带来一个漏洞，就好像您可以通过Web代理抓住请求一样，您只需更改用户名并更新其他用户的个人资料即可。

在不更改URL的情况下，我是否可以制定政策来检查以下内容：

用户有权更新所述个人资料
正在更新的个人资料是正确的个人资料（并且该请求未被篡改。

或者，我是否应该更改URL并只能在管理区域中编辑个人资料？

此外，由于配置文件与用户相关联，特权用户如何访问另一个用户的配置文件？

也许是隐藏的输入？

更新：

if ($request->is('admin/*')) {
    //
}

我可以检查它是否与POST请求匹配？

更新2

添加了一个简单的检查，以确保登录的用户有权更新配置文件。

/**
 * Update the specified resource in storage.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \App\Profile  $profile
 * @return \Illuminate\Http\Response
 */
public function update(UpdateProfile $request, User $user)
{
    // Check this user
    if(auth()->user() == $user || auth()->user()->can('Approve user profile')){
        if ($user) {
            // Only proceed if there is a logged in user
            $profile = $user->profile;

            // If there is no profile, create one for this user as they'll need one.
            if (!empty(request()->get('background'))) {
                $profile->background = clean($request->get('background'));
            }

            if (!empty(request()->get('skills'))) {
                $profile->skills = clean($request->get('skills'));
            }

            if (!empty(request()->get('filepath'))) {
                $profile->displayPicture = $request->get('filepath');
            }

            if (!empty(request()->get('linkedInUrl'))) {
                $socialProfilesDecoded = json_decode($user->profile->socialProfiles, true);
                $socialProfilesDecoded["LinkedIn"] = $request->get('linkedInUrl');
                $profile->socialProfiles = json_encode($socialProfilesDecoded);
            }

            if (!empty(request()->get('twitterUrl'))) {
                $socialProfilesDecoded = json_decode($user->profile->socialProfiles, true);
                $socialProfilesDecoded["Twitter"] = $request->get('twitterUrl');
                $profile->socialProfiles = json_encode($socialProfilesDecoded);
            }

            $user->profile()->save($profile);

            return redirect()->back()->withSuccess('Your profile has been successfully updated');
        }
    }
}

用政策限制行动

0 个答案: