I want to create a statement that makes sure users can only view their own call_center data unless their role_id is 2, 3 or 4. If the URL is venture.local/?call_center=77 and the user changes it to venture.local/?call_center=22, then as of now any role_id can see the other call_center's data. I want the page to fall back to the user's own call_center unless their role_id is 2, 3 or 4. I'm not sure whether the best place to do this is JavaScript or my dashboardcontroller.php? I put it in the controller because I thought I could do something like this:
// Only roles other than 2, 3 and 4 get pinned to their own call center.
// (The original chained != with ||, which is always true; in_array() says "not 2, 3 or 4".)
if(!in_array($role_id['id'], ['2', '3', '4']))
{
// Filter on the contracts.call_center column against the user's own call center,
// not on a column named after the call center value.
$own_call_center = Auth::user()->call_center;
$pending->where('contracts.call_center', '=', $own_call_center);
$active->where('contracts.call_center', '=', $own_call_center);
$cancelled_contracts->where('contracts.call_center', '=', $own_call_center);
$late_contracts->where('contracts.call_center', '=', $own_call_center);
$back_out_contracts->where('contracts.call_center', '=', $own_call_center);
$pending_late->where('contracts.call_center', '=', $own_call_center);
$pending_cancellation->where('contracts.call_center', '=', $own_call_center);
}
Am I heading in the right direction? Or could someone point me the right way? Any help is appreciated.
Dashboardcontroller.php
// Facades used below; the Contract, Company and User model imports follow the app's own namespace.
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Input;
public function __construct()
{
setlocale(LC_MONETARY, 'en_US.utf8');
$this->middleware('acl:view_dash', ['only' => ['index']]);
}
public function index()
{
$input = Input::all();
$user_id = Auth::user()->id;
$role_id = User::UserRoleData()->where('user_id', '=', $user_id)->first();
$call_center = Auth::user()->call_center;
$call_center = ($call_center == null ? '' : $call_center);
$call_center = !empty($input['call_center']) ? $input['call_center'] : $call_center;
$month = !empty($input['month']) ? $input['month'] : 'twentyfour';
$sellertype = !empty($input['sellertype']) ? $input['sellertype'] : 'seller';
$companies = Company::DistinctCompanies()->orderby('name')->get();
$date = date('Y-m-d', strtotime('now -24 months'));
// Unfinished attempt at restricting the dashboard to the user's own call center
// (commented out: $user_id is an integer, so $user_id() is not callable):
// if(Auth::user()->call_center) { ... }
$pending = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Pending')
->where('hold', '=', '0');
$active = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Active')
->where('hold', '=', '0');
$cancelled_contracts = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Cancelled')
->where('hold', '=', '0');
$late_contracts = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Late')
->where('hold', '=', '0');
$back_out_contracts = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Back Out')
->where('hold', '=', '0');
$pending_late = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Pending Late')
->where('hold', '=', '0');
$pending_cancellation = Contract::GetData()
->select(DB::raw('count(*) as total'))
->where('system_status', '=', 'Awaiting Cancellation')
->where('hold', '=', '0');
if($sellertype == 'dealership')
{
$pending->where("type", "=", 'dealership');
$active->where("type", "=", 'dealership');
$cancelled_contracts->where("type", "=", 'dealership');
$late_contracts->where("type", "=", 'dealership');
$back_out_contracts->where("type", "=", 'dealership');
$pending_late->where("type", "=", 'dealership');
$pending_cancellation->where("type", "=", 'dealership');
}
if($month == 'twentyfour' || $month != 'all')
{
$pending->where("sold_date", ">=", $date);
$active->where("sold_date", ">=", $date);
$cancelled_contracts->where("sold_date", ">=", $date);
$late_contracts->where("sold_date", ">=", $date);
$back_out_contracts->where("sold_date", ">=", $date);
$pending_late->where("sold_date", ">=", $date);
$pending_cancellation->where("sold_date", ">=", $date);
}
if($call_center == '52')
{
$asi_contracts = array('26', '35', '4', '42', '45', '46', '47', '49', '50', '51');
$pending
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$active
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$cancelled_contracts
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$late_contracts
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$back_out_contracts
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$pending_late
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
$pending_cancellation
->where('contracts.moxy_contract_id', 'not like', 'EACP%')
->where('contracts.moxy_contract_id', 'not like', '9466%')
->where('contracts.moxy_contract_id', 'not like', '9836%');
}
if($role_id['id'] == '5' || $role_id['id'] == '6' || $role_id['id'] == '7' || $role_id['id'] == '8' || $role_id['id'] == '9' || $role_id['id'] == '10')
{
$pending->where('contracts.call_center', '=', $call_center);
$active->where('contracts.call_center', '=', $call_center);
$cancelled_contracts->where('contracts.call_center', '=', $call_center);
$late_contracts->where('contracts.call_center', '=', $call_center);
$back_out_contracts->where('contracts.call_center', '=', $call_center);
$pending_late->where('contracts.call_center', '=', $call_center);
$pending_cancellation->where('contracts.call_center', '=', $call_center);
}
else
{
if($role_id['id'] == '2' && !empty($input['call_center']))
{
$call_center = $input['call_center'];
$pending->where('contracts.call_center', '=', $call_center);
$active->where('contracts.call_center', '=', $call_center);
$cancelled_contracts->where('contracts.call_center', '=', $call_center);
$late_contracts->where('contracts.call_center', '=', $call_center);
$back_out_contracts->where('contracts.call_center', '=', $call_center);
$pending_late->where('contracts.call_center', '=', $call_center);
$pending_cancellation->where('contracts.call_center', '=', $call_center);
}
}
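The root problem in the question is that the `call_center` value from the URL is trusted for every role, so any user can read another call center's totals by editing the query string. The server has to decide which call center a request may see before the value reaches the queries. Below is an added example of that (my own code, not the asker's controller): it keeps the `Contract::GetData()` scope, the role lookup and the status labels from the question, and assumes a `User` model in `App\User` with a `call_center` attribute and a `dashboard.index` view; `effectiveCallCenter()`, `PRIVILEGED_ROLE_IDS` and `STATUSES` are names I introduced. Only the call-center and date filters from the question are applied here.

```php
<?php
// Added example: resolve the permitted call center server-side, then apply
// it to every count query. Assumes Laravel with the Contract::GetData()
// scope and role lookup from the question; helper names are my own.

namespace App\Http\Controllers;

use App\Contract;   // assumed model namespace
use App\User;       // assumed model namespace
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;

class DashboardController extends Controller
{
    // Role IDs that may choose any call center (2, 3 and 4 per the question).
    private const PRIVILEGED_ROLE_IDS = [2, 3, 4];

    // The seven status labels counted in the question, keyed by variable name.
    private const STATUSES = [
        'pending'              => 'Pending',
        'active'               => 'Active',
        'cancelled_contracts'  => 'Cancelled',
        'late_contracts'       => 'Late',
        'back_out_contracts'   => 'Back Out',
        'pending_late'         => 'Pending Late',
        'pending_cancellation' => 'Awaiting Cancellation',
    ];

    /**
     * Pick the call center this request is allowed to see.
     * Privileged roles may select one via ?call_center=; everyone else is
     * pinned to their own, whatever the query string says. Returns null when a
     * restricted user has no call center, which the caller treats as
     * "nothing to show", never as "show everything".
     */
    private function effectiveCallCenter(Request $request, int $roleId, $ownCallCenter): ?int
    {
        // Normalise '' / null (the question maps null to '') to "no call center".
        $own = ($ownCallCenter === null || $ownCallCenter === '') ? null : (int) $ownCallCenter;

        if (!in_array($roleId, self::PRIVILEGED_ROLE_IDS, true)) {
            return $own;                       // query string is ignored entirely
        }

        $requested = $request->query('call_center');
        // Accept only a plain integer from a privileged user; otherwise their own.
        return ($requested !== null && ctype_digit((string) $requested))
            ? (int) $requested
            : $own;
    }

    public function index(Request $request)
    {
        $user   = Auth::user();
        $role   = User::UserRoleData()->where('user_id', '=', $user->id)->first();
        $roleId = (int) ($role['id'] ?? 0);   // unknown role -> treated as restricted

        $callCenter = $this->effectiveCallCenter($request, $roleId, $user->call_center);
        if ($callCenter === null) {
            // A restricted user with no call center must not see unfiltered totals.
            abort(403, 'No call center assigned to this account');
        }

        $date   = date('Y-m-d', strtotime('now -24 months'));
        $counts = [];
        foreach (self::STATUSES as $key => $status) {
            // Same shape as the question's queries, with the call center
            // constraint applied unconditionally rather than per role branch.
            $counts[$key] = Contract::GetData()
                ->select(DB::raw('count(*) as total'))
                ->where('system_status', '=', $status)
                ->where('hold', '=', '0')
                ->where('sold_date', '>=', $date)
                ->where('contracts.call_center', '=', $callCenter)
                ->first()
                ->total;
        }

        return view('dashboard.index', [   // assumed view name
            'counts'      => $counts,
            'call_center' => $callCenter,
        ]);
    }
}
```

Because the constraint is applied in the loop for every query, there is no branch in which a status count goes out unfiltered, and adding an eighth status cannot reintroduce the gap. The `abort(403)` for a restricted user without a call center is deliberate: the question's code would fall through and return company-wide totals in that case.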
Answer 0 (score: 0)
First of all, stop passing data like that in the URL. If possible, handle this through the session when the user logs in.
If you don't like the approach above, you can use encryption/decryption for this purpose. Never pass raw numbers like 22 or 33 in the URL. Don't make the end user curious.
use Illuminate\Support\Facades\Crypt;
$encrypted = Crypt::encryptString('123');
$decrypted = Crypt::decryptString($encrypted);
Also, you can read the Laravel authorization documentation; it is useful for the exact problem you are facing.
Answer 1 (score: 0)
Inside the User model, if you haven't already set roles up as a relationship, you could do the following:
public function roles()
{
return $this->belongsToMany('App\Role');
}
public function hasRole($roleName) : bool
{
// you could always change this function so it could take
// an array of role IDs instead of the name
// exists() returns a plain bool; firstOrFail() would throw instead of returning false
return $this->roles()->where('name', $roleName)->exists();
}
In the call center model you can set up a function like this:
public function canBeViewedBy(User $user) : bool
{
// customise role name to whichever roles you want
if ($user->hasRole('canViewAllCentres')) {
return true;
}
// you can add additional custom logic here
return false;
}
Then inside the function in the Dashboard controller:
if (!$call_center->canBeViewedBy(Auth::user())) {
return abort(403, 'Forbidden');
}
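Answer 1's `canBeViewedBy()` is the right shape; Laravel's policies are the framework's own home for that check, so the controller only calls `authorize()` and the framework returns 403 when the policy denies. Below is an added example (my own code, not answer 1's) of the same rule written as a policy. It uses the role IDs 2, 3 and 4 from the question instead of a role name, and assumes an `App\CallCenter` Eloquent model with an `id` column and an `App\User` model with `role_id` and `call_center` attributes; `CallCenterPolicy`, `VIEW_ANY_ROLES` and the `dashboard.index` view are names I introduced. Braced `namespace` blocks are used only so the three pieces sit in one file.

```php
<?php
// Added example: the call-center visibility rule as a Laravel policy.
// All class and attribute names below are assumptions about the app.

namespace App\Policies {
    use App\CallCenter;
    use App\User;

    class CallCenterPolicy
    {
        // Roles that may view any call center (2, 3 and 4 from the question).
        private const VIEW_ANY_ROLES = [2, 3, 4];

        /** May $user view the dashboard for $callCenter? */
        public function view(User $user, CallCenter $callCenter): bool
        {
            if (in_array((int) $user->role_id, self::VIEW_ANY_ROLES, true)) {
                return true;
            }
            // Everyone else sees only the call center they belong to; a user
            // with no call center matches nothing rather than everything.
            return $user->call_center !== null
                && $user->call_center !== ''
                && (int) $user->call_center === (int) $callCenter->id;
        }
    }
}

namespace App\Providers {
    use App\CallCenter;
    use App\Policies\CallCenterPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Maps the model to its policy so $this->authorize('view', $callCenter) finds it.
        protected $policies = [
            CallCenter::class => CallCenterPolicy::class,
        ];

        public function boot()
        {
            $this->registerPolicies();
        }
    }
}

namespace App\Http\Controllers {
    use App\CallCenter;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    class DashboardController extends Controller
    {
        public function index(Request $request)
        {
            // Default to the user's own call center when none is requested.
            $id = $request->query('call_center', Auth::user()->call_center);

            // Unknown ids become a 404 before any authorization question arises.
            $callCenter = CallCenter::findOrFail($id);

            // Throws AuthorizationException (HTTP 403) when the policy returns false,
            // so a restricted user who edits ?call_center= is refused here.
            $this->authorize('view', $callCenter);

            return view('dashboard.index', ['call_center' => $callCenter]);  // assumed view
        }
    }
}
```

Keeping the rule in one policy method means the dashboard, any API endpoint and any Blade `@can('view', $callCenter)` check all share it; a second controller cannot forget the role branch the way the question's seven hand-written `where` blocks can.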