Laravel Spatie无法限制UserController

时间:2019-10-03 07:50:48

标签: php laravel permissions user-roles spatie

目前,我有要限制的users.index刀片。但是,我没有限制它。

我试图创建另一个测试刀片和一个TestController,并且已经为其设置了权限,并且效果很好。

但是,对于UserController,没有任何方法可以限制用户访问它:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;
use DB;

    class TestController extends Controller
    {
        /**
         * Restricting pages
         */
            public function __construct()
        {
            $this -> middleware('permission:test-list', ['only' => ['index']]);
        }
        /**
         * Display a listing of the resource.
         *
         * @return \Illuminate\Http\Response
         */
        public function index()
        {
            return view('test.index');
        }

        /**
         * Show the form for creating a new resource.
         *
         * @return \Illuminate\Http\Response
         */
        public function create()
        {
            //
        }

        /**
         * Store a newly created resource in storage.
         *
         * @param  \Illuminate\Http\Request  $request
         * @return \Illuminate\Http\Response
         */
        public function store(Request $request)
        {
            //
        }

        /**
         * Display the specified resource.
         *
         * @param  int  $id
         * @return \Illuminate\Http\Response
         */
        public function show($id)
        {
            //
        }

        /**
         * Show the form for editing the specified resource.
         *
         * @param  int  $id
         * @return \Illuminate\Http\Response
         */
        public function edit($id)
        {
            //
        }

        /**
         * Update the specified resource in storage.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  int  $id
         * @return \Illuminate\Http\Response
         */
        public function update(Request $request, $id)
        {
            //
        }

        /**
         * Remove the specified resource from storage.
         *
         * @param  int  $id
         * @return \Illuminate\Http\Response
         */
        public function destroy($id)
        {
            //
        }
    }

views / test / index.blade.php

@extends('layouts.app')
@section('content') 


<p>Testing Page</p>
@endsection

这些是如果我不允许特定的用户角色访问此页面的结果。

enter image description here

enter image description here

因此,以上是正确的行为。 但是,当涉及到user.index时,我在UserController的构造函数中应用了相同的技术,但是它不起作用

app / Http / Controllers / UserController

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use App\User;
use Spatie\Permission\Models\Role;
use DB;
use Hash;

class UserController extends Controller
{
    public function construct() 
    {
        $this -> middleware('permission:user-list', ['only' => ['index']]);

    }
    /**
     * Display a listing of the resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function index(Request $request)
    {
        $data = User::orderBy('id','DESC') -> paginate(5);
        return view('users.index' , compact('data')) -> with('i' , ($request->input('page', 1) - 1) * 5);
    }

    /**
     * Show the form for creating a new resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function create()
    {
        $roles = Role::pluck('name','name') -> all();
        return view('users.create',compact('roles'));
    }

    /**
     * Store a newly created resource in storage.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function store(Request $request)
    {
        $this->validate($request, [
            'name' => 'required',
            'email' => 'required|email|unique:users,email',
            'password' => 'required|same:confirm-password',
            'roles' => 'required'
        ]);
        $input = $request -> all();
        $input['password'] = Hash::make($input['password']);
        $user = User::create($input);
        $user -> assignRole($request -> input('roles'));
        return redirect() -> route('users.index') -> with('success','User created successfully');
    }

    /**
     * Display the specified resource.
     *
     * @param  int  $id
     * @return \Illuminate\Http\Response
     */
    public function show($id)
    {
        $user = User::find($id);
        return view('users.show',compact('user'));
    }

    /**
     * Show the form for editing the specified resource.
     *
     * @param  int  $id
     * @return \Illuminate\Http\Response
     */
    public function edit($id)
    {
        $user = User::find($id);
        $roles = Role::pluck('name','name') -> all();
        $userRole = $user->roles -> pluck('name','name') -> all();
        return view('users.edit',compact('user','roles','userRole'));
    }

    /**
     * Update the specified resource in storage.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  int  $id
     * @return \Illuminate\Http\Response
     */
    public function update(Request $request, $id)
    {
        $this -> validate($request, [
            'name' => 'required',
            'email' => 'required|email|unique:users,email,'.$id,
            'password' => 'same:confirm-password',
            'roles' => 'required'
        ]);
        $input = $request->all();
        if( ! empty($input['password'])) { 
            $input['password'] = Hash::make($input['password']);
        } else {
            $input = array_except($input,array('password'));    
        }
        $user = User::find($id);
        $user -> update($input);
        DB::table('model_has_roles') -> where('model_id',$id) -> delete();
        $user -> assignRole($request -> input('roles'));
        return redirect() -> route('users.index') -> with('success','User updated successfully');
    }

    /**
     * Remove the specified resource from storage.
     *
     * @param  int  $id
     * @return \Illuminate\Http\Response
     */
    public function destroy($id)
    {
        User::find($id) -> delete();
        return redirect() -> route('users.index')  -> with('success','User deleted successfully');
    }
}

结果[尽管没有查看此页面的权限,我仍然可以在前端查看此Blade]

enter image description here

这是我的角色拥有权限表role-has-permission

这是我的角色表 role

这是我的权限表 permissions

这是我的具有模型的表model-has-roles

这是我的模型拥有权限表model-has-permissions

1 个答案:

答案 0 :(得分:0)

如果您想限制特定的路线或全部操作,可以执行以下操作:

Route::middleware(['auth', 'permission:user-list'])->group(function (){

Route::get('/create', 'WelcomeController@create')->name('welcome');
 ...
 ...
 ..

});

或者您可以替换

public function construct() 
{
    $this -> middleware('permission:user-list', ['only' => ['index']]);

}

public function construct() 
{
    $this -> middleware('permission:user-list')->except(['index']);

}