laravel - 基于 Laravel/Spatie 权限的访问控制器资源

问题描述

我正在研究 Laravel 护照 API，其中我使用 spatie 包来获取用户角色和权限。我必须根据用户权限执行某些操作（'store'、'view'、'update'、'delete'）。为此，我创建了一个特征并在控制器中使用，但它无法正常工作。在每个 api 请求上，无论用户是否有权限，它都会抛出一个异常“此操作未经授权”。

授权特征：

<?php

namespace App;
/*
 * A trait to handle authorization based on users permissions for given controller
 */

trait Authorizable
{
    /**
     * Abilities
     *
     * @var array
     */
    private $abilities = [
        'index' => 'view',
        'edit' => 'edit',
        'show' => 'view',
        'update' => 'edit',
        'create' => 'add',
        'store' => 'add',
        'destroy' => 'delete'
    ];

    /**
     * Override of callAction to perform the authorization before it calls the action
     *
     * @param $method
     * @param $parameters
     * @return mixed
     */
    public function callAction($method, $parameters)
    {
        if( $ability = $this->getAbility($method) ) {
            $this->authorize($ability);
        }

        return parent::callAction($method, $parameters);
    }

    /**
     * Get ability
     *
     * @param $method
     * @return null|string
     */
    public function getAbility($method)
    {
        $routeName = explode('.', \Request::route()->getName());
        $action = array_get($this->getAbilities(), $method);

        return $action ? $action . '_' . $routeName[0] : null;
    }

    /**
     * @return array
     */
    private function getAbilities()
    {
        return $this->abilities;
    }

    /**
     * @param array $abilities
     */
    public function setAbilities($abilities)
    {
        $this->abilities = $abilities;
    }
}

路线：

Route::middleware('auth:api')->group(function () {
        Route::post('user', 'ApiController@user');
        Route::post('view_department', 'DepartmentController@index');
        Route::post('add_department', 'DepartmentController@store');
        Route::post('edit_department', 'DepartmentController@update');
        Route::post('delete_department', 'DepartmentController@destroy');

        Route::post('/logout', 'ApiController@logout');
    }); // auth middleware ends

控制器：

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Carbon\Carbon;
use App\User;
use App\Authorizable;
use Illuminate\Support\Facades\Validator;
use App\Department;
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

class DepartmentController extends Controller
{
     use Authorizable;

        //
    public function index(Request $request) {

        // return response
        return response()->json([
            'success' => 'You have the permission to view departments!']);
    }

    //
    public function store(Request $request) {
        // validate the posted data
        $validator = Validator::make($request->all(), [
            'name' => 'required|string|unique:departments',
        ]);
        // return errors
        if ($validator->fails())
        {
            return response(['errors'=>$validator->errors()->all()]);
        }

        $department = new Department;
        $department->name = $request->name;
        $department->save();

        // return response
        return response()->json([
            'success' => 'Successfully created department!']);
    }
}

我的堆栈很糟糕，不知道我哪里出错了。如果有人指导我完成此操作，我将不胜感激。谢谢，

标签： laravelpermissionstraitslaravel-permission