php - How is Model::find($id) secure in Laravel?
Question

I have an app where I create entries based on who is signed in. If I use the find($id) method it returns a json response. The function is like this:
    public function edit($id)
    {
        $chore = Chore::find($id);
        return response()->json($chore);
    }
Now if I were to edit the id value I might be able to access other users' data, which isn't secure at all. So I added an extra column user_id that checks who is signed in:
    public function edit($id)
    {
        $chore = Chore::find($id)
            ->where('user_id', Auth::id());
        return response()->json($chore);
    }
But of course laravel can't make it easy so it doesn't work. Adding ->get() returns an array instead of a json response.

First of all, how is find($id) ever secure in any app that uses authentication, and secondly, how do I add another condition under the find($id) clause? I need data returned in JSON, otherwise I will need to rewrite all my front-end, which isn't ideal at this point.
I also tried:
    public function edit($id)
    {
        $chore = Chore::where('id', $id)
            ->where('user_id', Auth::id());
        return response()->json($chore);
    }

but no luck.
Answer

If Chore has a one-to-one relationship with your User model, you can define the relationship in your User.php model.
    public function chore() {
        return $this->hasOne(Chore::class);
    }
Then in your controller you can simply call auth()->user()->chore.

Eloquent's find() method only looks up a single record by its primary key. It is perfectly safe as long as you add extra validation. You can use route model binding to simplify the code.

web.php

    Route::get('/chore/{chore}/', 'ChoreController@edit');

Then in your controller:
    public function edit(Chore $chore)
    {
        // Strict inequality: `! $chore->user_id === auth()->id()` would negate
        // user_id first and compare a bool to an int, so it never fires.
        if ($chore->user_id !== auth()->id()) {
            // throw an error or redirect, or whatever
        }
        return response()->json($chore);
    }
To simplify the controller further, you can create a form request and inject it into the controller method like a regular request (https://laravel.com/docs/7.x/validation#authorizing-form-requests). Then you can move the validation into your form request. It should look like this:
    public function authorize() {
        return $this->route('chore')->user_id === $this->user()->id;
    }
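The following is an added example that is not part of the question or the answer above. It puts the three pieces side by side: the unscoped find() from the question (an insecure direct object reference, since any logged-in user can read any chore by changing the id), the lookup scoped to the current user, and the route-model-binding variant with an ownership check, plus the form request the answer describes. It assumes a Laravel app with the question's Chore model, a chores.user_id column, and the default auth guard; the class and method names other than those on the page are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes a Laravel app with
// the question's Chore model (App\Chore), a `chores.user_id` foreign key and
// a user signed in through the default guard.

namespace App\Http\Controllers;

use App\Chore;
use App\Http\Requests\EditChoreRequest; // hypothetical form request, defined below
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Auth;

class ChoreController extends Controller
{
    // The form from the question: the only input is the URL id, so every
    // authenticated user can read every chore. Kept only for contrast.
    public function editUnsafe($id): JsonResponse
    {
        $chore = Chore::find($id);
        return response()->json($chore);
    }

    // Scope the query to the current user *before* fetching. find() and
    // findOrFail() are query-builder methods, so they chain after where();
    // the asker's attempt chained where() after find(), but find() had
    // already run the query and returned a model (or null), not a builder.
    public function edit($id): JsonResponse
    {
        $chore = Chore::where('user_id', Auth::id())->findOrFail($id);
        // Someone else's chore yields the same 404 as a missing one, so the
        // response does not reveal which ids exist.
        return response()->json($chore);
    }

    // Route model binding (Route::get('/chore/{chore}', ...)) resolves the
    // model for us; the ownership check still has to be explicit. Strict
    // inequality avoids the `! $a === $b` precedence mistake.
    public function editBound(Chore $chore): JsonResponse
    {
        abort_if($chore->user_id !== Auth::id(), 403);
        return response()->json($chore);
    }

    // Same check moved into a form request: Laravel runs authorize() before
    // the method body and answers 403 itself when it returns false.
    public function editViaRequest(EditChoreRequest $request, Chore $chore): JsonResponse
    {
        return response()->json($chore);
    }
}

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

// Hypothetical form request carrying the ownership check from the answer.
class EditChoreRequest extends FormRequest
{
    public function authorize(): bool
    {
        // route('chore') is the bound Chore model for the {chore} segment.
        return $this->route('chore')->user_id === $this->user()->id;
    }

    public function rules(): array
    {
        return [];
    }
}
```

Both user_id and the authenticated user's id come from the database through the same connection, so the strict comparison sees matching types; if a custom guard returns the id as a string, cast both sides to int before comparing.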