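Scenario: an order created by the current user may only be viewed by that same user. This can be implemented with an authorization policy class (Policy).
1. php artisan make:policy OrderPolicy
Once the command succeeds, the generated class contains only a constructor by default. Because the check involves both the user and the order, inject both of them into the policy method. The check passes only when the order's user ID equals the user's ID.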
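namespace App\Policies;

use App\Order; // assumed model namespace; adjust to your application
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class OrderPolicy
{
    use HandlesAuthorization;

    // Allow access only when the order belongs to the given user.
    public function own(User $user, Order $order)
    {
        return $order->user_id == $user->id;
    }
}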
2. Use it in the controller as follows:
$this->authorize('own', $order);
3. Version 5.8 can be configured to load policies automatically, so the policy no longer needs to be registered.
Providers/AuthServiceProvider.php
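namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        // 'App\Model' => 'App\Policies\ModelPolicy',
    ];

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();

        // Resolve the policy for any model as App\Policies\<ModelBasename>Policy.
        Gate::guessPolicyNamesUsing(function ($class) {
            return '\\App\\Policies\\'.class_basename($class).'Policy';
        });
    }
}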
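To confirm that the `own` policy above really blocks access to another user's order, a regression test can exercise it through the Gate. This is an added example, not code from the original post; it assumes the models are `App\User` and `App\Order`, and the test class name is hypothetical.

```php
<?php

namespace Tests\Unit;

use App\Order; // assumed model namespace
use App\User;  // Laravel 5.8 default user model
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class OrderPolicyTest extends TestCase
{
    // Unsaved in-memory models (constructed sample data, no database needed).
    private function user($id)
    {
        $user = new User;
        $user->id = $id;
        return $user;
    }

    private function order($userId)
    {
        $order = new Order;
        $order->user_id = $userId;
        return $order;
    }

    public function testOwnerIsAllowed()
    {
        $this->actingAs($this->user(1));
        $this->assertTrue(Gate::allows('own', $this->order(1)));
        // Some database drivers return the foreign key as a string; the policy's == still matches.
        $this->assertTrue(Gate::allows('own', $this->order('1')));
    }

    public function testOtherUserIsDenied()
    {
        $this->actingAs($this->user(2));
        $this->assertTrue(Gate::denies('own', $this->order(1)));
    }

    public function testAuthorizeThrowsForOtherUser()
    {
        // The controller's $this->authorize() goes through the same Gate; Laravel renders this exception as HTTP 403.
        $this->actingAs($this->user(2));
        $this->expectException(AuthorizationException::class);
        Gate::authorize('own', $this->order(1));
    }
}
```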