- Parent view
// auth()->user()可以获取当前用户信息
<a href="{{route('user.edit', auth()->user())}}" class="btn btn-danger my-2 my-sm-0 mr-2">修改</a>
- edit method (responsible for modifying the page) resource controller
public function edit(User $user)
{
return view('user.edit', compact('user'));
}
- Child view
@extends('layouts.default')
@section('content')
<form action={{route('user.update', $user)}} method="post">
@csrf
{{-- 模拟put方法--}}
@method('PUT')
<div class="card">
<div class="card-body">
<div class="form-group">
<label for="">昵称</label>
<input type="text" class="form-control" name="name" value={{$user->name}}>
</div>
<div class="form-group">
<label for="">密码</label>
<input type="text" class="form-control" name="password">
</div>
<div class="form-group">
<label for="">确认密码</label>
<input type="text" class="form-control" name="password_confirmation">
</div>
</div>
<div class="card-footer text-muted">
<button type="submit" class="btn btn-success">修改</button>
</div>
</div>
</form>
@endsection
- update method resource controller (responsible for validating and updating)
public function update(Request $request, User $user)
{
$request->validate([
'name' => 'required|min:3',
'password' => 'nullable|min:5|confirmed'
]);
session()->flash('success', '修改成功');
// 数据更新
$user->name = $request->name;
if ($request->password) {
$user->password = bcrypt($request->password);
}
$user->save();
return redirect()->route('user.show', $user);
}
save and create methods can be used to create data, but save can be used to update the data
- Additional auth middleware in the controller, did not prevent the landing of the user to modify the data
public function __construct()
{
$this->middleware('auth')->except('create', 'index', 'show');
}
The following three methods similar
// except为排除'create', 'index', 'show'方法执行中间件
$this->middleware('auth')->except('create', 'index', 'show');
$this->middleware('auth', [
'except' => ['create', 'index', 'show']
]);
// only为只对'show'方法执行中间件
$this->middleware('auth')->only('show');
- Using the model to handle user authorization policy actions to prevent unauthorized users from modifying information
Policy checksum logic is actually transferred from the controller to the model corresponding to the policy (UserPolicy) in.
Policy document generation
// 添加--modle使之与模型关联
php artisan make:policy --modle=User UserPolicy
Registration Policy document
registered in the policies of the strategy array app / Providers / AuthServiceProvider.php, the User model will be bundled with UserPolicy corresponding strategies.
Before Laravel 5.8 version, the relationship between the model and the strategies to be displayed bind
protected $policies = [
// 'App\Model' => 'App\Policies\ModelPolicy',
'App\User' => UserPolicy::class,
];
5.8 auto-discovery mechanism introduced model strategy, but need to follow certain norms, that policy must be in class Policies Catalog model class resides. For example App \ User corresponds App \ Policies \ UserPolicy, if it is App \ Models \ User, then it needs to correspond App \ Models \ Policies \ UserPolicy.
Writing validation logic
public function update(User $user, User $model)
{
return $user->id == $model->id;
}
Model strategy implemented in the controller
public function edit(User $user)
{
// 使用模型策略
$this->authorize('update', $user);
The first parameter representation authorize verified using this update method UserPolicy inside.
