$this->authorize('update', $topic); is not authorizing correctly and does not filter out users without permission. What should I do?
As the title says, $this->authorize('update', $topic); is not working correctly. I logged in as the user with ID 1, and every topic could be modified.
class TopicsController extends Controller
{
    ...
    public function update(TopicRequest $request, Topic $topic)
    {
        $this->authorize('update', $topic); // this line has no effect
        return '通过';
    }
}
The result of running it in Postman is shown in the screenshot below; I deliberately chose topic ID 8.
Route screenshot:
$api->patch('topics/{topic}', 'TopicsController@update')->name('api.topics.update');
Database data screenshot:
TopicPolicy screenshot:
class TopicPolicy extends Policy
{
    public function update(User $user, Topic $topic)
    {
        return $topic->user_id === $user->id;
    }
}
Dumping $topic:
public function update(TopicRequest $request, Topic $topic)
{
    $this->authorize('update', $topic);
    return $this->response->item($topic, new TopicTransformer());
}
Dumping the current user:
public function update(TopicRequest $request, Topic $topic)
{
    $this->authorize('update', $topic);
    $user = $this->user();
    return $this->response->item($user, new UserTransformer());
}
I am logged in as the user with ID 1, so why can I still modify the topic with ID 8??
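The ownership rule in TopicPolicy::update can be exercised on its own, outside the framework, to confirm what it allows and denies. The script below is an added example, not the asker's code and not Laravel's: User, Topic and authorize() are constructed stand-ins for the Eloquent models and Controller::authorize(), and Gate/policy resolution is replaced by a direct call to the policy method.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code, not Laravel's): exercises the same
// ownership rule as TopicPolicy::update outside the framework. User, Topic and
// authorize() are constructed stand-ins; there is no Gate or policy registry here.

final class User
{
    public function __construct(public int $id) {}
}

final class Topic
{
    // user_id accepts int|string so the script can show what a non-int owner id does.
    public function __construct(public int $id, public int|string $user_id) {}
}

final class TopicPolicy
{
    // Same rule as in the question: only the topic's owner may update it.
    public function update(User $user, Topic $topic): bool
    {
        return $topic->user_id === $user->id;
    }
}

// Stand-in for $this->authorize('update', $topic): throws on denial, as Laravel's
// AuthorizationException does, instead of returning a value the caller could ignore.
function authorize(TopicPolicy $policy, User $user, Topic $topic): void
{
    if ($policy->update($user, $topic) !== true) {
        throw new RuntimeException(
            "This action is unauthorized (user {$user->id}, topic {$topic->id})."
        );
    }
}

// Returns 'allowed' or a 'denied: ...' message for one request.
function attemptUpdate(TopicPolicy $policy, User $user, Topic $topic): string
{
    try {
        authorize($policy, $user, $topic);
        return 'allowed';
    } catch (RuntimeException $e) {
        return 'denied: ' . $e->getMessage();
    }
}

$policy  = new TopicPolicy();
$userOne = new User(id: 1); // the account the asker logged in with

// Constructed sample data mirroring the question: topic 8 belongs to another user.
$cases = [
    'own topic (user_id 1)'        => new Topic(id: 3, user_id: 1),
    'topic 8 owned by user 8'      => new Topic(id: 8, user_id: 8),
    'own topic, user_id as string' => new Topic(id: 5, user_id: '1'),
];

foreach ($cases as $label => $topic) {
    printf("%-30s => %s\n", $label, attemptUpdate($policy, $userOne, $topic));
}
```

Run with `php` on the command line. The first case is allowed and the second denied, so the rule itself rejects a cross-owner update; if the application still lets user 1 through on topic 8, the cause lies in how the check is wired rather than in this method (for instance whether the policy is actually registered for the Topic model, whether a `before` hook on the base Policy class returns true, or which user the API guard resolves). The third case shows the other side of `===`: it compares types as well as values, so an owner id that arrives as the string "1" is denied even though it belongs to the logged-in user.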