In a policy's destroy(User $user, Sentence $sentence), where does the User come from?

$this->authorize('destroy', $sentence);

destroy(User $user, Sentence $sentence)

Where is the User obtained from?

Number of replies: 3
liyu001989

Take a look at the authorize method and you'll understand.

6 years ago · Comment

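It's a fixed convention: the framework automatically injects the instance of the currently logged-in user, so that $user represents the currently logged-in user.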

5 years ago · Comment
  • The \Illuminate\Auth\Access\Gate::raw method:

        public function raw($ability, $arguments = [])
        {
            $arguments = Arr::wrap($arguments);
    
            $user = $this->resolveUser();
    
            // First we will call the "before" callbacks for the Gate. If any of these give
            // back a non-null response, we will immediately return that result in order
            // to let the developers override all checks for some authorization cases.
            $result = $this->callBeforeCallbacks(
                $user, $ability, $arguments
            );
    
            if (is_null($result)) {
                $result = $this->callAuthCallback($user, $ability, $arguments);
            }
    
            // After calling the authorization callback, we will call the "after" callbacks
            // that are registered with the Gate, which allows a developer to do logging
            // if that is required for this application. Then we'll return the result.
            return $this->callAfterCallbacks(
                $user, $ability, $arguments, $result
            );
        }
  • As you can see, the line $user = $this->resolveUser(); fetches the current user, and $this->callAuthCallback($user, $ability, $arguments); invokes the callback, which is ultimately called at $policy->{$method}($user, ...$arguments) in \Illuminate\Auth\Access\Gate::callPolicyMethod. See the first parameter, $user? That is the $user injected by the framework.

        /**
         * Call the appropriate method on the given policy.
         *
         * @param  mixed  $policy
         * @param  string  $method
         * @param  \Illuminate\Contracts\Auth\Authenticatable|null  $user
         * @param  array  $arguments
         * @return mixed
         */
        protected function callPolicyMethod($policy, $method, $user, array $arguments)
        {
            // If this first argument is a string, that means they are passing a class name
            // to the policy. We will remove the first argument from this argument array
            // because this policy already knows what type of models it can authorize.
            if (isset($arguments[0]) && is_string($arguments[0])) {
                array_shift($arguments);
            }

            if (! is_callable([$policy, $method])) {
                return null;
            }

            if ($this->canBeCalledWithUser($user, $policy, $method)) {
                return $policy->{$method}($user, ...$arguments); // this is the place
            }
        }
  • The trace is as follows:
        App\Policies\TopicPolicy->update()
        Illuminate\Auth\Access\Gate->callPolicyMethod()
        Illuminate\Auth\Access\Gate->callAuthCallback()
        Illuminate\Auth\Access\Gate->raw()
        Illuminate\Auth\Access\Gate->authorize()
        App\Http\Controllers\Api\TopicsController->authorize()
        App\Http\Controllers\Api\TopicsController->update()
5 years ago · Comment
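
The dispatch traced in the answers above, as an added example that is not part of the thread and not Laravel's own code: the gate resolves the user itself and prepends it to the policy call, so the caller only ever passes the model, and a guest (null user) is denied. `MiniGate`, `User`, `Sentence`, `SentencePolicy` and the resolver closures are hypothetical stand-ins, and the guest check is an assumption modelled on the `canBeCalledWithUser` call shown in `callPolicyMethod`.

```php
<?php
// Added example: a stand-in for the Gate dispatch quoted above, not Laravel's code.
// MiniGate, User, Sentence and SentencePolicy are hypothetical names.

final class User { public function __construct(public int $id) {} }
final class Sentence { public function __construct(public int $user_id) {} }

final class SentencePolicy
{
    // $user is supplied by the gate; the controller only passes $sentence.
    public function destroy(User $user, Sentence $sentence): bool
    {
        return $user->id === $sentence->user_id;
    }
}

final class MiniGate
{
    /** @param array<class-string, object> $policies model class => policy instance */
    public function __construct(private Closure $userResolver, private array $policies) {}

    public function allows(string $ability, object $model): bool
    {
        $user = ($this->userResolver)();          // plays the role of resolveUser()
        $policy = $this->policies[$model::class] ?? null;
        if ($policy === null || ! is_callable([$policy, $ability])) {
            return false;                         // no matching policy method: deny
        }
        // Guest (null user): only call the method if its first parameter accepts null.
        $first = (new ReflectionMethod($policy, $ability))->getParameters()[0] ?? null;
        if ($user === null && ! ($first?->getType()?->allowsNull() ?? false)) {
            return false;
        }
        return (bool) $policy->{$ability}($user, $model);  // resolved user goes first
    }
}

$policies = [Sentence::class => new SentencePolicy()];
$sentence = new Sentence(user_id: 1);             // constructed sample data

// Each resolver stands in for "whoever is authenticated on this request".
$asOwner = new MiniGate(fn () => new User(1), $policies);
$asOther = new MiniGate(fn () => new User(2), $policies);
$asGuest = new MiniGate(fn () => null, $policies);

var_dump($asOwner->allows('destroy', $sentence));
var_dump($asOther->allows('destroy', $sentence));
var_dump($asGuest->allows('destroy', $sentence));
```

Only the owner's gate returns true. Because the user comes from the resolver and never from the `authorize()` arguments, request input cannot choose which user the policy evaluates.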
