• 當(dāng)一個(gè)web系統(tǒng)有登錄功能時(shí)，那么有些頁面只有當(dāng)用戶登錄后才能訪問趁舀，有些頁面登錄后就不能再訪問赖捌，這個(gè)時(shí)候laravel的中間件限制越權(quán)訪問功能就派上用場(chǎng)了，上代碼。

• 未登錄用戶不能訪問http://student.dev/admin/index越庇，控制器位于app/Http/Controllers/Admin/IndexController.php

<?php

namespace App\Http\Controllers\Admin;

class IndexController extends BaseController
{
    public function __construct()
    {
        // 未登錄用戶只能訪問index頁面罩锐，訪問其他頁面即跳轉(zhuǎn)至登錄頁面
        $this->middleware('auth', [
            'except' => ['index']
        ]);

        // 只準(zhǔn)未登錄用戶訪問，已登錄用戶不能訪問
        $this->middleware('guest', [
            'only' => ['index', 'login']
        ]);
    }

    public function index()
    {
        return view('admin.index');
    }
}

• 用戶只能編輯自己的資料

$ php artisan make:policy UserPolicy

• 讓我們?yōu)槟J(rèn)生成的用戶授權(quán)策略添加 update 方法卤唉，用于用戶更新時(shí)的權(quán)限驗(yàn)證涩惑。app/Policies/UserPolicy.php

<?php

namespace App\Policies;

use Illuminate\Auth\Access\HandlesAuthorization;
use App\Models\User;

class UserPolicy
{
    use HandlesAuthorization;

    public function update(User $currentUser, User $user)
    {
        return $currentUser->id === $user->id;
    }
}

• 為用戶模型 User 指定授權(quán)策略 UserPolicy：app/Providers/AuthServiceProvider.php

<?php

namespace App\Providers;
.
,
.
class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
        \App\Models\User::class  => \App\Policies\UserPolicy::class,
    ];
}

• 在用戶控制器中使用 authorize 方法來驗(yàn)證用戶授權(quán)策略:app/Http/Controllers/UsersController.php

<?php

namespace App\Http\Controllers;
.
.
.
class UsersController extends Controller
{
    .
    .
    .
    public function edit(User $user)
    {
        $this->authorize('update', $user);
        return view('users.edit', compact('user'));
    }

    public function update(User $user, Request $request)
    {
        $this->validate($request, [
            'name' => 'required|max:50',
            'password' => 'nullable|confirmed|min:6'
        ]);

        $this->authorize('update', $user);

        $data = [];
        $data['name'] = $request->name;
        if ($request->password) {
            $data['password'] = bcrypt($request->password);
        }
        $user->update($data);

        session()->flash('success', '個(gè)人資料更新成功！');

        return redirect()->route('users.show', $user->id);
    }
}