
Being new to CakePHP, I could not help noticing an apparent failure in authorization. Continuing the CMS tutorial, when I added the authorization code and logged in as user1 on the articles/add page, everything was fine. Then I picked a user from the drop-down list (after running the `cake bake all articles` command and re-modifying ArticlesController.php following the tutorial, without modifying the .ctp files), user ID = 2, created an article and was able to save it, even though I was logged in as user1, user ID = 1! I found that strange too. I then tried to edit user2's article and it correctly gave an "Unauthorized access error", but when I tried to edit user1's own article it gave the following error:

Notice (8): Trying to get property 'user_id' of non-object [APP/Controller\ArticlesController.php, line 154]

Warning (512): Unable to emit headers. Headers sent in file=D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php line=856 [CORE\src\Http\ResponseEmitter.php, line 51]

Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 152]

Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]

Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]

Warning (2): Cannot modify header information - headers already sent by (output started at D:\dev\cakePHP\projects\cake_cms\vendor\cakephp\cakephp\src\Error\Debugger.php:856) [CORE\src\Http\ResponseEmitter.php, line 181]

The code corresponding to the error message (ArticlesController.php, line 154) is as follows:

    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');
        // The add and tags actions are always allowed to logged in users.
        if (in_array($action, ['add', 'tags'])) {
            return true;
        }

        // All other actions require a slug.
        $slug = $this->request->getParam('pass.0');
        if (!$slug) {
            return false;
        }

        // Check that the article belongs to the current user.
        $article = $this->Articles->findBySlug($slug)->first();

        // line 154
        return $article->user_id === $user['id'];
    }

This means the edit function does not work regardless of which user is logged in.

So here is my question:
  1. How does authorization work when a user (say user1) tries to save an article with a user ID other than his own?
  2. Why does the authorization code not allow user1 to edit his own article?

Thanks in advance, Sloop


1 Answer


The failure message (line 154) shows that $article never gets the correct value it should have, which means $slug never gets the right value, even though it is non-zero. I found the problem. It turns out I was using find by Id (auto code generation) in edit() instead of findBySlug() as suggested in the tutorial's code, so the call $slug = $this->request->getParam('pass.0'); returns the article's Id rather than a $slug value. If one uses the bin\cake bake all articles command to auto-generate most of the code, it comes with find by Id instead of findBySlug(). So the authorization code should look like this:

    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');
        // The add and tags actions are always allowed to logged in users.
        if (in_array($action, ['add', 'tags'])) {
            return true;
        }

        // All other actions require a slug.
        $id = $this->request->getParam('pass.0');
        if (!$id) {
            return false;
        }

        // Check that the article belongs to the current user.
        $article = $this->Articles->get($id);

        return $article->user_id === $user['id'];
    }

With the above change, only the authorized user is allowed to edit, and all other users are blocked.

This only answers the second question; the first question remains open.

answered 2019-11-16T20:39:48.690
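For the first question, which the answer leaves open, one defensive pattern is to never accept the owner from the form at all: exclude user_id from mass assignment and set it from the session, and have the ownership check deny on a missing article instead of dereferencing null. The following is an added example, not code from the question, the answer or the CakePHP CMS tutorial; it assumes CakePHP 3.x with the Auth and Flash components loaded in AppController and slug-based lookup as in the tutorial.

```php
<?php
// Added example: CakePHP 3.x ArticlesController fragment. Assumes the Auth and
// Flash components are loaded in AppController (as bake and the CMS tutorial do).
namespace App\Controller;

class ArticlesController extends AppController
{
    public function add()
    {
        $article = $this->Articles->newEntity();
        if ($this->request->is('post')) {
            // Mass-assignment guard: any user_id the form posted (for example a
            // tampered drop-down) is dropped before the entity is populated.
            $article = $this->Articles->patchEntity(
                $article,
                $this->request->getData(),
                ['accessibleFields' => ['id' => false, 'user_id' => false]]
            );
            // Ownership comes from the authenticated session, never from input.
            $article->user_id = $this->Auth->user('id');
            if ($this->Articles->save($article)) {
                $this->Flash->success(__('Your article has been saved.'));
                return $this->redirect(['action' => 'index']);
            }
            $this->Flash->error(__('Unable to add your article.'));
        }
        $this->set('article', $article);
    }

    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');
        // The add and tags actions are always allowed to logged-in users.
        if (in_array($action, ['add', 'tags'], true)) {
            return true;
        }
        $slug = $this->request->getParam('pass.0');
        if (!$slug) {
            return false;
        }
        // A miss returns null; deny rather than dereference it (the line 154 notice).
        $article = $this->Articles->findBySlug($slug)->first();
        if ($article === null) {
            return false;
        }
        // Cast both sides so an int/string mismatch cannot silently deny or allow.
        return (int)$article->user_id === (int)$user['id'];
    }
}
```

If the baked controller looks articles up by id, as in the answer, the same two guards apply unchanged to `add()`, and `isAuthorized()` can keep `$this->Articles->get($id)`, which raises a 404 instead of returning null.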