
I know this is a complex case, but maybe one of you has an idea how to do this.

Concept

I have the following process in my API:

  1. Process the query string parameters (FormRequest)
    • Replace key aliases with the preferred key
    • Map string parameters to arrays where an array is expected
    • Set default values (including parameters based on Auth::user() for ids)
    • etc.
  2. Check whether the user is allowed to execute the request (Middleware)
    • Use the processed (validated and sanitized) query parameters → otherwise I would have to handle exceptions for every possible alias and mapping and check whether the parameters have been checked, which doesn't seem reasonable to me.

Problem

However, if you simply assign the middleware to the route via ->middleware('middlewareName') and the FormRequest to the controller method via dependency injection, the middleware is called first and the FormRequest afterwards. As described above, that is not what I need.

Workaround

I first tried dependency injection on the middleware, but that didn't work.

My solution was to assign the middleware in the controller constructor. Dependency injection works here, but suddenly Auth::user() returns null.

Then I came across the FormRequest::createFrom($request) method in \Illuminate\Foundation\Providers\FormRequestServiceProvider.php:34 and the possibility of passing the $request object to the middleware's handle() method. The result looks like this:

public function __construct(Request $request)
{
    $middleware = new MyMiddleware();

    // Wrap the incoming request in the FormRequest before handing it to the middleware
    $request = MyRequest::createFrom($request);

    $middleware->handle($request, function() {});
}

But now the request isn't validated. Calling $request->validated() simply returns nothing. So I dug a little deeper and found that $resolved->validateResolved(); is already done in \Illuminate\Foundation\Providers\FormRequestServiceProvider.php:30, but this doesn't seem to trigger the validation, because it throws an exception saying that this method cannot be called on null, although $request is not null:

Call to a member function valid() on null

Now I'm completely stuck. Does anyone know how to solve this, or am I doing something wrong?

Thanks in advance!

1 Answer

I think I came up with a better way to do this.

My misunderstanding

While middleware is meant for authentication, I was doing authorization there, so I have to use a Gate.

Resulting code

Controller

...
public function getData(MyRequest $request)
{
    $filters = $request->query();
    // execute queries
}
...

Form Request

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;

class MyRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return Gate::allows('get-data', $this);
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            // ...
        ];
    }

    /**
     * Prepare the data for validation.
     *
     * @return void
     */
    protected function prepareForValidation()
    {
        $this->replace($this->cleanQueryParameters($this->query()));
    }

    private function cleanQueryParameters($queryParams): array
    {
        $queryParams = array_filter($queryParams, function($param) {
            return is_array($param) ? count($param) : strlen($param);
        });
        $defaultStartDate = (new \DateTime())->modify('monday next week');
        $defaultEndDate = (new \DateTime())->modify('friday next week');
        $defaults = [
            'article.created_by_id' => self::getDefaultEmployeeIds(),
            'date_from' => $defaultStartDate->format('Y-m-d'),
            'date_to' => $defaultEndDate->format('Y-m-d')
        ];
        $aliases = [
            // ...
        ];
        $mapper = [
            // ...
        ];
        foreach($aliases as $alias => $key) {
            if (array_key_exists($alias, $queryParams)) {
                $queryParams[$key] = $queryParams[$alias];
                unset($queryParams[$alias]);
            }
        }
        foreach($mapper as $key => $fn) {
            if (array_key_exists($key, $queryParams)) {
                $fn($queryParams, $key);
            }
        }
        $allowedFilters = array_merge(
            Ticket::$allowedApiParameters,
            array_map(function(string $param) {
                return 'article.'.$param;
            }, TicketArticle::$allowedApiParameters)
        );
        $arrayProps = [
            // ..
        ];
        foreach($queryParams as $param => $value) {
            if (!in_array($param, $allowedFilters) && !in_array($param, ['date_from', 'date_to'])) {
                abort(400, 'Filter "'.$param.'" not found');
            }
            if (in_array($param, $arrayProps)) {
                $queryParams[$param] = guarantee('array', $value);
            }
        }
        return array_merge($defaults, $queryParams);
    }
}

use Illuminate\Auth\Access\Response;
use Illuminate\Support\Facades\Log;

class MyGate
{
    /**
     * Gate callback for the 'get-data' ability checked in MyRequest::authorize().
     * Receives the already cleaned FormRequest, so alias and mapping handling is done by then.
     *
     * @param  User  $user
     * @param  MyRequest  $request
     * @return \Illuminate\Auth\Access\Response
     */
    public function authorizeGetDataCall(User $user, MyRequest $request): Response
    {
        Log::info('[MyGate] Checking permissions …');

        if (in_array(LDAPGroups::Admin, session('PermissionGroups', []))) {
            // no further checks needed
            Log::info('[MyGate] User is administrator. No further checks needed');
            return Response::allow();
        }

        if (
            ($request->has('group') && !in_array(Group::toLDAPGroup($request->get('group')), session('PermissionGroups', []))) ||
            $request->has('owner.department') && !in_array(Department::toLDAPGroup($request->query('owner.department')), session('PermissionGroups', [])) ||
            $request->has('creator.department') && !in_array(Department::toLDAPGroup($request->query('creator.department')), session('PermissionGroups', []))
        ) {
            Log::warning('[MyGate] Access denied due to insufficient group/department membership', [ 'group/department' =>
                $request->has('group') ?
                    Group::toLDAPGroup($request->get('group')) :
                ($request->has('owner.department') ?
                    Department::toLDAPGroup($request->query('owner.department')) :
                ($request->has('creator.department') ?
                    Department::toLDAPGroup($request->query('creator.department')) :
                null))
            ]);
            return Response::deny('Access denied');
        }
        if ($request->has('customer_id') || $request->has('article.created_by_id')) {
            $ids = [];
            if ($request->has('customer_id')) {
                $ids = array_merge($ids, $request->query('customer_id'));
            }
            if ($request->has('article.created_by_id')) {
                $ids = array_merge($ids, $request->query('article.created_by_id'));
            }
            $users = User::find($ids);
            $hasOtherLDAPGroup = !$users->every(function($user) {
                return in_array(Department::toLDAPGroup($user->department), session('PermissionGroups', []));
            });
            if ($hasOtherLDAPGroup) {
                Log::warning('[MyGate] Access denied due to insufficient permissions to see specific other user\'s data', [ 'ids' => $ids ]);
                return Response::deny('Access denied');
            }
        }
        if ($request->has('owner.login') || $request->has('creator.login')) {
            $logins = [];
            if ($request->has('owner.login')) {
                $logins = array_merge(
                    $logins,
                    guarantee('array', $request->query('owner.login'))
                );
            }
            if ($request->has('creator.login')) {
                $logins = array_merge(
                    $logins,
                    guarantee('array', $request->query('creator.login'))
                );
            }
            $users = User::where([ 'samaccountname' => $logins ])->get();
            $hasOtherLDAPGroup = !$users->every(function($user) {
                return in_array(Department::toLDAPGroup($user->department), session('PermissionGroups', []));
            });
            if ($hasOtherLDAPGroup) {
                Log::warning('[MyGate] Access denied due to insufficient permissions to see specific other user\'s data', [ 'logins' => $logins ]);
                return Response::deny('Access denied');
            }
        }
        Log::info('[MyGate] Permission checks passed');
        return Response::allow();
    }
}

answered 2021-03-22T13:16:12.540
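To tie the question's two-step process (normalize parameters first, authorize on the normalized result) to the answer's code, here is an added example that is not part of the original question or answer: the service-provider line that binds the 'get-data' ability to MyGate::authorizeGetDataCall, one possible implementation of the guarantee() helper the answer calls but does not show, and a feature test checking that an alias in the query string cannot slip past the department check. The alias name dept, the route /api/data, the session values and the Finance/Sales group names are assumptions; the test relies on the same ordering the answer relies on, namely that prepareForValidation() runs before authorize().

```php
<?php
// app/Providers/AuthServiceProvider.php (added example; class and method names assumed)
namespace App\Providers;

use App\Gates\MyGate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // Bind the ability used in MyRequest::authorize() to the gate class.
        // The FormRequest passed to Gate::allows('get-data', $this) arrives
        // as the second argument, after the authenticated user.
        Gate::define('get-data', [MyGate::class, 'authorizeGetDataCall']);
    }
}

// app/helpers.php (added example): the answer calls guarantee() but does not
// show it; this is one plausible implementation that only handles 'array'.
if (! function_exists('guarantee')) {
    function guarantee(string $type, $value)
    {
        if ($type !== 'array') {
            throw new \InvalidArgumentException("Unsupported type {$type}");
        }
        if (is_array($value)) {
            return $value;
        }
        // Accept a comma-separated list as well as a single scalar value.
        return is_string($value) && strpos($value, ',') !== false
            ? array_map('trim', explode(',', $value))
            : [$value];
    }
}

// tests/Feature/GetDataAuthorizationTest.php (added example)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class GetDataAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    // Constructed scenario: the user only belongs to the Sales LDAP group and
    // asks for Finance data through the alias 'dept', which prepareForValidation()
    // is assumed to rewrite to the canonical 'owner.department' key.
    public function test_alias_does_not_bypass_department_check()
    {
        $user = User::factory()->create();

        $response = $this->actingAs($user)
            ->withSession(['PermissionGroups' => ['CN=Sales']])
            ->getJson('/api/data?dept=Finance');

        // The gate sees the canonical key, so the cross-department read is denied.
        $response->assertStatus(403);
    }

    // Same request from a member of the Finance group must pass the gate.
    public function test_member_of_requested_department_is_allowed()
    {
        $user = User::factory()->create();

        $response = $this->actingAs($user)
            ->withSession(['PermissionGroups' => ['CN=Finance']])
            ->getJson('/api/data?dept=Finance');

        $response->assertStatus(200);
    }
}
```

The first test is the one worth keeping around: it fails if someone later moves the authorization back into route middleware, because the gate would then see the raw alias instead of owner.department and the department check would be skipped silently.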