博客教程文档 isAuthorized 缺少 return false?
Blog tutorial docs isAuthorized missing return false?
// src/Controller/ArticlesController.php
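/**
 * Authorization hook for ArticlesController.
 *
 * Grants "add" to any logged-in user and "edit"/"delete" only to the owner
 * of the targeted article. Every other case is delegated to the parent hook
 * (where the admin role is checked), so this method never denies on its own.
 *
 * @param array $user The authenticated user record; only `id` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    $action = $this->request->action;

    // All registered users can add articles
    if ($action === 'add') {
        return true;
    }

    // The owner of an article can edit and delete it.
    // Third argument `true` makes in_array compare the action name strictly.
    if (in_array($action, ['edit', 'delete'], true)) {
        // Without a passed id there is nothing to own: skip the ownership
        // lookup (and the undefined-index notice) and let the parent decide.
        if (isset($this->request->params['pass'][0])) {
            $articleId = (int)$this->request->params['pass'][0];
            if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
                return true;
            }
        }
    }

    // Fall through to the parent hook (admin check, then default deny)
    // instead of returning false here, so admins keep edit/delete access.
    return parent::isAuthorized($user);
}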
如果 isOwnedBy() 检查失败，我需要加上 return false 吗？像这样：
// src/Controller/ArticlesController.php
/**
 * Variant of the ArticlesController authorization hook that denies
 * "edit"/"delete" outright when the ownership check fails.
 *
 * Because that denial happens before parent::isAuthorized() is reached,
 * the parent's role check (admin) is never consulted for edit/delete:
 * only the article's owner can ever perform those two actions.
 *
 * @param array $user The authenticated user record; only `id` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    $action = $this->request->action;

    // Any logged-in user may add.
    if ($action === 'add') {
        return true;
    }

    // Not an ownership-scoped action: defer to the parent hook.
    if (!in_array($action, ['edit', 'delete'])) {
        return parent::isAuthorized($user);
    }

    // edit/delete: allowed for the owner only, denied for everyone else here.
    $articleId = (int)$this->request->params['pass'][0];

    return (bool)$this->Articles->isOwnedBy($articleId, $user['id']);
}
我在以下位置找到了这段代码:
http://book.cakephp.org/3.0/en/tutorials-and-examples/blog-auth-example/auth.html#authorization-who-s-allowed-to-access-what
如果仔细观察，父类的 isAuthorized() 方法会对所有非管理员用户 return false：
/**
 * Application-wide authorization default (the parent hook).
 *
 * A user whose record carries role === 'admin' may access every action;
 * anyone else is denied unless a controller override grants access first.
 *
 * @param array $user The authenticated user record; only `role` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    // Admin can access every action; a missing or different role is denied.
    $role = isset($user['role']) ? $user['role'] : null;

    return $role === 'admin';
}
所以在那种特定情况下，不，你不需要加；更准确地说，你绝对不能加，因为加上之后只有文章的所有者才能编辑或删除文章——管理员角色的检查将不会再被执行。
PS：这类问题可能更适合在 IRC 或 Google 网上论坛提问。
// src/Controller/ArticlesController.php
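/**
 * Authorization hook for ArticlesController.
 *
 * Grants "add" to any logged-in user and "edit"/"delete" only to the owner
 * of the targeted article. Every other case is delegated to the parent hook
 * (where the admin role is checked), so this method never denies on its own.
 *
 * @param array $user The authenticated user record; only `id` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    $action = $this->request->action;

    // All registered users can add articles
    if ($action === 'add') {
        return true;
    }

    // The owner of an article can edit and delete it.
    // Third argument `true` makes in_array compare the action name strictly.
    if (in_array($action, ['edit', 'delete'], true)) {
        // Without a passed id there is nothing to own: skip the ownership
        // lookup (and the undefined-index notice) and let the parent decide.
        if (isset($this->request->params['pass'][0])) {
            $articleId = (int)$this->request->params['pass'][0];
            if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
                return true;
            }
        }
    }

    // Fall through to the parent hook (admin check, then default deny)
    // instead of returning false here, so admins keep edit/delete access.
    return parent::isAuthorized($user);
}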
如果 isOwnedBy() 检查失败，我需要加上 return false 吗？像这样：
// src/Controller/ArticlesController.php
/**
 * Variant of the ArticlesController authorization hook that denies
 * "edit"/"delete" outright when the ownership check fails.
 *
 * Because that denial happens before parent::isAuthorized() is reached,
 * the parent's role check (admin) is never consulted for edit/delete:
 * only the article's owner can ever perform those two actions.
 *
 * @param array $user The authenticated user record; only `id` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    $action = $this->request->action;

    // Any logged-in user may add.
    if ($action === 'add') {
        return true;
    }

    // Not an ownership-scoped action: defer to the parent hook.
    if (!in_array($action, ['edit', 'delete'])) {
        return parent::isAuthorized($user);
    }

    // edit/delete: allowed for the owner only, denied for everyone else here.
    $articleId = (int)$this->request->params['pass'][0];

    return (bool)$this->Articles->isOwnedBy($articleId, $user['id']);
}
我在以下位置找到了这段代码: http://book.cakephp.org/3.0/en/tutorials-and-examples/blog-auth-example/auth.html#authorization-who-s-allowed-to-access-what
如果仔细观察，父类的 isAuthorized() 方法会对所有非管理员用户 return false：
/**
 * Application-wide authorization default (the parent hook).
 *
 * A user whose record carries role === 'admin' may access every action;
 * anyone else is denied unless a controller override grants access first.
 *
 * @param array $user The authenticated user record; only `role` is read here.
 * @return bool
 */
public function isAuthorized($user)
{
    // Admin can access every action; a missing or different role is denied.
    $role = isset($user['role']) ? $user['role'] : null;

    return $role === 'admin';
}
所以在那种特定情况下，不，你不需要加；更准确地说，你绝对不能加，因为加上之后只有文章的所有者才能编辑或删除文章——管理员角色的检查将不会再被执行。
PS：这类问题可能更适合在 IRC 或 Google 网上论坛提问。