多个AdminMiddleware歧义

Question

我有多个管理系统:一个是超级管理员,另一个是普通管理员,由is_admin用户表中的属性区分.

而这两个中间件: SuperAdminMiddleware.php

public function handle($request, Closure $next, $guard = null)
{
    if(Auth::check())
    {
        if($request->user()->is_admin==1)
        {
           return $next($request);
        }
         return redirect('/login');    
    }
    else 
    {
      return redirect('/login');   
    }
}

和,NormalAdminMiddleware.php

public function handle($request, Closure $next, $guard = null)
{
    if(Auth::check())
    {
        if($request->user()->is_admin==2)
        {
           return $next($request);
        }
         return redirect('/login');    
    }
    else 
    {
      return redirect('/login');   
    }
}

并在loginController中:

protected function authenticated()
{
  if (auth()->user()->is_admin==1) {
    return redirect('/super-admin');
  } 

  else if(auth()->user()->is_admin==2){
    return redirect('/normal-admin'); 
  }

  else {
    return redirect('/home');
  }
}

现在,删除和阅读的设计应该是超级管理员可以删除并查看所有用户的详细信息,而普通管理员只能看到他们城市的用户.

id  name city   is_admin
1   Non  Maety  1
3   Pom  Lorey  2
4   Rom  Lorey  0
2   Yer  Easter 0

非应该能够看到所有.而Pom应该只看到id 3和4.

如果我在SuperAdminMiddleware下放置显示和删除路线,普通管理员无法看到他们城市的记录.

Route::group(['middleware' => ['App\Http\Middleware\SuperAdminMiddleware']], function () {
    Route::get('/show/{id}', 'MyController@show');      
    Route::post('/delete', 'MyController@delete');
  });

如果我将这些路由放在SuperAdminMiddleware和NormalAddminMiddleware下.NormalAdminMiddleware还可以查看其他城市的记录.

 Route::group(['middleware' => ['App\Http\Middleware\NormalAdminMiddleware']], function () {
        Route::get('/show/{id}', 'MyController@show');      
        Route::post('/delete', 'MyController@delete');
      });

我该如何克服这种情况？

Answer 1

您可以使用以下政策解决此问题:

class UserPolicy
{

    /**
     * Determine if the given user can be viewed by the user.
     *
     * @param  \App\User  $user
     * @param  \App\User $account
     * @return bool
     */
    public function view(User $user, User $account)
    {
        switch($user->is_admin) {
            case 1:
                return true;
            case 2:
                return $user->city == $account->city;
            default:
            return 0;

        }
    }

    /**
     * Determine if the given user can be updated by the user.
     *
     * @param  \App\User  $user
     * @param  \App\User $account
     * @return bool
     */
    public function update(User $user, User $account)
    {
        switch($user->is_admin) {
            case 1:
                return true;
            case 2:
                return $user->city == $account->city;
            default:
            return 0;

        }
    }
}

用户将是经过身份验证的用户模型,帐户将是应该查看的用户模型.

注册策略后(https://laravel.com/docs/5.4/authorization#registering-policies),您可以在控制器的功能中调用它,如:

public function show(User $user) {
    $this->can('view', $user);
}