本文深入探讨了Laravel授权机制,从初始化类开始,通过跟踪代码发现授权过程涉及的参数设置。在不同文件中找到设置这些参数的地方,尤其是通过Cookie和Session获取当前用户信息的方式。虽然未完全揭示授权策略的全部细节,但已找到理解这一机制的关键点。
RequestGuard.php
public function user()
{
// If we've already retrieved the user for the current request we can just
// return it back immediately. We do not want to fetch the user data on
// every call to this method because that would be tremendously slow.
if (! is_null($this->user)) {
return $this->user;
}
return $this->user = call_user_func(
$this->callback, $this->request
);
}接着就是其$this->callback参数:
public function __construct(callable $callback, Request $request)
{
$this->request = $request;
$this->callback = $callback;
}然后其实是在AuthManager.php中初始化RequestGuard类:
public function viaRequest($driver, callable $callback)
{
return $this->extend($driver, function () use ($callback) {
$guard = new RequestGuard($callback, $this->app['request']);
$this->app->refresh('request', $guard, 'setRequest');
return $guard;
});
}但是线索断了,Laravel中没有调用过该函数,那么我们上面走错了,回到最开始的函数:
if (! is_null($this->user)) {
return $this->user;
}这里的$this->user是怎么设值的呢?这个值来自trait GuardHelpers,那么有没有可能是在别的地方设置过参数呢?不搜不知道,在另外两个文件中都设置过该值:
第一个文件:Illuminate\Auth\SessionGuard.php
第二个文件:Illuminate\Auth\TokenGuard.php
下面分别来看这两个文件,第一个:
public function user()
{
if ($this->loggedOut) {
return;
}
// If we've already retrieved the user for the current request we can just
// return it back immediately. We do not want to fetch the user data on
// every call to this method because that would be tremendously slow.
if (! is_null($this->user)) {
return $this->user;
}
// 这里是从session中获取特定的设置值,假设这里就是获取id
$id = $this->session->get($this->getName());
// First we will try to load the user using the identifier in the session if
// one exists. Otherwise we will check for a "remember me" cookie in this
// request, and if one exists, attempt to retrieve the user using that.
$user = null;
if (! is_null($id)) {
// 这里是使用数据库驱动从从数据库中获取值
if ($user = $this->provider->retrieveById($id)) {
$this->fireAuthenticatedEvent($user);
}
}
// If the user is null, but we decrypt a "recaller" cookie we can attempt to
// pull the user data on that cookie which serves as a remember cookie on
// the application. Once we have a user we can return it to the caller.
$recaller = $this->recaller();
if (is_null($user) && ! is_null($recaller)) {
$user = $this->userFromRecaller($recaller);
if ($user) {
$this->updateSession($user->getAuthIdentifier());
$this->fireLoginEvent($user, true);
}
}
return $this->user = $user;
}接着就是第二个:
public function user()
{
// If we've already retrieved the user for the current request we can just
// return it back immediately. We do not want to fetch the user data on
// every call to this method because that would be tremendously slow.
if (! is_null($this->user)) {
return $this->user;
}
$user = null;
$token = $this->getTokenForRequest();
if (! empty($token)) {
$user = $this->provider->retrieveByCredentials(
[$this->storageKey => $token]
);
}
return $this->user = $user;
}不用深究这两个函数具体的工作原理,只需要知道这两个函数其实是通过以下途径获取当前用户信息的:
- Cookie
- Session
其中至少有一个保存着当前用户的个人信息,这下回到最开始的Policies下的函数中来:
public function edits(User $currentUser,User $user){
return $currentUser->id===$user->id;
}其中的第一个$currentUser是从Cookie或者Session中获取的值,而第二个参数$user则是我们外部传递进去的函数。虽然不算完美的解释了策略的原理,但是起码找到了突破口了,之后有机会再深入学习吧,现在到此为止了,后面有时间会整理一下,没时间的话,那么只能算了。。。。。。。
扫一扫
1430
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
