{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 男人必须洒脱 的问题《Laravel 5: check if user belongs to the moderators》','https://www.manongdao.com/q-957787.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am using Gate authorization to check if the user has permissions to access or see something.
For example I have a update-post gate definition that checks if the user owns the post or owns the sub, if yes, he will be able to see the "Edit" link and access the Edit route. If not, he won't be able to see anything.
I am now trying to add another permissions to check if the user belongs to the "moderators" table, if yes, he will also be able to see the "Edit" link on subreddit/show
It works great for the first 2 checks, but fails on the third and the "Edit" link is always visible now, even though I cannot access the edit route of posts that aren't mine or belong to the subreddit I own.
EDIT: I have edited $moderators_list it now check if the logged in user is a moderator of the subreddit that the post he's viewing. dd($moderators_list gets me a list with correct values. But I can't use $moderators_list->user_id that will give Undefined property: Illuminate\Database\Eloquent\Collection::$user_id
EDIT 2: I have fixed the query that gets the user_id of the user who is a moderator in a subreddit. So now using $moderators_list->user-id gets me the id of 3 which is the user id of the current logged in. But the gate checking still fails, unable to edit posts in the subreddit I am moderator in.
My tables
users: id, name, email...
subreddits: id, user_id...
posts: id, user_id, subreddit_id...
moderators: id, user_id, subreddit_id...
This is the $gate definitions
$gate->define('update-post', function ($user, $post, $moderators_list) {
// Check if user is subreddit owner
if ($user->id === $post->subreddit->user->id) {
return true;
}
// Check if user is the post author
if ($user->id === $post->user_id) {
return true;
}
// Check if user is a moderator of a subreddit
if ($user->id === $moderators_list->user_id) {
return true;
}
return false;
});
And this is show() method on PostsController
Please note that dd($moderators_list) will output a list of all moderators of the subreddit this post is located in, so I am getting the correct result.
public function show(Post $post, Subreddit $subreddit, Moderator $moderator)
{
$post = Post::with('user.votes')->findOrFail($post->id);
$moderator = Moderator::where('user_id', '=', Auth::id())->first();
$moderators_list = Moderator::where('subreddit_id', '=', $post->subreddit->id)->where('user_id', '=', Auth::id())->first();
return view('post/show')->with('post', $post)
->with('moderator', $moderator)
->with('moderators_list', $moderators_list);
}
And this is how I check to see if user has access to see the "Edit" link on the view
@can('update-post', [$post, $moderator, $moderators_list])
<a href="{{ action('PostsController@edit', $post->id) }}">Edit</a>
@endcan
Now you will need to add ->toArray(); after the ->get() in the $moderators_list query:
You can check if the user is a moderator directly in the DB: