I have a trait that applies observer that checks to see if the user creating the model owns that model
trait OnlyOwnerCanSaveDel
{
/**
* Automatically boot with Model, and register Events handler.
*/
protected static function bootOnlyOwnerCanSaveDel()
{
static::creating(function (Model $model) {
//dd(app(\Illuminate\Http\Request::class));
$self_source;
if($self_source) return true;
//$model is the one being created, but havent insert into db
if(Auth::user()->id != $model->user->id) {
abort(400, "You can only create " . basename(str_replace('\\', '/', static::class)) . " for yourself");
return false;
}
return true;
});
Auth::user() fetches the user from JWT token supplied from a request. The problem happens when I create models inside my application code where there is no request made by user (cron, seeders). Auth::user() returns null and everything fails.
I create some models that use this trait in artisan tinker and dumped the \Illuminate\Http\Request. What I saw was
Illuminate\ Http\ Request {
# parameters: array: 58[
"SERVER_NAME" => "localhost"
"SERVER_PORT" => 80 "HTTP_HOST" => "localhost"
"HTTP_USER_AGENT" => "Symfony/3.X"
"HTTP_ACCEPT" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
"HTTP_ACCEPT_LANGUAGE" => "en-us,en;q=0.5"
"HTTP_ACCEPT_CHARSET" => "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
"REMOTE_ADDR" => "127.0.0.1"
"SCRIPT_NAME" => "artisan"
"SCRIPT_FILENAME" => "artisan"
"SERVER_PROTOCOL" => "HTTP/1.1"
"REQUEST_TIME" => 1482811118 "XDG_SESSION_ID" => "3074"
"TERM" => "cygwin"
"SHELL" => "/bin/bash"
"SSH_CLIENT" => "10.0.2.2 57384 22"
"OLDPWD" => "/home/vagrant/Code"
"SSH_TTY" => "/dev/pts/0"
"LC_ALL" => "en_US.UTF-8"
"USER" => "vagrant"
"MAIL" => "/var/mail/vagrant"
"PATH" => "/home/vagrant/.composer/vendor/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
"PWD" => "/home/vagrant/Code/hardsets"
"LANG" => "en_US"
"NODE_PATH" => "/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript"
"SHLVL" => "1"
"HOME" => "/home/vagrant"
"LANGUAGE" => "en_US:"
"LOGNAME" => "vagrant"
"SSH_CONNECTION" => "10.0.2.2 57384 10.0.2.15 22"
"LESSOPEN" => "| /usr/bin/lesspipe %s"
"XDG_RUNTIME_DIR" => "/run/user/900"
"LESSCLOSE" => "/usr/bin/lesspipe %s %s"
"_" => "/usr/bin/php"
"PHP_SELF" => "artisan"
"PATH_TRANSLATED" => "artisan"
"DOCUMENT_ROOT" => ""
"REQUEST_TIME_FLOAT" => 1482811118.1739 "argv" => array: 2[
0 => "artisan"
1 => "tinker"
]
"argc" => 2 "APP_ENV" => "local"
"APP_DEBUG" => "true"
"APP_KEY" => "ywf9eUZLp***********"
"DB_HOST" => "192.168.10.10"
"DB_DATABASE" => "hardsets"
"DB_USERNAME" => "homestead"
"DB_PASSWORD" => "top35453sec"
"FACEBOOK_APP_ID" => "568718***********"
"FACEBOOK_APP_SECRET" => "89097b402e8f92d52***********"
"JSON_EXCEPTION" => "true"
"ENFORCE_OWNERSHIP" => "true"
"JWT_TTL" => "60"
"JWT_SECRET" => "TjKIsXi9CpS5cDcZF***********"
"PATH_INFO" => ""
"REQUEST_METHOD" => "GET"
"REQUEST_URI" => "/"
"QUERY_STRING" => ""
So I am planning to just check if "APP_KEY" in the request matches my env("APP_KEY"), if yes then set $self_source=true thus passing the observer.
It this safe and the correct way to go about this?
via Chebli Mohamed
Aucun commentaire:
Enregistrer un commentaire