Home > Article > Backend Development > A brief analysis of the complete guide to using RBAC in Yii (user role permission control)_PHP tutorial
written in front
* My feed address has been changed to: http://feeds.imdong.net, please update your reader.
* The following content is suitable for Yii 1.0.x, other versions may have slight differences.
* Based on your comments and feedback, this article will be continuously modified and supplemented to facilitate new learners.
Get started
Yii provides a powerful configuration mechanism and many ready-made class libraries. Using RBAC in Yii is very simple, and there is no need to write RBAC code at all. So the preparation is to open the editor and follow me.
Set parameters and create database
In the configuration array, add the following content:
三个概念
你需要了解的是,授权项目可分为operations(行动),tasks(任务)和 roles(角色)。
一个用户拥有一个或者多个角色,比如,我们这里有三个角色:银行行长、银行职员、顾客。我们假设:
* 张行长 有角色:银行行长、银行职员、顾客(人家自己可以存钱嘛)。
* 王职员 有角色:银行职员、顾客。
* 小李 有角色:顾客。
那么,相应的,只要顾客可以做的事情,小李就可以做,王职员和张行长也可以。银行职员可以做的事情,王职员和张行长都可以做,小李就不可以了。
比如,一个“顾客”可以存钱,那么拥有“顾客”角色的张行长、王职员、小李都可以存钱。“银行职员”可以打印顾客的交易记录,那么有“银行职员”角色的张行长和王职员都可以,而小李不行,必须找一个有“银行职员”角色的人才可以打印详细的交易记录。一个“银行行长”才可以进入银行钱库提钱,那么只有张行长可以,因为它才有“银行行长”的角色。
这就是基于角色的认证体系,简称RBAC。
角色的继承
角色是可以继承的,比如我们规定如下:
* 凡是“银行行长”都是“银行职员”,也就是说,只要银行职员可以做的事情,银行行长都可以做。
* 凡是“银行职员”都是顾客,同上,顾客可以做的事情银行职员也可以做。
那么角色关系就变成了:
* 张行长 有角色:银行行长。
* 王职员 有角色:银行职员。
* 小李 有角色:顾客。
这样更简单了,这就是角色的继承。
任务的继承
一个任务(task)是可以包含另外一个任务的,我们举个例子,比如“进入银行”。
我们设定“顾客”这个角色有“进入银行”的权限。也就是说,“顾客”可以执行“进入银行”的任务。接下来,我们假设“进入柜台”是进入银行的父权限,也就是说,“进入柜台”包含“进入银行”。只要能“进入柜台”的人都可以“进入银行”。我们把“进入柜台”这个任务权限给“银行职员”。
那么从角色上来说,王职员可以进入银行,因为王职员的角色是“银行职员”,而“银行职员”包含了“顾客”的角色。那么“顾客”可以进行的“任务”对于“银行职员”来说也是可以进行的。而“顾客”可以“进入银行”,那么王职员也可以“进入银行”。这是角色的继承带来的。
我们再假设有个赵领导,是上级领导,可以进入柜台进行视察。那么,我们的任务关系是:
* 赵领导 有任务:进入柜台。
那么,赵领导就可以“进入银行”。因为“进入银行”是被“进入柜台”包含的任务。只要可以执行“进入柜台”的人都可以执行“进入银行”。这就是任务的继承。
关于行动
行动是不可划分的一级。也就是说。而一个行动是不能包含其他行动的。假设我们有个行动叫“从银行仓库中提钱”。我们把这个行动作包含“进入柜台”。那么只要可以执行“从银行仓库中提钱”的角色都可以执行“进入柜台”这个任务。
Relationship among the three
* A role can contain another one or several roles.
* A role can contain another one or several tasks.
* A character can contain another one or several actions.
*
* A task can contain another one or several tasks.
* A task can contain another one or several actions.
*
* An action can only be included by a role or task. An action cannot include other actions, nor can it be subdivided.
In this way, a permission management system is formed. When it comes to "task" and "action," you don't have to think about the literal meaning. These two form two levels of permissions.
Empowerment
We have established RBAC permission management, and we need to perform WEB management of permissions. These require you to write the code yourself.
Call one of the following methods to define authorization items based on different types of items:
* CAuthManager::createRole
* CAuthManager::createTask
* CAuthManager::createOperation
Once we have a set of authorizations project, we can call the following methods to establish an authorized project relationship:
* CAuthManager::addItemChild
* CAuthManager::removeItemChild
* CAuthItem::addChild
* CAuthItem::removeChild
Finally, we Call the following methods to assign role items to each user:
* CAuthManager::assign
* CAuthManager::revoke
Below we will show an example of establishing an authorization level using the provided API:
Permission check
Assuming you have granted permissions in your management interface, you can check permissions in the program:
Others
Many people who say that the Yii permission system RBAC is not easy to use actually do not understand the documentation. Based on my experience, I feel that the RBAC of the Yii framework is the best among the frameworks I have used. And it requires minimal writing of code yourself.
Yii's RBAC has more advanced usage, such as "Business Rules" and "Default Role". You can refer to the official documentation.
I know that some people still don’t understand RBAC, or they don’t know how to use Yii’s RBAC. It doesn’t matter, you can ask questions in the comment box below.
Happy Yii!