Home  >  Article  >  php教程  >  Detailed explanation of the usage of Yii's Srbac plug-in

Detailed explanation of the usage of Yii's Srbac plug-in

高洛峰
高洛峰Original
2016-12-30 16:05:431509browse

The example in this article describes the usage of Yii's Srbac plug-in. I would like to share it with you for your reference. The details are as follows:

Yii's rbac, from the beginning of installing the arbc module extension to debugging and analyzing its principles, it took a lot of time intermittently. Of course, after you understand it, you will find that Yii's abrc is very convenient and allows you to easily implement resource control access, which is very powerful. Now I will sort out my study notes and share them. Although the authMangner component implements rbac, it does not implement visual editing management. Currently, there are two official extension modules, Srbac and Right. We use them to visually manage roles, tasks, and operations very conveniently.

Role-Based Access Control is a simple yet powerful centralized access control. The authManager component based on Yii Framework implements hierarchical RBAC, which can help us solve some resource control access problems encountered during development.

For these two extension modules, the functions are actually similar, but the interface is different. Depending on what style you like, just choose that module to test. As for installation and debugging, you only need to download them, and there are detailed introductions inside. Let's analyze the principle of authManager component implementation.

Authorization project is to determine whether a user is allowed to operate a specific resource by checking whether the user belongs to a role that has permission to access the resource. Here we need to understand the relationship between authorized projects, roles, tasks, and operations.

1. Authorization projects can be divided into roles, tasks, and operations;
2. A role can be composed of several tasks;
3. A task can be composed of several operations;
4 .The operation is a permission and cannot be divided.

It should also be mentioned here that the issue of business rules is actually a piece of PHP code that will be executed when checking permissions.

Let’s analyze the rbac implementation, which requires three tables: the structure of authhassignment, authitem, and authitemchild:

itemname varchar(64) role name, case-sensitive
userid varchar( 64) User ID is the id of the user table in your own project
bizrule text Business rule, a piece of php code
data text Serialized array used to provide parameters to bizrule

name varchar( 64) The itemname in authassignment is the same

type integer Type identification (0,1,2)
|
|-------- 0 means Operation
|-- ------ 1 means Task task
|-------- 2 means Role role

description text Related description
bizrule text Business rule, a piece of php code
data text Serialized array, used to provide parameters to bizrule

parent varchar(64) parent name, [role name, can also be a task];
children varchar(64) child object name . [Task name, can also be an operation];

Use the verification method CWebUser::checkAccess(). The following is a demo code description:

if(Yii::app()->user->checkAccess(what,$params)) {
  //what  --- role,或者task,也可以是operation,
  //params --- 是传进业务规则的参数key-value;
}

The following will demonstrate the specific operation of a user deleting articles:

$params=array('uid'=>$id);
if(Yii::app()->user->checkAccess('delArticle',$params)) {
  //检查当前用户是否有删除文章权限
  //并且使用业务规则,检查用户id等于文章里面的作者id
  //通过验证,就执行删除操作
}

##Yii-srbac- Permission expansion module working principle

1 . Set the permission rule table: it can be placed in the module module configuration file

public function init() {
  //操作权限表,必须存在以下字段:
  //itemname角色名/ID,
  //type授权项目类型/1(任务)或者2(角色),
  //bizrule权限/逻辑运算表达式为false是有权限操作,
  //data数据/YII暂无利用
  Yii::app()->authManager->itemTable = 'AuthItem';
  //会员组-权限对应表,必须存在以下字段:
  //child子角色/ID,
  //parent父角色/ID,此表可循环执行,可多级继承
  Yii::app()->authManager->itemChildTable = 'uthItemChild';
  //会员-会员组对应表,会员组可直接为操作名称,必须存在以下字段:
  //itemname角色名/ID,
  //userid用户名/ID,
  //bizrule权限/逻辑运算表达式为false是有权限操作,
  //data数据/YII暂无利用
  Yii::app()->authManager->assignmentTable = 'zd_mem_glog';
}

2. To implement the rules, the controller inherits the base class SBaseController, which is originally Controller

class ProductController extends SBaseController
{
    ........
}
class SBaseController extends Controller
{
    ........
}

3. SBaseController inherits the base class Controller, and adds beforeAction to realize permission verification.

protected function beforeAction($action) {
  //载入模块分隔符
  $del = Helper::findModule('srbac')->delimeter;
  //取得前模块名称
  $mod = $this->module !== null ? $this->module->id . $del : "";
  $contrArr = explode("/", $this->id);
  $contrArr[sizeof($contrArr) - 1] = ucfirst($contrArr[sizeof($contrArr) - 1]);
  $controller = implode(".", $contrArr);
  $controller = str_replace("/", ".", $this->id);
  // 生成静态页面 模块+分隔符+控制器(首字母大写)+方法(首字母大写)例: model-ControllerAction
  if(sizeof($contrArr)==1){
   $controller = ucfirst($controller);
  }
  $access = $mod . $controller . ucfirst($this->action->id);
  //验证访问页面地址是否在总是允许列表里面,是返回有权限
  if (in_array($access, $this->allowedAccess())) {
   return true;
  }
  //验证SRBAC有无安装,没在安装,返回的权限访问
  if (!Yii::app()->getModule('srbac')->isInstalled()) {
   return true;
  }
  //验证SRBAC有无开启,没在开启,返回的权限访问
  if (Yii::app()->getModule('srbac')->debug) {
   return true;
  }
  // 权限验证
  if (!Yii::app()->user->checkAccess($access) || Yii::app()->user->isGuest) {
   $this->onUnauthorizedAccess();
  } else {
   return true;
  }
}

4. CDbAuthManager reads the current user role

public function getAuthAssignments($userId)
{
  $rows=$this->db->createCommand()
    ->select()
    ->from($this->assignmentTable)
    ->where('userid=:userid', array(':userid'=>$userId))
    ->queryAll();
  $assignments=array();
  foreach($rows as $row)
  {
    if(($data=@unserialize($row['data']))===false)
      $data=null;
    $assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
  }
  return $assignments;
}

5. CDbAuthManager reads Get the corresponding permissions of the role

public function getAuthItem($name)
{
  $row=$this->db->createCommand()
    ->select()
    ->from($this->itemTable)
    ->where('name=:name', array(':name'=>$name))
    ->queryRow();
  if($row!==false)
  {
    if(($data=@unserialize($row['data']))===false)
      $data=null;
    return new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],$data);
  }
  else
    return null;
}

6, CDbAuthManager read permission corresponding operations

protected function checkAccessRecursive($itemName,$userId,$params,$assignments)
{
  if(($item=$this->getAuthItem($itemName))===null)
    return false;
  Yii::trace('Checking permission "'.$item->getName().'"','system.web.auth.CDbAuthManager');
  if(!isset($params['userId']))
    $params['userId'] = $userId;
  if($this->executeBizRule($item->getBizRule(),$params,$item->getData()))
  {
    if(in_array($itemName,$this->defaultRoles))
      return true;
    if(isset($assignments[$itemName]))
    {
      $assignment=$assignments[$itemName];
      if($this->executeBizRule($assignment->getBizRule(),$params,$assignment->getData()))
        return true;
    }
    $parents=$this->db->createCommand()
      ->select('parent')
      ->from($this->itemChildTable)
      ->where('child=:name', array(':name'=>$itemName))
      ->queryColumn();
    foreach($parents as $parent)
    {
      if($this->checkAccessRecursive($parent,$userId,$params,$assignments))
        return true;
    }
  }
  return false;
}

7. CAuthManager verification authority

public function executeBizRule($bizRule,$params,$data)
{
  return $bizRule==='' || $bizRule===null || ($this->showErrors ? eval_r($bizRule)!=0 : @eval_r($bizRule)!=0);
}

3. SRBAC test

Some configuration information that needs attention in SRBAC

Building of SRBAC theme environment , and how to integrate it into our specific project (you can put it in the modules directory, and then make some configurations in the configuration file) As mentioned above

we can choose whether to generate it when installing Of course, it doesn't matter if some test data is not generated. We can manually configure some data according to its rules.

Before introducing the configuration of data, we need to have a little understanding of the working principle of the SRBAC module:

The SRBAC module is the mapping between roles--tasks--operations Relationships are used to implement permission control.

users corresponds to our users

roles corresponds to all the role names required by our system

operations corresponds to the names of all specific operations we need to manage permissions ( For example, for a specific action, we only allow a certain role to access it)

在SRBAC的主界面我们可以看到三个icon,分别对应于不同的操作。

我们就先来新建一些我们需要的数据信息(对应于第一个icon):

新建具体的operation:这里的operation的命名需要注意,必须是ControllernameActionname的格式。controller、action的名字组合,且二者的首字母都必须要大写。

新建具体的task:一个task可以对应于多个operation,我们可以按照相应的功能来命名task。例如:可以使用News Management 来表示新闻管理的task。这里的命名没有严格的格式要求,只要做到见名知意即可。

新建具体的roles:这个很简单,就是输入我们需要的角色而已。
ok,数据新建完毕。接下来我们就来到assign页面(对应于第二个icon),对具体的数据来进行映射设置了。

根据前面所说的,将operations分配给各个task,然后我们再将tasks分配给具体的role。

最后再给user指定roles。

到这一步,我们的权限配置基本就结束了。

这时,我们可以通过点击第三个icon来查看我们具体的用户的权限信息时候正确。

确认无误以后,我们就可以来进行我们的权限验证了。

不过,在此之前还有最后一步,我们要确认已经关闭了SRBAC的debug模式。

因为查看源代码我们会发现,如果debug模式是开启状态的话,我们的权限管理是不会起作用的。

可以到config/main.php来进行查看:

'modules' => array(
  'srbac' => array(
    'userclass' => 'User',
    'userid' => 'id',
    'username' => 'username',
    'debug' => false,//confirm this field

   

到这一步,我们的权限模块就可以work了。去检查一下我们的配置是否正常吧,呵呵

希望本文所述对大家基于Yii框架的PHP程序设计有所帮助。

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn