Analysis on the working principle and usage of srbac permission extension module in Yii

The example in this article describes the working principle and usage of the srbac permission extension module in Yii. Share it with everyone for your reference, the details are as follows:

1. Set permission rule table: It can be placed in the module module configuration file

public function init() {
  //操作权限表，必须存在以下字段：
  //itemname角色名/ID，
  //type授权项目类型/1（任务）或者2（角色），
  //bizrule权限/逻辑运算表达式为false是有权限操作，
  //data数据/YII暂无利用
  Yii::app()->authManager->itemTable = 'AuthItem';
  //会员组-权限对应表，必须存在以下字段：
  //child子角色/ID,
  //parent父角色/ID,此表可循环执行，可多级继承
  Yii::app()->authManager->itemChildTable = 'uthItemChild';
  //会员-会员组对应表，会员组可直接为操作名称，必须存在以下字段：
  //itemname角色名/ID，
  //userid用户名/ID，
  //bizrule权限/逻辑运算表达式为false是有权限操作，
  //data数据/YII暂无利用
  Yii::app()->authManager->assignmentTable = 'zd_mem_glog';

2. To implement the rules, the controller inherits the base class SBaseController , originally Controller

class ProductController extends SBaseController
{
    ........
}
class SBaseController extends Controller
{
    ........
}

3. SBaseController inherits the base class Controller, and adds beforeAction in front to implement permission verification.

protected function beforeAction($action) {
  //载入模块分隔符
 $del = Helper::findModule('srbac')->delimeter;
 //取得前模块名称
 $mod = $this->module !== null ? $this->module->id . $del : "";
 $contrArr = explode("/", $this->id);
 $contrArr[sizeof($contrArr) - 1] = ucfirst($contrArr[sizeof($contrArr) - 1]);
 $controller = implode(".", $contrArr);
 $controller = str_replace("/", ".", $this->id);
 // 生成静态页面 模块+分隔符+控制器（首字母大写）+方法（首字母大写）例： model-ControllerAction
 if(sizeof($contrArr)==1){
  $controller = ucfirst($controller);
 }
 $access = $mod . $controller . ucfirst($this->action->id);
 //验证访问页面地址是否在总是允许列表里面，是返回有权限
 if (in_array($access, $this->allowedAccess())) {
  return true;
 }
 //验证SRBAC有无安装，没在安装，返回的权限访问
 if (!Yii::app()->getModule('srbac')->isInstalled()) {
  return true;
 }
 //验证SRBAC有无开启，没在开启，返回的权限访问
 if (Yii::app()->getModule('srbac')->debug) {
  return true;
 }
  // 权限验证
 if (!Yii::app()->user->checkAccess($access) || Yii::app()->user->isGuest) {
  $this->onUnauthorizedAccess();
 } else {
  return true;
 }
}

4. CDbAuthManager reads the current user role

public function getAuthAssignments($userId)
{
  $rows=$this->db->createCommand()
    ->select()
    ->from($this->assignmentTable)
    ->where('userid=:userid', array(':userid'=>$userId))
    ->queryAll();
  $assignments=array();
  foreach($rows as $row)
  {
    if(($data=@unserialize($row['data']))===false)
      $data=null;
    $assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
  }
  return $assignments;
}

5. CDbAuthManager reads the corresponding permissions of the role

public function getAuthItem($name)
{
  $row=$this->db->createCommand()
    ->select()
    ->from($this->itemTable)
    ->where('name=:name', array(':name'=>$name))
    ->queryRow();
  if($row!==false)
  {
    if(($data=@unserialize($row['data']))===false)
      $data=null;
    return new CAuthItem($this,$row['name'],$row['type'],$row['description'],$row['bizrule'],$data);
  }
  else
    return null;
}

6. CDbAuthManager reads the corresponding operations of the permissions

protected function checkAccessRecursive($itemName,$userId,$params,$assignments)
{
  if(($item=$this->getAuthItem($itemName))===null)
    return false;
  Yii::trace('Checking permission "'.$item->getName().'"','system.web.auth.CDbAuthManager');
  if(!isset($params['userId']))
    $params['userId'] = $userId;
  if($this->executeBizRule($item->getBizRule(),$params,$item->getData()))
  {
    if(in_array($itemName,$this->defaultRoles))
      return true;
    if(isset($assignments[$itemName]))
    {
      $assignment=$assignments[$itemName];
      if($this->executeBizRule($assignment->getBizRule(),$params,$assignment->getData()))
        return true;
    }
    $parents=$this->db->createCommand()
      ->select('parent')
      ->from($this->itemChildTable)
      ->where('child=:name', array(':name'=>$itemName))
      ->queryColumn();
    foreach($parents as $parent)
    {
      if($this->checkAccessRecursive($parent,$userId,$params,$assignments))
        return true;
    }
  }
  return false;
}

7. CAuthManager verification permissions

public function executeBizRule($bizRule,$params,$data)
{
  return $bizRule==='' || $bizRule===null || ($this->showErrors ? eval($bizRule)!=0 : @eval($bizRule)!=0);
}

8. Always allow access rule settings

I hope this article will be helpful to everyone’s PHP program design based on the Yii framework.

For more articles related to the working principle and usage analysis of the srbac permission extension module in Yii, please pay attention to the PHP Chinese website!