Yii authorization role-based access control (RBAC)
1: Basic concepts
A role is a collection of permissions (for example: create posts, modify posts). A role can be assigned to one or more users. To check whether a user has a specific permission, the system checks whether the role containing the permission is assigned to the user.
A rule can be associated with a role or permission. A rule is represented by a piece of code that is executed when checking whether a user meets this role or permission. For example, the "modify post" permission could use a rule that checks whether the user is the creator of the post. During the permission check, if the user is not the post creator, then he (she) will be considered not to have the permission to "modify posts".
Both roles and permissions can be organized hierarchically. In certain cases, a role may consist of other roles or permissions, which in turn may consist of other permissions. Yii implements a so-called partial order hierarchy, which includes the more special tree hierarchy. A role can contain a permission, but not vice versa. (Translator's Note: It can be understood that roles are at the top and permissions are at the bottom. Once a permission is encountered going from top to bottom, roles cannot appear further down.)
2: Configure RBAC
Before defining authorization data and performing access checks, you need to configure the application component yii\base\Application::authManager. Yii provides two authorization managers: yii\rbac\PhpManager and yii\rbac\DbManager. The former uses PHP scripts to store authorization data, while the latter uses a database to store authorization data. If your application does not require a large amount of dynamic role and permission management, you may consider using the former.
1: Use yii\rbac\PhpManager
    return [
        // ...
        'components' => [
            'authManager' => [
                'class' => 'yii\rbac\PhpManager',
            ],
            // ...
        ],
    ];
After the configuration is completed, you can use Yii::$app->authManager to access authManager.
yii\rbac\PhpManager saves RBAC data in files in the @app/rbac directory by default. If the permission hierarchy data will be modified at runtime, make sure that the web server process has write permissions for the directory and the files in it.
2: Use yii\rbac\DbManager
(1) Configure yii\rbac\DbManager
    return [
        // ...
        'components' => [
            'authManager' => [
                'class' => 'yii\rbac\DbManager',
                // uncomment if you want to cache RBAC items hierarchy
                // 'cache' => 'cache',
            ],
            // ...
        ],
    ];
Note here:
If you are using Yii's basic template, the above configuration must be added to both the config/console.php and config/web.php files. If you are using Yii's advanced template, you only need to configure it once, in the common/config/main.php file.
(2) Generate the required permission table
If you use yii\rbac\DbManager, you need to generate 4 database tables to store permission data (they all have default table names; if you need to change a table name, set it when configuring yii\rbac\DbManager):
itemTable: This table stores authorization entries (Translator's Note: roles and permissions). The default table name is "auth_item".
itemChildTable: This table stores the hierarchical relationship of authorization entries. The default table name is "auth_item_child".
assignmentTable: This table stores the assignment of authorization entries to users. The default table name is "auth_assignment".
ruleTable: This table stores rules. The default table name is "auth_rule".
Execute in the project directory
yii migrate --migrationPath=@yii/rbac/migrations
After executing the above command, the four tables mentioned above will be generated in the database.
If you do not use the command above to generate the tables, you can copy the contents of vendor/yiisoft/yii2/rbac/migrations/schema-mysql.sql into the database and run it to generate the data tables.
After generating the corresponding permission tables, we can use Yii::$app->authManager to access authManager.
3: Establish authorization data
1: Add (create) permissions (generate permission data in the auth_item table, type is 2 indicating permissions)
    $auth = Yii::$app->authManager;
    // Add the "createPost" permission
    $createPost = $auth->createPermission('createPost');
    $createPost->description = '创建了createPost权限';
    $auth->add($createPost);
2: Create a role (generate role data in the auth_item table; type 1 indicates a role)
    $auth = Yii::$app->authManager;
    $role = $auth->createRole('author');
    $role->description = '创建了author角色';
    $auth->add($role);
3: Grant permissions to the role
(1) Give the role the specified permissions
    $auth = Yii::$app->authManager;
    $createPost = $auth->createPermission('createPost'); // create the permission object
    $role = $auth->createRole('author');                 // create the role object
    $auth->addChild($role, $createPost);                 // add the relationship (give the author role the createPost permission)
(2) Give the role all the permissions of the specified role
    $auth = Yii::$app->authManager;
    $role1 = $auth->createRole('author1'); // create the role object
    $role2 = $auth->createRole('author2'); // create the role object
    $auth->addChild($role1, $role2);       // add the relationship (give the author1 role all permissions of the author2 role)
4: Assign roles to users
    $auth = Yii::$app->authManager;
    $role = $auth->createRole('author'); // create the role object
    $auth->assign($role, 1);             // 1 is the id returned by IdentityInterface::getId(), i.e. the id in the user table
4: Verify permissions
    \Yii::$app->user->can($action);      // $action is the permission name
    \Yii::$app->user->can('createPost'); // check whether the user has the createPost permission
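The rule described in section 1 (only the creator of a post may modify it), attached to a permission and enforced through the can() check, as an added example that is not part of the original article. The names AuthorRule, isAuthor, updateOwnPost, installOwnPostRule, requireCanUpdate and the createdBy attribute are assumptions, and the author role created above is assumed to exist.

```php
<?php
// Added example (not from the original article). AuthorRule, isAuthor,
// updateOwnPost and $post->createdBy are assumed names for illustration.
namespace app\rbac;

use Yii;
use yii\rbac\Rule;
use yii\web\ForbiddenHttpException;

/** Rule: passes only when the checked user created the post in $params. */
class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    public function execute($user, $item, $params)
    {
        // Deny when no post was passed: a missing parameter must never grant access.
        if (!isset($params['post'])) {
            return false;
        }
        // Guests have a null id; compare as strings so '1' and 1 match.
        return $user !== null && (string) $params['post']->createdBy === (string) $user;
    }
}

/** One-time setup: attach the rule to a permission and give it to "author". */
function installOwnPostRule()
{
    $auth = Yii::$app->authManager;
    $rule = new AuthorRule();
    $auth->add($rule);                       // stored in auth_rule

    $updateOwnPost = $auth->createPermission('updateOwnPost');
    $updateOwnPost->description = 'Update own post';
    $updateOwnPost->ruleName = $rule->name;  // rule runs on every check of this permission
    $auth->add($updateOwnPost);

    $auth->addChild($auth->getRole('author'), $updateOwnPost);
}

/** Enforcement point: call before modifying $post for the current user. */
function requireCanUpdate($post)
{
    if (!Yii::$app->user->can('updateOwnPost', ['post' => $post])) {
        throw new ForbiddenHttpException('You are not allowed to modify this post.');
    }
}
```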
Get the user’s roles
    $auth = Yii::$app->authManager;
    $roles = $auth->getRolesByUser($userId);
Get the user’s permissions
    $auth = Yii::$app->authManager;
    $permissions = $auth->getPermissionsByUser($userId);
The above is a simple understanding of role-based access control (RBAC). For details, please refer to Yii’s official documentation