
PHP RBAC: design ideas, data table design and source code

2025-03-26 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

This article explains in detail the design ideas, data table design and source code for RBAC in PHP, shared here as a reference. I hope you will have a working understanding of the topic after reading it.

The permission system module is a very important feature of Internet products: it controls which roles can access which resources, so that access is secure.

What are the models of access control?

ACL

RBAC role-based access control

From the figure above, we can see that ACL associates users directly with permissions, while RBAC associates users with permissions indirectly, through roles. The role is therefore an important attribute of an RBAC system.

What is the RBAC model

In RBAC (Role-Based Access Control), users are associated with permissions through roles. Put simply, a user has several roles, and each role has several permissions. This gives the "user-role-permission" authorization model. In this model there is generally a many-to-many relationship between users and roles, and between roles and permissions.

Why choose the RBAC model?

The reasons are as follows:

Facilitate user grouping

Facilitate permission allocation and recovery

Easy to expand and meet most business needs

That is to say, before we talk about permission management, we should know which functions permission management needs to have.

The diagram of RBAC model

There are five important attributes of the RBAC model in the figure, which are:

1 user attributes (Zhang San, Li Si, Wang Wu)

2 role attributes (sales manager, sales, receptionist)

3 the relationship between users and roles (Zhang San is the sales manager; Li Si and Wang Wu are sales managers)

4 permissions (add customers, edit customers, delete customers, view customers)

5 relationship between permissions and roles (sales have the right to view customers, sales managers can view / add / delete / edit customers)

An RBAC permission module must implement three functions

User management

User list

Add user

Edit user

Set user roles

Role management

Role list

Add role

Edit role

Set role permissions

Permission management

Permission list

Add permission

Edit permission

As shown in the figure

Data table design

User table

    -- The zero-date defaults below are rejected when sql_mode includes NO_ZERO_DATE.
    CREATE TABLE `user` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `name` varchar(20) NOT NULL DEFAULT '' COMMENT 'name',
      `email` varchar(30) NOT NULL DEFAULT '' COMMENT 'mailbox',
      `is_admin` tinyint(1) NOT NULL DEFAULT '0' COMMENT 'super administrator 1: yes 0: no',
      `status` tinyint(1) NOT NULL DEFAULT '1' COMMENT 'status 1: valid 0: invalid',
      `updated_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'last update',
      `created_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'insert time',
      PRIMARY KEY (`id`),
      KEY `idx_email` (`email`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='user table';

Role table

    CREATE TABLE `role` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `name` varchar(50) NOT NULL DEFAULT '' COMMENT 'role name',
      `status` tinyint(1) NOT NULL DEFAULT '1' COMMENT 'status 1: valid 0: invalid',
      `updated_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'last update',
      `created_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'insert time',
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='role table';

User role table

    CREATE TABLE `user_role` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `uid` int(11) NOT NULL DEFAULT '0' COMMENT 'user id',
      `role_id` int(11) NOT NULL DEFAULT '0' COMMENT 'role id',
      `created_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'insert time',
      PRIMARY KEY (`id`),
      KEY `idx_uid` (`uid`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='user role table';

Permission details table

    CREATE TABLE `access` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `title` varchar(50) NOT NULL DEFAULT '' COMMENT 'permission name',
      `urls` varchar(1000) NOT NULL DEFAULT '' COMMENT 'json array',
      `status` tinyint(1) NOT NULL DEFAULT '1' COMMENT 'status 1: valid 0: invalid',
      `updated_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'last update',
      `created_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'insert time',
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='permission details table';

Role permissions table

    CREATE TABLE `role_access` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `role_id` int(11) NOT NULL DEFAULT '0' COMMENT 'role id',
      `access_id` int(11) NOT NULL DEFAULT '0' COMMENT 'permission id',
      `created_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'insert time',
      PRIMARY KEY (`id`),
      KEY `idx_role_id` (`role_id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='role permission table';

User operation record table

    CREATE TABLE `app_access_log` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `uid` bigint(20) NOT NULL DEFAULT '0' COMMENT 'brand UID',
      `target_url` varchar(255) NOT NULL DEFAULT '' COMMENT 'accessed url',
      `query_params` longtext NOT NULL COMMENT 'get and post parameters',
      `ua` varchar(255) NOT NULL DEFAULT '' COMMENT 'access ua',
      `ip` varchar(32) NOT NULL DEFAULT '' COMMENT 'access ip',
      `note` varchar(1000) NOT NULL DEFAULT '' COMMENT 'json format memo field',
      `created_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
      PRIMARY KEY (`id`),
      KEY `idx_uid` (`uid`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='user operation record table';

Code implementation

All pages of this system require login before they can be accessed, so a unified check is added in the framework.

    public function beforeAction($action)
    {
        $login_status = $this->checkLoginStatus();
        if (!$login_status && !in_array($action->uniqueId, $this->allowAllAction)) {
            if (Yii::$app->request->isAjax) {
                $this->renderJSON([], "not logged in, please return to user Center", -302);
            } else {
                $this->redirect(UrlService::buildUrl("/user/login")); // return to the login page
            }
            return false;
        }
        // Save all visits to the database.
        // Note: this stores raw GET and POST values, including any submitted passwords.
        $get_params = $this->get(null);
        $post_params = $this->post(null);
        $model_log = new AppAccessLog();
        $model_log->uid = $this->current_user ? $this->current_user['id'] : 0;
        $model_log->target_url = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
        $model_log->query_params = json_encode(array_merge($post_params, $get_params));
        $model_log->ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        $model_log->ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $model_log->created_time = date("Y-m-d H:i:s");
        $model_log->save(0);
        /**
         * The logic for judging permissions is:
         * fetch the roles of the currently logged-in user
         * fetch all permission links in the permission table
         * check whether the current access link is in the permission list
         */
        // determine whether the current access link is in the permission list
        if (!$this->checkPrivilege($action->getUniqueId())) {
            $this->redirect(UrlService::buildUrl("/error/forbidden"));
            return false;
        }
        return true;
    }

Check whether you have access to the specified link

    public function checkPrivilege($url)
    {
        // a super administrator does not need a permission check
        if ($this->current_user && $this->current_user['is_admin']) {
            return true;
        }
        // some pages do not need a permission check
        if (in_array($url, $this->ignore_url)) {
            return true;
        }
        return in_array($url, $this->getRolePrivilege());
    }

Get all the permissions of a user: fetch the roles of the specified user, fetch the permission relationships through those roles, then fetch all the permission links from the permission table

    public function getRolePrivilege($uid = 0)
    {
        if (!$uid && $this->current_user) {
            $uid = $this->current_user->id;
        }
        if (!$this->privilege_urls) {
            // fetch the roles of the user
            $role_ids = UserRole::find()->where(['uid' => $uid])->select('role_id')->asArray()->column();
            if ($role_ids) {
                // fetch the permission relationships
                $access_ids = RoleAccess::find()->where(['role_id' => $role_ids])->select('access_id')->asArray()->column();
                // fetch all permission links from the permission table
                $list = Access::find()->where(['id' => $access_ids])->all();
                if ($list) {
                    foreach ($list as $_item) {
                        $tmp_urls = @json_decode($_item['urls'], true);
                        // skip rows whose urls value is not a valid JSON array
                        if (is_array($tmp_urls)) {
                            $this->privilege_urls = array_merge($this->privilege_urls, $tmp_urls);
                        }
                    }
                }
            }
        }
        return $this->privilege_urls;
    }

That concludes this look at the design ideas, data table design and source code for RBAC in PHP. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, you can share it for more people to see.
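The user, role and permission lookup described above, as a framework-free example added here (it is not the article's or Yii's code). Unlike getRolePrivilege() on this page, it also honors the `status` columns from the schema, ignores malformed `urls` values and compares routes strictly; the helper names resolveUrls and canAccess and all sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Constructed sample rows shaped like the page's tables (not real data).
$users = [1 => ['status' => 1], 2 => ['status' => 0]];      // user 2 is disabled
$roles = [10 => ['status' => 1], 11 => ['status' => 0]];    // role 11 is disabled
$userRole = [[1, 10], [1, 11], [2, 10]];                    // [uid, role_id]
$roleAccess = [[10, 100], [11, 101], [10, 102], [10, 103]]; // [role_id, access_id]
$access = [
    100 => ['urls' => '["customer/index","customer/view"]', 'status' => 1],
    101 => ['urls' => '["customer/delete"]', 'status' => 1],
    102 => ['urls' => 'not-json', 'status' => 1],           // malformed urls value
    103 => ['urls' => '[true, 0]', 'status' => 1],          // non-string entries
];

// Hypothetical helper: URLs granted to $uid through valid roles and valid permissions only.
function resolveUrls(int $uid, array $users, array $roles, array $userRole, array $roleAccess, array $access): array
{
    if (($users[$uid]['status'] ?? 0) !== 1) {
        return [];                                          // unknown or disabled user gets nothing
    }
    $urls = [];
    foreach ($userRole as [$u, $roleId]) {
        if ($u !== $uid || ($roles[$roleId]['status'] ?? 0) !== 1) {
            continue;                                       // other users, disabled or missing roles
        }
        foreach ($roleAccess as [$r, $accessId]) {
            $row = $access[$accessId] ?? null;
            if ($r !== $roleId || $row === null || $row['status'] !== 1) {
                continue;                                   // other roles, disabled or missing permissions
            }
            $decoded = json_decode($row['urls'], true);
            if (is_array($decoded)) {                       // malformed JSON grants nothing
                $urls = array_merge($urls, array_filter($decoded, 'is_string'));
            }
        }
    }
    return array_values(array_unique($urls));
}

// Deny by default. Strict in_array(): with loose comparison a stored `true` matches every route.
function canAccess(int $uid, string $route, array ...$tables): bool
{
    return in_array($route, resolveUrls($uid, ...$tables), true);
}

$t = [$users, $roles, $userRole, $roleAccess, $access];
var_dump(canAccess(1, 'customer/view', ...$t));    // route granted through valid role 10
var_dump(canAccess(1, 'customer/delete', ...$t));  // route reachable only through disabled role 11
var_dump(canAccess(2, 'customer/view', ...$t));    // disabled user holding a valid role
```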
