2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to use RBAC in Yii. It is detailed and should serve as a useful reference.
Getting ready
Yii provides a powerful configuration mechanism and many ready-made libraries. Using RBAC in Yii is simple and requires no additional RBAC code. So to prepare, open your editor and follow along.
Setting parameters and creating the database tables
In the configuration array, add the following:

    'components' => array(
        //……
        'authManager' => array(
            'class' => 'CDbAuthManager',                  // auth manager class name
            'defaultRoles' => array('guest'),             // default roles
            'itemTable' => 'pre_auth_item',               // authorization item table name
            'itemChildTable' => 'pre_auth_item_child',    // authorization item parent-child relation table
            'assignmentTable' => 'pre_auth_assignment',   // authorization item assignment table
        ),
        //……
    ),

So how do you create these three tables? It's easy: look at framework/web/auth/schema.sql. Be careful to match your custom table names. For example, AuthItem in the SQL file must be changed to pre_auth_item. Then run the statements from this SQL file in the database.
Understanding the concepts
You might ask, where is the rest of the code? The answer is: there isn't any. The RBAC system is now set up. But in order to use it, you need to understand how it works. I'll try to be a bit more verbose… (The official RBAC documentation is here, but I had to read it 4-5 times before I understood it.)
Three concepts
What you need to understand is that authorization items are divided into operations, tasks, and roles.
A user has one or more roles. For example, we have three roles here: bank president, bank clerk, customer. We assume:
* President Zhang has roles: bank president, bank clerk, customer (he can deposit money himself, too).
* Clerk Wang has roles: bank clerk, customer.
* Xiao Li has a role: customer.
Correspondingly, anything a customer can do, Xiao Li can do, and so can Clerk Wang and President Zhang. Anything a bank clerk can do, Clerk Wang and President Zhang can do, but Xiao Li cannot.
For example, if a "customer" can deposit money, then President Zhang, Clerk Wang, and Xiao Li, who all have the "customer" role, can deposit money. A "bank clerk" can print customer transaction records, so President Zhang and Clerk Wang, who have the "bank clerk" role, can, but Xiao Li cannot. Only someone with the "bank clerk" role can print detailed transaction records. Only a "bank president" can enter the bank vault to withdraw money, so only President Zhang can, because he has the "bank president" role.
This is role-based access control, or RBAC.
Inheritance of roles
Roles can be inherited. For example, we define them as follows:
* Every "bank president" is a "bank clerk," that is, a bank president can do anything a bank clerk can do.
* Every "bank clerk" is a "customer"; likewise, a bank clerk can do anything a customer can do.
Then the role relationship becomes:
* President Zhang has a role: bank president.
* Clerk Wang has a role: bank clerk.
* Xiao Li has a role: customer.
This is simpler. This is the inheritance of roles.
Inheritance of tasks
A task can contain another task, such as "Enter the bank."
We give the "customer" role the task "enter the bank." That is, the customer can perform the task of entering the bank. Next, we assume that "enter the counter" is the parent permission of "enter the bank," that is, "enter the counter" contains "enter the bank." Anyone who can "enter the counter" can "enter the bank." We give the "enter the counter" permission to the bank clerk.
So in terms of roles, Clerk Wang can enter the bank, because Wang's role is "bank clerk," and "bank clerk" contains the role "customer." The tasks that a "customer" can perform can therefore also be performed by a "bank clerk." Since a "customer" can "enter the bank," Clerk Wang can also "enter the bank." This is the inheritance of roles.
Let's assume that there is a Leader Zhao, a superior, who can enter the counter for inspection. So our task relationship is:
* Leader Zhao has a task: enter the counter.
Then Leader Zhao can "enter the bank," because "enter the bank" is a task contained by "enter the counter." Anyone who can perform "enter the counter" can perform "enter the bank." This is the inheritance of tasks.
About operations
An operation is the level that cannot be divided further. That is, an operation cannot contain other operations. Suppose we have an operation called "withdraw money from the bank vault." Let's make this an operation involving "enter the counter." Then any role that can perform "withdraw money from the bank vault" can perform the task "enter the counter."
The relationships among the three
* A role can contain one or more other roles.
* A role can include one or more tasks.
* A role can include one or more operations.
* A task can include one or more tasks.
* A task can include one or more operations.
* An operation can only be contained by a role or a task. An operation cannot contain anything else, nor can it be subdivided.
This forms a permission management system. You don't need to dwell on the literal meaning of "task" and "operation"; they are simply two layers of permissions.
Granting permissions
We have set up RBAC permission management; next we need a web interface for managing the permissions. You have to write that code yourself.
Define authorization items by calling one of the following methods, depending on the type of item:
* CAuthManager::createRole
* CAuthManager::createTask
* CAuthManager::createOperation
Once we have a set of authorization items, we can establish the relationships between them by calling the following methods:
* CAuthManager::addItemChild
* CAuthManager::removeItemChild
* CAuthItem::addChild
* CAuthItem::removeChild
Finally, we call the following methods to assign role items to individual users:
* CAuthManager::assign
* CAuthManager::revoke
Below is an example of how to build an authorization hierarchy using the API provided:

    $auth = Yii::app()->authManager;

    // Operations: the lowest-level permissions
    $auth->createOperation('createPost', 'create a post');
    $auth->createOperation('readPost', 'read a post');
    $auth->createOperation('updatePost', 'update a post');
    $auth->createOperation('deletePost', 'delete a post');

    // Task with a business rule: a PHP code string evaluated when access is checked
    $bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
    $task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
    $task->addChild('updatePost');

    // Roles: each role inherits everything added to it as a child
    $role = $auth->createRole('reader');
    $role->addChild('readPost');

    $role = $auth->createRole('author');
    $role->addChild('reader');
    $role->addChild('createPost');
    $role->addChild('updateOwnPost');

    $role = $auth->createRole('editor');
    $role->addChild('reader');
    $role->addChild('updatePost');

    $role = $auth->createRole('admin');
    $role->addChild('editor');
    $role->addChild('author');
    $role->addChild('deletePost');

    // Assign roles to users
    $auth->assign('reader', 'readerA');
    $auth->assign('author', 'authorB');
    $auth->assign('editor', 'editorC');
    $auth->assign('admin', 'adminD');

That is, you need to write your own management interface that lists your roles, tasks, and operations, and then manage them from that interface: adding, deleting, and modifying them.
Checking permissions
Assuming you have granted permissions through your admin interface, you can check them inside the program:

    if (Yii::app()->user->checkAccess('createPost')) {
        // Access granted: display the form and carry out the operation here
    } else {
        // Access denied: redirect or display a warning
    }

The above code checks whether the user can execute "createPost," which can be a task or an operation.
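Added example (not code from the original article or from Yii): a framework-free PHP model of the hierarchy built above, showing how a check walks from the requested item up to an assigned role and why the `updateOwnPost` rule needs the post passed in. The `$rbac` array layout, the standalone `checkAccess()` function, the closure-based rule and the array-shaped sample posts are assumptions of this sketch; Yii itself stores business rules as PHP code strings.

```php
<?php
// Added sketch: framework-free model of the article's hierarchy (not Yii's code).
$rbac = [
    'parents' => [ // child => parents, mirroring the addChild() calls above
        'readPost'      => ['reader'],
        'createPost'    => ['author'],
        'updateOwnPost' => ['author'],
        'updatePost'    => ['updateOwnPost', 'editor'],
        'deletePost'    => ['admin'],
        'reader'        => ['author', 'editor'],
        'author'        => ['admin'],
        'editor'        => ['admin'],
    ],
    // Business rules as closures (assumption; Yii stores them as PHP code strings)
    'rules' => [
        'updateOwnPost' => function ($userId, array $params) {
            return isset($params['post']['authID']) && $params['post']['authID'] === $userId;
        },
    ],
    'assignments' => [
        'readerA' => ['reader'], 'authorB' => ['author'],
        'editorC' => ['editor'], 'adminD'  => ['admin'],
    ],
];

// Walk up from the requested item to one assigned to the user; a failing rule blocks its path.
function checkAccess(array $rbac, $item, $userId, array $params = [])
{
    $rule = $rbac['rules'][$item] ?? null;
    if ($rule !== null && !$rule($userId, $params)) {
        return false;
    }
    if (in_array($item, $rbac['assignments'][$userId] ?? [], true)) {
        return true;
    }
    foreach ($rbac['parents'][$item] ?? [] as $parent) {
        if (checkAccess($rbac, $parent, $userId, $params)) {
            return true;
        }
    }
    return false;
}

$own   = ['post' => ['authID' => 'authorB']];     // constructed sample posts
$other = ['post' => ['authID' => 'someoneElse']];
var_dump(checkAccess($rbac, 'updatePost', 'authorB', $own));   // author, own post
var_dump(checkAccess($rbac, 'updatePost', 'authorB', $other)); // author, someone else's post
var_dump(checkAccess($rbac, 'updatePost', 'authorB'));         // post not passed: rule fails closed
var_dump(checkAccess($rbac, 'updatePost', 'editorC', $other)); // editor, any post
```

Checking `updatePost` with the post in the parameters serves authors (through `updateOwnPost`) and editors with one call; leaving the post out makes the ownership rule deny rather than allow.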