Shulou(Shulou.com)06/03 Report--

This article will explain in detail how to use RBAC in Yii. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

Start preparing.

Yii provides a powerful configuration mechanism and many off-the-shelf class libraries. Using RBAC in Yii is simple, and you don't need to write RBAC code at all. So the preparation is, open the editor and come with me.

Set parameters, set up a database

In the configuration array, add the following:

The copy code is as follows:

'components' = > array (

/ /.

'authManager'= > array (

'class'= >' CDbAuthManager',// authentication class name

'defaultRoles'= > array (' guest'), / / default role

'itemTable' = >' pre_auth_item',// authentication entry table name

'itemChildTable' = >' pre_auth_item_child',// authentication item parent-child relationship

'assignmentTable' = >' pre_auth_assignment',// authentication entry weighting relationship

),

/ /.

So how to build these three data tables? It's very simple. Go to see framework/web/auth/schema.sql. Be careful to match your custom table name. For example, you need to change the AuthItem in the SQL file to pre_auth_item. Then run the statements in the SQL file in the database.

Understand the concept

You might ask, where's the rest of the code? I'm telling you, no. The RBAC system was set up in this way. But in order to use it, you need to understand how it works. I'll try to talk a little longer. The official RBAC document is here, but I have read it 4-5 times before I understand it. )

Three concepts

What you need to understand is that authorized projects can be divided into operations (action), tasks (task) and roles (role).

A user has one or more roles. For example, we have three roles here: bank governor, bank clerk, and customer. Let's assume:

* President Zhang has a role: bank governor, bank clerk, customer (others can save money on their own).

* staff Wang has roles: bank staff, customers.

* Xiao Li has a role: a customer.

Then, accordingly, Xiao Li can do what customers can do, and so can clerk Wang and President Zhang. Wang clerk and President Zhang can do what the bank staff can do, but Xiao Li can't.

For example, if a "customer" can save money, then President Zhang, Wang clerk and Xiao Li who have the role of "customer" can all save money. "Bank staff" can print customer transaction records, so both Zhang President and Wang staff with the role of "bank clerk" can, while Xiao Li cannot, you must find a person with the role of "bank clerk" to print detailed transaction records. A "bank governor" can enter the bank treasury to withdraw money, then only president Zhang can, because it has the role of "bank president".

This is the role-based authentication system, referred to as RBAC.

Inheritance of roles

Roles can be inherited, for example, we specify the following:

* all "bank governors" are "bank staff", that is, as long as bank staff can do things, bank governors can do.

* all "bank staff" are customers. As above, bank staff can also do what customers can do.

Then the role relationship becomes:

* President Zhang has a role as the president of the bank.

* Clerk Wong has a role: bank clerk.

* Xiao Li has a role: a customer.

It's even easier this way. This is role inheritance.

Inheritance of tasks

A task (task) can contain another task. Let's give an example, such as "enter the bank".

We set the role of "customer" to have "access to the bank". In other words, the "customer" can perform the task of "entering the bank". Next, we assume that "entering the counter" is the parent authority to enter the bank, that is, "entering the counter" includes "entering the bank". Anyone who can "enter the counter" can "enter the bank". We assign the task of "entering the counter" to the "bank clerk".

So from the role, Wang clerk can enter the bank, because Wang clerk's role is "bank clerk", and "bank clerk" includes the role of "customer". Then the "tasks" that can be carried out by "customers" can also be carried out for "bank staff". And the "customer" can "enter the bank", then the Wang clerk can also "enter the bank". This is brought about by the inheritance of roles.

Let's assume that there is a leader Zhao, who is a superior leader, who can enter the counter for inspection. So, our mission relationship is:

* Leader Zhao has a task: enter the counter.

In that case, leader Zhao can "enter the bank". Because "entering the bank" is a task included by "entering the counter". Anyone who can perform "enter the counter" can perform "enter the bank". This is the inheritance of tasks.

About action.

Action is an inseparable level. In other words. And one action cannot include other actions. Suppose we have an action called "withdraw money from the bank warehouse". We take this action as including "entering the counter". So as long as you can perform the role of "withdrawing money from the bank warehouse", you can perform the task of "entering the counter".

Relationship among the three

* A role can contain one or more roles.

* A role can contain one or more tasks.

* A role can contain one or more actions.

*

* A task can contain one or more tasks.

* A task can include one or more actions.

*

* an action can only be contained by a role or task, and an action cannot be included or divided.

In this way, a rights management system is formed. You don't have to think about the literal meaning of "task" and "action". These two are the formation of two layers of authority.

To empower

We have established RBAC rights management, so we need to carry on the WEB management of permissions. You need to write your own code.

Call one of the following methods to define authorized projects based on different types of projects:

* CAuthManager::createRole

* CAuthManager::createTask

* CAuthManager::createOperation

Once we have a set of authorized projects, we can call the following methods to establish an authorized project relationship:

* CAuthManager::addItemChild

* CAuthManager::removeItemChild

* CAuthItem::addChild

* CAuthItem::removeChild

Finally, we call the following methods to assign role items to each user:

* CAuthManager::assign

* CAuthManager::revoke

Below we will show an example of establishing an authorization level with the API provided:

The copy code is as follows:

$auth=Yii::app ()-> authManager

$auth- > createOperation ('createPost','create a post')

$auth- > createOperation ('readPost','read a post')

$auth- > createOperation ('updatePost','update a post')

$auth- > createOperation ('deletePost','delete a post')

$bizRule='return Yii::app ()-> user- > id==$params ["post"]-> authID;'

$task=$auth- > createTask ('updateOwnPost','update a post by author himself',$bizRule)

$task- > addChild ('updatePost')

$role=$auth- > createRole ('reader')

$role- > addChild ('readPost')

$role=$auth- > createRole ('author')

$role- > addChild ('reader')

$role- > addChild ('createPost')

$role- > addChild ('updateOwnPost')

$role=$auth- > createRole ('editor')

$role- > addChild ('reader')

$role- > addChild ('updatePost')

$role=$auth- > createRole ('admin')

$role- > addChild ('editor')

$role- > addChild ('author')

$role- > addChild ('deletePost')

$auth- > assign ('reader','readerA')

$auth- > assign ('author','authorB')

$auth- > assign ('editor','editorC')

$auth- > assign ('admin','adminD')

In other words, you need to write your own management interface to list your roles, tasks, and actions, and then you can manage it on this interface. For example, add, delete, modify.

Permission check

Assuming that you have been empowered in your administration interface, you can check permissions in the program:

The copy code is as follows:

If (Yii::app ()-> user- > checkAccess ('createPost'))

{

/ / actions such as forms can be displayed here

} else {

/ / if the check fails, you can jump or display a warning.

}

The above code checks whether the user can execute "createPost", which can be a task or an action.

This is the end of this article on "how to use RBAC in Yii". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.