yii下,filters()和accessControl()是YII基本的訪問控制體系, public function filters(){ return array( 'accessControl', ); } public function accessControl(){ return array( array( 'allow', //allow or deny 允許或者拒絕 'controllers' => array('controllersList'), //對控制器進行訪問控制 'actions' => array('actionsList'), //對action進行訪問控制 'users' => array('usersList'), //對使用者 'roles' => array('roles'), //對角色 'ips' => array('ip 位址'), //對用戶端位址 'verbs' => array('GET','POST'), //對用戶端的請求方式 'expression' => '', //對表達式(一般是業務邏輯) 'message' => 'thank your access', //錯誤資訊提示,一般是deny時用到 ), array(....), .... array('deny', 'users' => array('*')), ); } 好了,有了以上的訪問控制,我們針對上面的roles進行討論RBAC。 Yii的RBAC是基於一個元件authManager的,可以先在main.php中配置authManager。authManager分為基於資料庫的和基於PHP腳本的,一般如果你的應用程式基於資料庫(mysql或者pgsql),最好把authManager配置為CDbAuthManager,而不是CPhpAuthManager。 ... 'authManager' => array( 'class' => 'CDbAuthManager', 'connectionID' => 'db', ), 'db' => array(...), ... 配置好了以後,需要在資料庫中增加3個存放RBAC規則的表: AuthItem -- 存放建立的授權項目(role、task或者operation) AuthItemChild -- 存放授權項目的繼承關係 AuthAssignment -- 存放使用者和授權項目的關係表 - CREATE TABLE `authitem` (
- `name` varchar(64) NOT NULL,
- `type` int(11) NOT NULL,
- `description` text,
- `bizrule` text,
- `data` text,
- PRIMARY KEY (`name`)
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- authitemchild: the parent/child edges of the authorization hierarchy
-- (role -> task -> operation). Both endpoints reference authitem.name, and the
-- cascades keep the edges consistent when an item is renamed or deleted.
CREATE TABLE `authitemchild` (
  `parent` varchar(64) NOT NULL,
  `child`  varchar(64) NOT NULL,
  PRIMARY KEY (`parent`, `child`),
  INDEX `child` (`child`),
  CONSTRAINT `authitemchild_ibfk_1` FOREIGN KEY (`parent`) REFERENCES `authitem` (`name`)
    ON DELETE CASCADE ON UPDATE CASCADE,
  CONSTRAINT `authitemchild_ibfk_2` FOREIGN KEY (`child`) REFERENCES `authitem` (`name`)
    ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE = InnoDB DEFAULT CHARACTER SET = utf8;

-- authassignment: which auth item each user holds. userid is a free-form
-- varchar so it can carry whatever the application uses as its user id.
-- bizrule/data hold the optional per-assignment business rule; in Yii 1 the
-- authManager evaluates bizrule as PHP, so treat the column as code and let
-- only trusted administrative paths write it.
CREATE TABLE `authassignment` (
  `itemname` varchar(64) NOT NULL,
  `userid`   varchar(64) NOT NULL,
  `bizrule`  text,
  `data`     text,
  PRIMARY KEY (`itemname`, `userid`),
  CONSTRAINT `authassignment_ibfk_1` FOREIGN KEY (`itemname`) REFERENCES `authitem` (`name`)
    ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE = InnoDB DEFAULT CHARACTER SET = utf8;
建好表以後,就可以用Yii提供的authManager元件的API建立相關的授權項目,並指定授權關係了。 下面做一個實例,實現上面的授權關係: - class AuthManagerController extends Controller {
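/**
 * Seeds the RBAC hierarchy: wipes every existing auth item, child relation and
 * assignment, re-creates the roles and operations below, and assigns roles to
 * the demo users.
 *
 * clearAll() makes this action destructive, so it is a one-off setup step and
 * must not stay reachable by arbitrary (or anonymous) users: restrict it via
 * the controller's filters()/accessRules(), or move it to a console command.
 *
 * Hierarchy built here:
 *   reader    -> readIssue, readProject, readUser
 *   member    -> reader, createIssue, updateIssue, deleteIssue
 *   owner     -> reader, member, createProject, updateProject, deleteProject,
 *                createUser, updateUser, deleteUser
 *   blackList -> (no children, so it grants nothing)
 *
 * @throws CHttpException 500 when no authManager component is available,
 *                        404 when one of the seed users does not exist
 */
public function actionIndex()
{
    $auth = Yii::app()->authManager;
    // NOTE(review): a web application normally ships a default authManager, so
    // this branch is mostly a guard against misconfiguration. The original
    // threw with status 0, which is not a valid HTTP status; 500 is.
    if ($auth === null) {
        throw new CHttpException(500, 'Please config your authManage as a compontion in main.php');
    }

    $auth->clearAll();

    // roles
    $roleOwner  = $auth->createRole('owner');
    $roleReader = $auth->createRole('reader');
    $roleMember = $auth->createRole('member');
    $auth->createRole('blackList');

    // operations, grouped by the entity they act on (name => description)
    $operations = array(
        // issues
        'createIssue'   => 'create issue in project',
        'readIssue'     => 'read issue',
        'updateIssue'   => 'update issue',
        'deleteIssue'   => 'delete issue',
        // projects
        'createProject' => 'create a new project',
        'readProject'   => 'read project',
        'updateProject' => 'update project',
        'deleteProject' => 'delete project',
        // users
        'createUser'    => 'create a new user',
        'readUser'      => 'read user',
        'updateUser'    => 'update user',
        'deleteUser'    => 'delete user',
    );
    foreach ($operations as $name => $description) {
        $auth->createOperation($name, $description);
    }

    // hierarchy: the items each role inherits
    $this->addChildren($roleReader, array('readIssue', 'readProject', 'readUser'));
    $this->addChildren($roleMember, array('reader', 'createIssue', 'updateIssue', 'deleteIssue'));
    $this->addChildren($roleOwner, array(
        'reader', 'member',
        'createProject', 'updateProject', 'deleteProject',
        'createUser', 'updateUser', 'deleteUser',
    ));

    // assignments (username => roles). Until a user holds a role, an
    // accessRules() entry such as roles => array('member') on view/index
    // denies that user no matter who they are.
    $assignments = array(
        'admin' => array('owner', 'member', 'reader'),
        'demo'  => array('member', 'reader'),
        'demo2' => array('reader'),
        'demo3' => array('blackList'),
    );
    foreach ($assignments as $username => $roles) {
        $user = $this->findUserByUsername($username);
        foreach ($roles as $role) {
            $auth->assign($role, $user->id);
        }
    }
}

/**
 * Adds every item name in $children as a child of $item.
 *
 * @param CAuthItem $item     parent auth item (role)
 * @param array     $children list of child item names
 */
private function addChildren($item, array $children)
{
    foreach ($children as $child) {
        $item->addChild($child);
    }
}

/**
 * Looks up a user by username, failing loudly instead of letting a missing
 * seed user turn into a "property of non-object" fatal on ->id.
 *
 * @param string $username
 * @return User
 * @throws CHttpException 404 when no such user exists
 */
private function findUserByUsername($username)
{
    $user = User::model()->findByAttributes(array('username' => $username));
    if ($user === null) {
        throw new CHttpException(404, "User '{$username}' does not exist");
    }
    return $user;
}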
- }
建立授權關係以後,更新accessRules為(同一條規則內的 'users'、'roles' 等條件須同時滿足才會命中): - public function accessRules()
- {
- return array(
- array('allow', // allow all users to perform 'index' and 'view' actions
- 'actions'=>array('index','view'),
- 'users'=>array('@'),
- 'roles' => array('member', 'owner', 'reader'),
- ),
- array('allow', // allow authenticated user to perform 'create' and 'update' actions
- 'actions'=>array('create','update'),
- 'users'=>array('@'),
- 'roles' => array('member', 'owner'),
- ),
- array('allow', // allow admin user to perform 'admin' and 'delete' actions
- 'actions'=>array('admin','delete'),
- 'users'=>array('@'),
- 'roles' => array('owner'),
- ),
- array('deny', // deny all users
- 'users'=>array('*'),
- ),
- );
- }
就是把剛剛建立的授權項目加入到訪問控制清單中。 另外一個例子: - $auth = Yii::app()->authManager;
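/*
 * Second example: a "manager" role that inherits a task and an operation.
 * $auth is the authManager component obtained on the line above.
 */
$roleManager = $auth->createRole('manager');   // create a role
$auth->createTask('projectManager');           // create tasks
$auth->createTask('userManager');
// The API is createOperation (as used earlier on this page); createOpration
// does not exist and would fail at runtime.
$auth->createOperation('createProject');       // create operations
$auth->createOperation('updateProject');
$auth->createOperation('deleteUser');
$user = User::model()->findByPk('1');          // look up the user
if ($user === null) {
    // findByPk() returns null for an unknown key; fail before touching ->id
    throw new CHttpException(404, 'User 1 does not exist');
}
$roleManager->addChild('projectManager');      // grant the task to the role
$roleManager->addChild('updateProject');       // grant the operation to the role
$auth->assign('manager', $user->id);           // assign the role to the user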