yii下,filters()和accessControl()是YII基本的访问控制体系, public function filters(){ return array( 'accessControl', ); } public function accessControl(){ return array( array( 'allow', //allow or deny 允许或者拒绝 'controllers' => array('controllersList'), //对控制器进行访问控制 'actions' => array('actionsList'), //对action进行访问控制 'users' => array('usersList'), //对用户 'roles' => array('roles'), //对角色 'ips' => array('ip 地址'), //对客户端地址 'verbs' => array('GET','POST'), //对客户端的请求方式 'expression' => '' //对表达式(一般是业务逻辑) 'message' => 'thank your access', //错误信息提示,一般是deny时用到 ), array(....), .... array('deny', users => array('*')), ); } 好了,有了以上的访问控制,我们针对上面的roles进行讨论RBAC。 Yii的RBAC是基于一个组件authManager的,可以先在main。php中配置authManager authManger分为基于数据库的和基于PHP脚本的,一般如果你的应用程序基于数据库(mysql或者pgsql),最好把authManger配置为CDbAuthManger,而不是CPhpAuthManger。 ... 'authManager' => array( 'class' => 'CDbAuthManager', 'connectionID' => 'db', ), 'db' => array(...), ... 配置好了以后,需要在数据库中增加3个存放RBAC规则的表: AuthItem -- 存放建立的授权项目(role、task或者opration) AuthItemChild -- 存放授权项目的继承关系 AuthAssignMent -- 存放用户和授权项目的关系表 - CREATE TABLE `authitem` (
- `name` varchar(64) NOT NULL,
- `type` int(11) NOT NULL,
- `description` text,
- `bizrule` text,
- `data` text,
- PRIMARY KEY (`name`)
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- CREATE TABLE `authitemchild` (
- `parent` varchar(64) NOT NULL,
- `child` varchar(64) NOT NULL,
- PRIMARY KEY (`parent`,`child`),
- KEY `child` (`child`),
- CONSTRAINT `authitemchild_ibfk_1` FOREIGN KEY (`parent`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE,
- CONSTRAINT `authitemchild_ibfk_2` FOREIGN KEY (`child`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- CREATE TABLE `authassignment` (
- `itemname` varchar(64) NOT NULL,
- `userid` varchar(64) NOT NULL,
- `bizrule` text,
- `data` text,
- PRIMARY KEY (`itemname`,`userid`),
- CONSTRAINT `authassignment_ibfk_1` FOREIGN KEY (`itemname`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
建好表以后,就可以用Yii提供的authManger组件的API建立相关的授权项目,并指定授权关系了。 下面是一个例子: 下面做一个实例: 我们要实现上面的授权关系。 - class AuthManagerController extends Controller {
- public function actionIndex(){
- $auth = Yii::app()->authManager;
- if ($auth !== NULL){
- $auth->clearAll();
- //create roles
- $roleOwner = $auth->createRole('owner');
- $roleReader = $auth->createRole('reader');
- $roleMember = $auth->createRole('member');
- $roleBlackList = $auth->createRole('blackList');
- //create operations
- //issues
- $auth->createOperation('createIssue', 'create issue in project');
- $auth->createOperation('readIssue', 'read issue');
- $auth->createOperation('updateIssue', 'update issue');
- $auth->createOperation('deleteIssue', 'delete issue');
- //projects
- $auth->createOperation('createProject', 'create a new project');
- $auth->createOperation('readProject', 'read project');
- $auth->createOperation('updateProject', 'update project');
- $auth->createOperation('deleteProject', 'delete project');
- //users
- $auth->createOperation('createUser', 'create a new user');
- $auth->createOperation('readUser', 'read user');
- $auth->createOperation('updateUser', 'update user');
- $auth->createOperation('deleteUser', 'delete user');
- //authorization
- $roleReader->addChild('readIssue');
- $roleReader->addChild('readProject');
- $roleReader->addChild('readUser');
- $roleMember->addChild('reader');
- $roleMember->addChild('createIssue');
- $roleMember->addChild('updateIssue');
- $roleMember->addChild('deleteIssue');
- $roleOwner->addChild('reader');
- $roleOwner->addChild('member');
- $roleOwner->addChild('createProject');
- $roleOwner->addChild('updateProject');
- $roleOwner->addChild('deleteProject');
- $roleOwner->addChild('createUser');
- $roleOwner->addChild('updateUser');
- $roleOwner->addChild('deleteUser');
- //assign
- //此时,在Issue中的rules中设置view和index的roles=>array('member'),不管是什么用户,都无法访问这两个action
- $userAdmin = User::model()->findByAttributes(array('username' => 'admin'));
- $auth->assign('owner', $userAdmin->id);
- $auth->assign('member', $userAdmin->id); //将用户名为admin(id=3)指定为member角色,这样就可以访问了。
- $auth->assign('reader', $userAdmin->id);
- $userDemo = User::model()->findByAttributes(array('username' => 'demo'));
- $auth->assign('member', $userDemo->id); //将用户名为admin(id=3)指定为member角色,这样就可以访问了。
- $auth->assign('reader', $userDemo->id); //将用户名为demo(id=4)指定为reader角色
- $userDemo2 = User::model()->findByAttributes(array('username' => 'demo2'));
- $auth->assign('reader', $userDemo2->id); //将用户名为demo(id=4)指定为reader角色
- $userBlackList = User::model()->findByAttributes(array('username' => 'demo3'));
- $auth->assign('blackList', $userBlackList->id);
- }else{
- $message = 'Please config your authManage as a compontion in main.php';
- throw new CHttpException(0, $message);
- }
- }
- }
建立授权关系以后,更新accessRules为: - public function accessRules()
- {
- return array(
- array('allow', // allow all users to perform 'index' and 'view' actions
- 'actions'=>array('index','view'),
- 'users'=>array('@'),
- 'roles' => array('member', 'owner', 'reader'),
- ),
- array('allow', // allow authenticated user to perform 'create' and 'update' actions
- 'actions'=>array('create','update'),
- 'users'=>array('@'),
- 'roles' => array('member', 'owner'),
- ),
- array('allow', // allow admin user to perform 'admin' and 'delete' actions
- 'actions'=>array('admin','delete'),
- 'users'=>array('@'),
- 'roles' => array('owner'),
- ),
- array('deny', // deny all users
- 'users'=>array('*'),
- ),
- );
- }
就是把刚刚建立的授权项目加入到访问控制列表中。 另外一个例子 - $auth = Yii::app()->authManger;
- $roleManager = $auth->createRole('manager'); //建立一个角色
- $auth->createTask('projectManager'); //建立任务
- $auth->createTask('userManager');
- $auth->createOpration('createProject'); //建立操作
- $auth->createOpration('updateProject');
- $auth->createOpration('deleteUser');
- $user = User::model()->findByPk('1'); //检索用户
- $roleManager->addChild('projectManager'); //为角色授权任务
- $roleManager->addChild('updateProject');//为角色授权操作
- $auth->assign('manager', $user->id);//指定用户权限
|