In Yii, filters() together with the accessControl filter (whose rules come from accessRules()) form the framework's basic access-control mechanism:

    public function filters()
    {
        return array(
            'accessControl',
        );
    }

    public function accessRules()
    {
        return array(
            array(
                'allow',                                   // allow or deny
                'controllers' => array('controllersList'), // restrict by controller
                'actions'     => array('actionsList'),     // restrict by action
                'users'       => array('usersList'),       // restrict by user
                'roles'       => array('roles'),           // restrict by role
                'ips'         => array('ip address'),      // restrict by client address
                'verbs'       => array('GET', 'POST'),     // restrict by HTTP request method
                'expression'  => '',                       // PHP expression (usually business logic)
                'message'     => 'thank your access',      // error message, normally used with deny
            ),
            array(....),
            ....
            array('deny', 'users' => array('*')),
        );
    }
With the access-control list above in place, let's focus on the roles entry and discuss RBAC.
Yii's RBAC is built on the authManager component, which is configured first in main.php.
authManager comes in a database-backed variant and a PHP-script-backed variant. If your application is backed by a database (MySQL or PostgreSQL), it is best to configure authManager as CDbAuthManager rather than CPhpAuthManager.
    ...
    'authManager' => array(
        'class'        => 'CDbAuthManager',
        'connectionID' => 'db',
    ),
    'db' => array(...),
    ...
Once that is configured, three tables holding the RBAC rules must be added to the database:
AuthItem -- stores the authorization items you create (roles, tasks or operations)
AuthItemChild -- stores the parent/child (inheritance) relationships between authorization items
AuthAssignment -- stores which users are assigned which authorization items
    CREATE TABLE `authitem` (
        `name` varchar(64) NOT NULL,
        `type` int(11) NOT NULL,
        `description` text,
        `bizrule` text,
        `data` text,
        PRIMARY KEY (`name`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    CREATE TABLE `authitemchild` (
        `parent` varchar(64) NOT NULL,
        `child` varchar(64) NOT NULL,
        PRIMARY KEY (`parent`,`child`),
        KEY `child` (`child`),
        CONSTRAINT `authitemchild_ibfk_1` FOREIGN KEY (`parent`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE,
        CONSTRAINT `authitemchild_ibfk_2` FOREIGN KEY (`child`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    CREATE TABLE `authassignment` (
        `itemname` varchar(64) NOT NULL,
        `userid` varchar(64) NOT NULL,
        `bizrule` text,
        `data` text,
        PRIMARY KEY (`itemname`,`userid`),
        CONSTRAINT `authassignment_ibfk_1` FOREIGN KEY (`itemname`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
With the tables created, the authManager component's API can be used to create the authorization items and define the relationships between them.
Here is a worked example that implements the authorization hierarchy described above:
    class AuthManagerController extends Controller
    {
        public function actionIndex()
        {
            $auth = Yii::app()->authManager;

            if ($auth !== null) {
                $auth->clearAll();

                // create roles
                $roleOwner     = $auth->createRole('owner');
                $roleReader    = $auth->createRole('reader');
                $roleMember    = $auth->createRole('member');
                $roleBlackList = $auth->createRole('blackList');

                // create operations
                // issues
                $auth->createOperation('createIssue', 'create issue in project');
                $auth->createOperation('readIssue', 'read issue');
                $auth->createOperation('updateIssue', 'update issue');
                $auth->createOperation('deleteIssue', 'delete issue');

                // projects
                $auth->createOperation('createProject', 'create a new project');
                $auth->createOperation('readProject', 'read project');
                $auth->createOperation('updateProject', 'update project');
                $auth->createOperation('deleteProject', 'delete project');

                // users
                $auth->createOperation('createUser', 'create a new user');
                $auth->createOperation('readUser', 'read user');
                $auth->createOperation('updateUser', 'update user');
                $auth->createOperation('deleteUser', 'delete user');

                // authorization: build the hierarchy (a parent item inherits everything its children grant)
                $roleReader->addChild('readIssue');
                $roleReader->addChild('readProject');
                $roleReader->addChild('readUser');

                $roleMember->addChild('reader');
                $roleMember->addChild('createIssue');
                $roleMember->addChild('updateIssue');
                $roleMember->addChild('deleteIssue');

                $roleOwner->addChild('reader');
                $roleOwner->addChild('member');
                $roleOwner->addChild('createProject');
                $roleOwner->addChild('updateProject');
                $roleOwner->addChild('deleteProject');
                $roleOwner->addChild('createUser');
                $roleOwner->addChild('updateUser');
                $roleOwner->addChild('deleteUser');

                // assign
                // At this point, if the Issue controller's rules set roles => array('member') for view and index,
                // no user at all can reach those two actions, because nobody has been assigned a role yet.
                $userAdmin = User::model()->findByAttributes(array('username' => 'admin'));
                $auth->assign('owner', $userAdmin->id);
                $auth->assign('member', $userAdmin->id); // assign the user named admin (id=3) the member role; now the actions are accessible
                $auth->assign('reader', $userAdmin->id);

                $userDemo = User::model()->findByAttributes(array('username' => 'demo'));
                $auth->assign('member', $userDemo->id); // assign the user named demo (id=4) the member role
                $auth->assign('reader', $userDemo->id); // assign the user named demo (id=4) the reader role

                $userDemo2 = User::model()->findByAttributes(array('username' => 'demo2'));
                $auth->assign('reader', $userDemo2->id); // assign the user named demo2 the reader role

                $userBlackList = User::model()->findByAttributes(array('username' => 'demo3'));
                $auth->assign('blackList', $userBlackList->id);
            } else {
                $message = 'Please configure authManager as a component in main.php';
                throw new CHttpException(500, $message);
            }
        }
    }
Once the authorization relationships exist, update accessRules() to:
    public function accessRules()
    {
        return array(
            array('allow', // allow all users to perform 'index' and 'view' actions
                'actions' => array('index', 'view'),
                'users'   => array('@'),
                'roles'   => array('member', 'owner', 'reader'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions' => array('create', 'update'),
                'users'   => array('@'),
                'roles'   => array('member', 'owner'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions' => array('admin', 'delete'),
                'users'   => array('@'),
                'roles'   => array('owner'),
            ),
            array('deny', // deny all users
                'users' => array('*'),
            ),
        );
    }
That is, the authorization items just created are added to the access-control list.
Another example:
    $auth = Yii::app()->authManager;

    $roleManager = $auth->createRole('manager'); // create a role

    $auth->createTask('projectManager'); // create tasks
    $auth->createTask('userManager');

    $auth->createOperation('createProject'); // create operations
    $auth->createOperation('updateProject');
    $auth->createOperation('deleteUser');

    $user = User::model()->findByPk('1'); // look up the user

    $roleManager->addChild('projectManager'); // grant the task to the role
    $roleManager->addChild('updateProject');  // grant the operation to the role

    $auth->assign('manager', $user->id); // assign the role to the user
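As an added example (not code from the original post), here is how a record-level ownership check fits on top of the items built in the two examples above: a task whose bizrule grants updateIssue only to the issue's creator, and the controller check that enforces it. It assumes Yii 1.1 with the CDbAuthManager configuration shown earlier, an Issue model with an owner_id column, and the application's base Controller class; the function name, the model and the column are assumptions.

```php
<?php
// Added example, not from the original post. Assumes Yii 1.1, the authManager
// configuration above, and an Issue ActiveRecord with an 'owner_id' column.

// One-off setup, to be run once (e.g. from the AuthManagerController above).
function installOwnIssueTask()
{
    $auth = Yii::app()->authManager;
    // A bizrule is PHP code evaluated by the auth manager on every checkAccess();
    // $params is the array handed to checkAccess(). It must return true for the
    // item to apply, so guard against a missing parameter instead of assuming it.
    $bizRule = 'return isset($params["issue"]) '
             . '&& Yii::app()->user->id == $params["issue"]->owner_id;';
    $task = $auth->createTask('updateOwnIssue', 'update an issue you created', $bizRule);
    $task->addChild('updateIssue');                            // operation applies only when the rule passes
    $auth->getAuthItem('reader')->addChild('updateOwnIssue');  // readers may edit their own issues
}

class IssueController extends Controller
{
    public function filters()
    {
        return array('accessControl');
    }

    // accessRules() only decides whether the user may reach the action; it cannot
    // see which record is being edited, so the ownership check lives in the action.
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('update'), 'users' => array('@')),
            array('deny', 'users' => array('*')),   // keep the explicit final deny
        );
    }

    public function actionUpdate($id)
    {
        $issue = Issue::model()->findByPk((int) $id);
        if ($issue === null) {
            throw new CHttpException(404, 'Issue not found');
        }
        // checkAccess() walks from updateIssue up to the caller's assigned items:
        // member/owner hold updateIssue outright; a reader only passes through
        // updateOwnIssue, whose bizrule compares owner_id with the current user.
        if (!Yii::app()->user->checkAccess('updateIssue', array('issue' => $issue))) {
            throw new CHttpException(403, 'You are not allowed to update this issue');
        }
        // ... load the form, save and redirect
    }
}
```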