A complete guide to using RBAC in Yii (user role privilege control)


Preface
* My feed address has been changed to http://feeds.imdong.net; please update your reader.
* The following content applies to Yii 1.0.x; other versions may differ slightly.
* Based on your comments and feedback, this article will continue to be revised and extended to help new learners.

Getting started
Yii provides a powerful configuration mechanism and many out-of-the-box class libraries. Using RBAC in Yii is simple and requires writing no RBAC code at all. So all you need to do is open your editor and follow along.
Setting parameters and setting up the database
In the configuration array, add the following:

'components' => array(
    ......
    'authManager' => array(
        'class' => 'CDbAuthManager', // auth manager class name
        'defaultRoles' => array('guest'), // default roles
        'itemTable' => 'pre_auth_item', // auth item table name
        'itemChildTable' => 'pre_auth_item_child', // auth item parent-child relationship table
        'assignmentTable' => 'pre_auth_assignment', // auth item assignment table
    ),
    ......

So how are these three tables created? It is simple: see framework/web/auth/schema.sql. Note that the table names must match your custom table names. For example, AuthItem in the SQL file must be changed to pre_auth_item. Then run the statements in this SQL file against your database.

Understanding the concepts
You might ask: what about the rest of the code? As I told you, there is none. The RBAC system is set up just like that. But in order to use it, you need to understand how it works. I'll try to explain it in a bit more detail. (The official RBAC documentation is here, but I've read it 4-5 times before.)

Three concepts
What you need to know is that authorization items are divided into operations (actions), tasks and roles.
A user has one or more roles. For example, we have three roles: bank governor, bank clerk and customer. We assume that:
* President Zhang has the roles: bank governor, bank clerk, customer (he can deposit money himself, too).
* Clerk Wang has the roles: bank clerk, customer.
* Xiao Li has the role: customer.

So, whatever a customer can do, Xiao Li can do, and so can Clerk Wang and President Zhang. Whatever a bank clerk can do, Clerk Wang and President Zhang can do, but Xiao Li cannot.

For example, a "customer" can deposit money, so President Zhang, Clerk Wang and Xiao Li, who all have the "customer" role, can deposit money. A "bank clerk" can print a customer's transaction records, so President Zhang and Clerk Wang, who have the "bank clerk" role, can do so, while Xiao Li cannot and must find someone with the "bank clerk" role to print detailed transaction records. A "bank governor" can enter the bank vault to withdraw money, so only President Zhang can, because only he has the "bank governor" role.
This is a role-based authorization system, RBAC for short.

Inheritance of roles
Roles can be inherited. For example, we set the following rules:
* All "bank governors" are "bank clerks"; that is, a bank governor can do anything a bank clerk can do.
* All "bank clerks" are "customers"; likewise, a bank clerk can do anything a customer can do.
Then the role assignments become:
* President Zhang has the role: bank governor.
* Clerk Wang has the role: bank clerk.
* Xiao Li has the role: customer.
This is simpler, and this is role inheritance.

Inheritance of tasks
A task can contain another task. Take "enter the bank" as an example.
We give the "customer" role the "enter the bank" permission; in other words, a "customer" can perform the "enter the bank" task. Next, we assume that "enter the counter" is the parent permission of "enter the bank"; that is, "enter the counter" contains "enter the bank". Anyone who can "enter the counter" can "enter the bank". We assign the "enter the counter" task to the "bank clerk" role.

From the role side, Clerk Wang can enter the bank, because his role is "bank clerk", and "bank clerk" contains the "customer" role, so any task a "customer" can perform, a "bank clerk" can perform too. Since a "customer" can "enter the bank", Clerk Wang can also "enter the bank". This comes from role inheritance.

Now suppose there is a Leader Zhao, a superior who can enter the counter for inspections. Our task assignment is then:
* Leader Zhao has the task: enter the counter.
Then Leader Zhao can "enter the bank", because "enter the bank" is a task contained in "enter the counter". Anyone who can perform "enter the counter" can perform "enter the bank". This is task inheritance.

About actions
An action is the lowest level and cannot be subdivided. In other words, an action cannot contain other actions. Suppose we have an action called "withdraw money from the bank vault", and we include this action in the "enter the counter" task. Then any role that can perform the "enter the counter" task can perform "withdraw money from the bank vault".

Relationship among the three
* A role can contain one or more other roles.
* A role can contain one or more tasks.
* A role can contain one or more actions.
* A task can contain one or more other tasks.
* A task can contain one or more actions.
* An action can only be contained by a role or a task; an action cannot contain anything else, nor can it be subdivided.
In this way, a permission management system is formed. You don't have to think about "tasks" and "actions" in terms of their literal meaning. They simply form two levels of permissions.

Assigning permissions
We have set up RBAC permission management; next we need a web interface for managing permissions. This requires you to write your own code.
Depending on the kind of item, call one of the following methods to define an authorization item:
* CAuthManager::createRole
* CAuthManager::createTask
* CAuthManager::createOperation
Once we have a set of authorization items, we can call the following methods to establish relationships between them:
* CAuthManager::addItemChild
* CAuthManager::removeItemChild
* CAuthItem::addChild
* CAuthItem::removeChild
Finally, we call the following methods to assign role items to individual users:
* CAuthManager::assign
* CAuthManager::revoke
The following example builds an authorization hierarchy with the provided API:

$auth = Yii::app()->authManager;
// Operations: the lowest-level permissions
$auth->createOperation('createPost', 'create a post');
$auth->createOperation('readPost', 'read a post');
$auth->createOperation('updatePost', 'update a post');
$auth->createOperation('deletePost', 'delete a post');
// Task with a business rule: only the post's author passes
$bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
$task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
$task->addChild('updatePost');
// Roles, each containing operations, tasks or other roles
$role = $auth->createRole('reader');
$role->addChild('readPost');
$role = $auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost');
$role = $auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost');
$role = $auth->createRole('admin');
$role->addChild('editor');
$role->addChild('author');
$role->addChild('deletePost');
// Assign roles to users (role name, user ID)
$auth->assign('reader', 'readerA');
$auth->assign('author', 'authorB');
$auth->assign('editor', 'editorC');
$auth->assign('admin', 'adminD');

In other words, you need to write a management interface that lists your roles, tasks and actions, and then manage them there: for example, add, delete and modify them.

Permission check
Assuming that you have granted permissions in your management interface, you can check permissions in your program:

if (Yii::app()->user->checkAccess('createPost'))
{
    // Here you can show the form, action buttons, etc.
} else {
    // The check failed: redirect or show a warning
}

The code above checks whether the user can perform "createPost"; createPost may be a task or an action.
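How a check like this resolves through the role, task and operation hierarchy built above, as an added example that is not code from the original article or from Yii: a simplified stand-alone model using the article's post hierarchy. The MiniAuth class is hypothetical, the business rule is a closure instead of the PHP string the article passes as $bizRule, and the hierarchy is assumed to be acyclic (PHP 7 or later).

```php
<?php
// Added example: simplified model of RBAC hierarchy resolution, not Yii source.
final class MiniAuth
{
    private $parents = [];  // item => items that contain it
    private $rules = [];    // item => callable(userId, params): bool
    private $roles = [];    // user id => roles assigned directly
    public function addChild($parent, $child) { $this->parents[$child][] = $parent; }
    public function rule($item, callable $rule) { $this->rules[$item] = $rule; }
    public function assign($role, $userId) { $this->roles[$userId][] = $role; }
    // Walk upward from the requested item. Grant only if a chain of passing
    // rules reaches a role the user holds; everything else is denied.
    public function checkAccess($item, $userId, array $params = [])
    {
        if (isset($this->rules[$item]) && !call_user_func($this->rules[$item], $userId, $params)) {
            return false;
        }
        if (in_array($item, $this->roles[$userId] ?? [], true)) {
            return true;
        }
        foreach ($this->parents[$item] ?? [] as $parent) {
            if ($this->checkAccess($parent, $userId, $params)) {
                return true;
            }
        }
        return false;
    }
}

$auth = new MiniAuth();
$auth->addChild('updateOwnPost', 'updatePost');  // task contains the operation
$auth->addChild('author', 'updateOwnPost');
$auth->addChild('editor', 'updatePost');
$auth->rule('updateOwnPost', function ($userId, array $params) {
    return isset($params['post']) && $params['post']->authID === $userId;
});
$auth->assign('author', 'authorB');
$auth->assign('editor', 'editorC');

$cases = [  // constructed cases: user, params, expected decision for 'updatePost'
    ['authorB', ['post' => (object) ['authID' => 'authorB']], true],
    ['authorB', ['post' => (object) ['authID' => 'readerA']], false],
    ['authorB', [], false],  // rule parameter missing: denied
    ['editorC', ['post' => (object) ['authID' => 'readerA']], true],
];
foreach ($cases as list($user, $params, $want)) {
    $got = $auth->checkAccess('updatePost', $user, $params);
    printf("%-8s %-5s %s\n", $user, var_export($got, true), $got === $want ? 'ok' : 'MISMATCH');
}
```

Checking 'updatePost' rather than 'updateOwnPost' lets the hierarchy decide: an author passes only through the task's rule, while an editor passes through the direct role link.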

Miscellaneous
Many people who say Yii's RBAC permission system is hard to use have actually not read the documentation. From my experience, I feel that this RBAC framework is the best among the frameworks I have used, and it requires the least code of your own.
Yii's RBAC has more advanced usage, such as "business rules" and "default roles". You can refer to the official documentation.
I know that some people still don't understand RBAC, or can't use Yii's RBAC. That's fine; you can ask questions in the comment box below.
Happy Yii!
