Understanding RBAC access control under ThinkPHP (notes)

Source: Internet
Author: User
Tags: auth

Process:
Three tables in total: permissions, roles and administrators. The role table is the link in the middle.

1. Complete the role table: implement additions and deletions, plus the function that assigns permissions to a role. Save the permission IDs and the controller-action pairs in the role table for convenient use later
2. Complete the permission table: implement add and delete, and assign the corresponding permissions
3. Complete the administrator list, assigning the corresponding roles

Principle:

Q: left.html displays a different list of categories depending on the identity of the administrator.
A: Fundamentally, it is decided by role_auth_ids in the role table: the SQL statement uses that field to query the corresponding data. "If the user is the super administrator, the check is bypassed so that everything is queried"


Q: How to prevent insiders from manually entering URLs to reach pages they have no permission for?
A: Fundamentally, it is the role_auth_ac field in the role table. All back-end controllers inherit from one general controller, and the right is judged dynamically in the general controller's constructor. "CONTROLLER_NAME and ACTION_NAME" are the key to recognising the current page dynamically.

Summary:

    The role table is the intermediate link between the three tables and the key to giving different administrators different rights.
    The critical queries and judgments in the rights-separation operations are led by the role table, with the other two tables assisting.
//----- Entering a URL manually: a page outside the granted permissions prompts "no permission". "AdminController.class.php / __construct() {}" -----

    // Access is refused only when all three conditions hold:
    // 1. the current controller-action is not in the publicly allowed list;
    // 2. the user is not the super administrator;
    // 3. the controller-action is not in the permission list of the administrator's role.
    // The key is the two constants CONTROLLER_NAME and ACTION_NAME, which
    // identify automatically which controller and method is being accessed.
    $now_ac = CONTROLLER_NAME . "-" . ACTION_NAME;
    $allow_ac = array('Index-left', 'Index-right', 'Index-head', 'Index-index', 'Manager-login', 'Index-modifypwd', 'Index-verifyimg');
    // $auth_ac holds the rows queried from the role table at this point
    $auth_ac = $auth_ac[0]['role_auth_ac']; // permission pages queried from the database
    // strpos() returns 0 for a match at the start of the string, so compare
    // with === false; note that strpos() is a substring match, not an exact one
    if (!in_array($now_ac, $allow_ac) && $_SESSION['mg_id'] != 1 && strpos($auth_ac, $now_ac) === false) {
        $this->error('No Access', U('right'));
    }
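
The role check in that constructor, as an added example (not the original author's code): it compares a substring test using `strpos` and a loose `==` comparison with an exact match on the comma-separated `role_auth_ac` entries. The function names and the requests in `$cases` are constructed for illustration; the role string is role 1 from the sample data further down.

```php
<?php
// Added example: why the role check should match whole entries.

// Substring search with a loose comparison: 0 (match at the start of the
// string) and false (no match) are treated the same.
function allowed_strpos_loose($now_ac, $role_auth_ac) {
    return !(strpos($role_auth_ac, $now_ac) == false);
}

// Exact match against each "controller-action" entry. PHP class and method
// names are case-insensitive, so both sides are lower-cased first.
function role_allows($now_ac, $role_auth_ac) {
    $entries = array_map('trim', explode(',', strtolower($role_auth_ac)));
    return in_array(strtolower($now_ac), $entries, true);
}

// Full decision: public page, or super administrator (mg_id 1), or role grant.
function can_access($now_ac, array $allow_ac, $mg_id, $role_auth_ac) {
    $public = array_map('strtolower', $allow_ac);
    if (in_array(strtolower($now_ac), $public, true)) return true;
    if ((int)$mg_id === 1) return true;
    return role_allows($now_ac, $role_auth_ac);
}

$allow_ac = array('Index-left', 'Index-right', 'Index-head', 'Index-index');
$manager  = 'goods-showlist,goods-add,goods-cate'; // role 1, sample data

// Constructed requests: controller-action => what the role should get.
$cases = array(
    'goods-showlist' => true,   // first entry: strpos() returns 0
    'goods-cate'     => true,
    'goods-a'        => false,  // only a prefix of goods-add
    'order-print'    => false,
);
foreach ($cases as $ac => $expected) {
    $loose = allowed_strpos_loose($ac, $manager);
    $exact = can_access($ac, $allow_ac, 2, $manager); // mg_id 2: not super admin
    printf("%-15s expected=%-5s loose-strpos=%-5s exact=%-5s\n", $ac,
        var_export($expected, true), var_export($loose, true), var_export($exact, true));
}
```

The loose substring test disagrees with the expected result on the first and third rows; the exact match agrees on all four.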
//------ Why the left list shows different navigation for different administrators. "Index.class.php / left() {}" ------

    // Query the navigation list.
    // @return three-dimensional array
    //   $arr['p_list'] contains a two-dimensional array of all top-level entries
    //   $arr['c_list'] contains a two-dimensional array of all level-two entries
    //   The two are combined into one three-dimensional array and returned.
    function get_list() {
        $mg = M('cms_manager');
        $role = M('cms_role');
        // role of the logged-in administrator
        $role_id = $mg->field("mg_role_id")->where("mg_id=$_SESSION[mg_id]")->find();
        // comma-separated permission IDs of that role
        $auth_ids = $role->field("role_auth_ids")->where("role_id=$role_id[mg_role_id]")->find();
        $sql = "select auth_id,auth_name from cms_auth where auth_level='0'";
        // the super administrator (mg_id 1) skips the filter and sees everything
        if ($_SESSION['mg_id'] != "1") $sql .= " and auth_id in ($auth_ids[role_auth_ids])";
        $p_list = $mg->query($sql);
        $sql = "select auth_id,auth_pid,auth_name,auth_a from cms_auth where auth_level='1'";
        if ($_SESSION['mg_id'] != "1") $sql .= " and auth_id in ($auth_ids[role_auth_ids])";
        $c_list = $mg->query($sql);
        $all_list = array("p_list" => $p_list, "c_list" => $c_list);
        // show($all_list); exit;  // debug dump, disabled so the list is returned
        return $all_list;
    }
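
What `get_list()` returns for a role, as an added example that is not the original author's code: the same filter applied to in-memory rows constructed from the sw_auth sample data below, with `role_auth_ids` validated as integers before it is placed in `IN (...)`. `parse_auth_ids` and `menu_for` are hypothetical helper names.

```php
<?php
// Added example. Rows constructed from the sw_auth sample data:
// auth_id, auth_name, auth_pid, auth_level.
$auth_rows = array(
    array(1, 'Commodity Management', 0, 0),
    array(2, 'Order Management', 0, 0),
    array(4, 'List of goods', 1, 1),
    array(5, 'Add goods', 1, 1),
    array(8, 'Orders list', 2, 1),
);

// Turn "1,4,5,6" into a list of integers; reject anything that is not a
// plain decimal ID so the value is safe to place inside "IN (...)".
// An empty string is rejected too, since "IN ()" is not valid SQL.
function parse_auth_ids($csv) {
    $ids = array();
    foreach (explode(',', $csv) as $part) {
        $part = trim($part);
        if (!ctype_digit($part)) {
            throw new InvalidArgumentException("bad auth id: '$part'");
        }
        $ids[] = (int)$part;
    }
    return $ids;
}

// Same filter as the two queries in get_list(), applied to the rows above:
// the super administrator (mg_id 1) sees everything, others only their IDs.
function menu_for(array $rows, $mg_id, $role_auth_ids) {
    $ids = ((int)$mg_id === 1) ? null : parse_auth_ids($role_auth_ids);
    $menu = array('p_list' => array(), 'c_list' => array());
    foreach ($rows as $r) {
        list($id, $name, $pid, $level) = $r;
        if ($ids !== null && !in_array($id, $ids, true)) continue;
        if ($level === 0) $menu['p_list'][] = array('auth_id' => $id, 'auth_name' => $name);
        if ($level === 1) $menu['c_list'][] = array('auth_id' => $id, 'auth_pid' => $pid, 'auth_name' => $name);
    }
    return $menu;
}

$ids = parse_auth_ids('1,4,5,6');
echo "auth_id IN (" . implode(',', $ids) . ")\n";
print_r(menu_for($auth_rows, 2, '1,4,5,6')); // manager role: Commodity menu only
print_r(menu_for($auth_rows, 1, ''));        // super administrator: all rows
```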
**One. RBAC rights management "wait until the project is roughly done, and do this last"**
    Role-Based Access Control

sw_auth // permission table

      'auth_id'     primary key
      'auth_name'   permission name
      'auth_pid'    parent ID. Value: the ID of the corresponding top-level permission;
                    if the record is itself a top-level permission, the value is 0
                    "makes the drop-down menu display convenient: a match tells you whose drop-down menu the entry belongs to"
      'auth_c'      controller, e.g. controller goods;
                    if it is a top-level permission, the value is empty
                    "the purpose is to prevent direct URL access from breaking through permissions: you can only access what the rules allow"
      'auth_a'      operation method (action), e.g. method showlist;
                    if it is a top-level permission, the value is empty
                    "to prevent direct URL access from breaking through permissions: you can only access what the rules allow"
      'auth_path'   full path, used for sorting
                    "the purpose is a well-sorted, readable list in rights management"
          ①: If it is a top-level permission, the full path equals this record's primary key value (auth_id)
          ②: If it is not a top-level permission, the full path equals "parent full path, hyphen, this record's primary key value" (auth_pid-auth_id)
      'auth_level'  level "used in the SQL to tell the drop-down menus apart: which is a level 1 menu, which is a level 2 menu"
            Basic: 0 top-level permission, 1 sub-top-level permission, 2 sub-sub-top-level permission
            Used to render the indentation relationship


        Simulated permission data:
            INSERT INTO sw_auth VALUES (1, 'Commodity Management', 0, '', '', '1', 0);
            INSERT INTO sw_auth VALUES (2, 'Order Management', 0, '', '', '2', 0);
            INSERT INTO sw_auth VALUES (3, 'Advertising management', 0, '', '', '3', 0);
            INSERT INTO sw_auth VALUES (4, 'List of goods', 1, 'goods', 'showlist', '1-4', 1);
            INSERT INTO sw_auth VALUES (5, 'Add goods', 1, 'goods', 'add', '1-5', 1);
            INSERT INTO sw_auth VALUES (6, 'Commodity classification', 1, 'goods', 'cate', '1-6', 1);
            INSERT INTO sw_auth VALUES (7, 'User reviews', 1, 'users', 'comment', '1-7', 1);
            INSERT INTO sw_auth VALUES (8, 'Orders list', 2, 'order', 'showlist', '2-8', 1);
            INSERT INTO sw_auth VALUES (9, 'Orders print', 2, 'order', 'print', '2-9', 1);
            INSERT INTO sw_auth VALUES (10, 'Add orders', 2, 'order', 'add', '2-10', 1);
            INSERT INTO sw_auth VALUES (11, 'Ad list', 3, 'advert', 'showlist', '3-11', 1);
            INSERT INTO sw_auth VALUES (12, 'Ad position', 3, 'advert', 'position', '3-12', 1);

sw_role // role table

        'role_id'         primary key
        'role_name'       role name
        'role_auth_ac'    "module-operation": the controller and method of each associated permission, joined together, e.g. "goods-showlist,goods-add,goods-cate"
                          "this is to stop insiders from entering a URL directly to reach more permissions"
        'role_auth_ids'   the permission IDs that correspond to the role, e.g. "1,4,5,6"
            The primary key values of the associated permissions, joined with commas (if a permission has a parent permission, the ID of the parent permission is associated as well)
            INSERT INTO sw_role VALUES (1, 'manager', "1,4,5,6", "goods-showlist,goods-add,goods-cate");
            INSERT INTO sw_role VALUES (2, 'Supervisor', "2,3,8,11", "order-showlist,advert-showlist");
**sw_admin // admin table**

        'mg_id'         primary key
        'mg_name'       admin account name
        'mg_pwd'        admin password
        'mg_time'       last logon time
        'mg_role_id'    foreign key, role ID

Two. Program development with the simulated data

    a) A user logs in to the system; the display depends on the specific role, with the permission buttons on the left
    b) The left side displays the corresponding permission information
        i. The user logs in to the system and the permission information is shown: $_SESSION['mg_id']
        ii. Obtain the role information ['role_id'] based on the $_SESSION['mg_id'] information
        iii. Obtain the permission list information ['auth_id,name'] based on the ['role_id'] information

Three. The super administrator admin is not subject to permission control

    a) In the Index/left method, if the user is admin, display all permissions

        if ($_SESSION['mg_id'] != 1) {
            $sql .= " and auth_id in ($auth_ids)";
        }

Four. Prevent insiders from entering a URL to reach more permissions: add a check

    1. The controller and method that the user accesses must be compared with the "ac information" in the corresponding row of the role table
    2. If 'role_auth_ac' contains the requested page, access is granted

    Because every page in the back end has to be verified, write a parent class, put all the public methods in it, and have all the back-end controllers inherit from it: Component\AdminController.class.php

    Note:
    1. Some public methods are not subject to the permission limit
    2. The system administrator has no permission limit
    3. Access is allowed only to what the role permits "take a good look at how the if judgment is written, and understand it"

Maintain three parts of data: roles, permissions,

    1. Role: Admin/role/showlist. Displays the role list information and assigns permissions to the role; when setting them, the existing permissions are displayed
    2. Permission maintenance
