[PHP] Role-Based Access Control RBAC

Role-Based Access Control (RBAC) is a model in which users no longer hold permissions individually. Instead a user is associated with one or more roles, permissions are granted to the roles, and the user thereby has the permissions of those roles. A role can also be thought of as a user group.

Step 1: Where to put the permission check. Put it in the constructor of a shared (public) base controller so that every subclass is verified; the controller that holds login and registration does not need to inherit from it. Using the CI framework as an example: the controller containing login extends CI_Controller directly, while controllers containing the other methods extend MY_Controller, which performs the permission check.

Step 2: The custom RBAC class finally returns an assembled array of the following shape (module => controller => list of permitted methods):

    $access_list = array(
        'auth' => array(
            'index' => array(
                0 => 'index',
                1 => 'add',
            ),
            'user' => array(
                0 => 'index',
                1 => 'add',
                2 => 'delete',
            ),
        ),
    );

Step 3: Implement RBAC

1. The five required data tables are as follows:

User table

Role table (user group)

User-role association table (lets a single user hold multiple roles; otherwise you would have to store several role ids in the user table)

Permission table (node table: node id, node name, node pid, where pid is the parent node)

Role-permission association table

(An RBAC built on four tables is a single-role design: omit the user-role association table and store the role id directly in the user table, which saves some code.)

2. Get all node permissions from the user id:

1. Query the role id(s) by user id: function getRoleId() {}

2. Get all node ids through the user's role id(s): function getNodeId() {}

3. Get the node names for those node ids and assemble the array (which can also be saved to the session): function getNodes() {} and function getNodeName() {}

3. Permission verification:

Compare $_GET['c'] (the controller) and $_GET['m'] (the method) with $access_list['auth']: if the controller is a key of $access_list['auth'] (checked with array_key_exists()) and the method appears in that controller's list, the user has permission; otherwise the user does not. Two practical notes: compare against the controller and method the router actually dispatched (in CI, $this->router->fetch_class() and fetch_method()) rather than values the client can set independently of the route, and compare case-insensitively, because PHP resolves method names case-insensitively, so a request for Delete would reach delete() while failing a case-sensitive lookup.

Note: login and logout live outside the public controller and are not subject to permission control.

If the request comes in via Ajax it can be verified as well; a partial example follows:

    /**
     * ---------------------------------------------
     * Enable permission control (using the CI framework as an example)
     * @ Blackeye poet
     * ---------------------------------------------
     */
    protected function openCheck($id) // $id: the current user's id, supplied by the caller
    {
        $this->load->library('rbac'); // load the custom rbac class
        if (!$this->rbac->access_check($id)) { // access_check(): the permission check in the rbac class
            if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
                && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
                echo 'You do not have permission!'; // Ajax request: return a message
                exit;
            } else {
                redirect('admin/show_notice'); // normal request: redirect to the notice page
            }
        }
    }

You can also add further conditions to the code above, for example exempting the super administrator role from the check, so the permission system better fits your needs.
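To make the whole scheme concrete, here is an added, self-contained PHP example. It is not the original post's code: it creates the five tables from Step 3 in an in-memory SQLite database via PDO, implements the three lookups (getRoleId, getNodeId, getNodes) that assemble $access_list in the shape shown in Step 2, and performs the array_key_exists()/in_array() check from the verification section together with the super-administrator exemption just mentioned. The column names, the sample users, roles and nodes, and the use of role id 3 as the super administrator are assumptions made for the example; it needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not the original post's code): the post's five-table RBAC layout,
// the role -> node -> name lookups that assemble $access_list, and the final check.
// Runs stand-alone with PHP's pdo_sqlite extension; all names and rows are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. The five tables (column names assumed for the example).
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE user_role (user_id INTEGER, role_id INTEGER)');          // user <-> role
$db->exec('CREATE TABLE node (id INTEGER PRIMARY KEY, name TEXT, pid INTEGER)'); // permission tree
$db->exec('CREATE TABLE role_node (role_id INTEGER, node_id INTEGER)');          // role <-> permission

// Constructed sample data. Node tree: auth (module) -> index, user (controllers) -> methods.
$db->exec("INSERT INTO user VALUES (1,'alice'),(2,'bob'),(3,'root')");
$db->exec("INSERT INTO role VALUES (1,'editor'),(2,'admin'),(3,'superadmin')");
$db->exec("INSERT INTO user_role VALUES (1,1),(2,1),(2,2),(3,3)"); // bob holds two roles
$db->exec("INSERT INTO node VALUES (1,'auth',0),(2,'index',1),(3,'user',1),
           (4,'index',2),(5,'add',2),(6,'index',3),(7,'add',3),(8,'delete',3)");
$db->exec("INSERT INTO role_node VALUES (1,4),(1,5),(1,6),(2,7),(2,8)"); // editor: 4,5,6  admin: 7,8

const SUPER_ADMIN_ROLE_ID = 3; // assumed id of the unrestricted role

// 2.1 Role ids for a user (the association table allows several roles per user).
function getRoleId(PDO $db, $userId) {
    $st = $db->prepare('SELECT role_id FROM user_role WHERE user_id = ?');
    $st->execute([$userId]);
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// 2.2 Node ids granted to any of those roles.
function getNodeId(PDO $db, array $roleIds) {
    if (!$roleIds) { return []; }
    $marks = implode(',', array_fill(0, count($roleIds), '?'));
    $st = $db->prepare("SELECT DISTINCT node_id FROM role_node WHERE role_id IN ($marks)");
    $st->execute(array_values($roleIds));
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// 2.3 Resolve each leaf node to module/controller/method by walking pid up to the root
//     and assemble the $access_list shape from the post (in CI, cache it in the session).
function getNodes(PDO $db, array $nodeIds) {
    $byId = [];
    foreach ($db->query('SELECT id, name, pid FROM node') as $row) {
        $byId[(int)$row['id']] = $row;
    }
    $accessList = [];
    foreach ($nodeIds as $nid) {
        $path = [];
        for ($id = $nid; isset($byId[$id]); $id = (int)$byId[$id]['pid']) {
            array_unshift($path, $byId[$id]['name']);
        }
        if (count($path) === 3) { // only leaves: module / controller / method
            list($module, $controller, $method) = $path;
            $accessList[$module][$controller][] = $method;
        }
    }
    return $accessList;
}

// 3. The check. Pass the controller and method the router actually dispatched
//    (in CI: $this->router->fetch_class() / fetch_method()), not raw client input, and
//    compare case-insensitively: PHP resolves method names case-insensitively, so
//    /auth/user/Delete would otherwise reach delete() while failing the lookup.
function access_check(array $accessList, array $roleIds, $module, $controller, $method) {
    if (in_array(SUPER_ADMIN_ROLE_ID, $roleIds, true)) {
        return true; // the super administrator role is not restricted
    }
    $controller = strtolower($controller);
    $method = strtolower($method);
    if (!isset($accessList[$module]) || !array_key_exists($controller, $accessList[$module])) {
        return false;
    }
    $allowed = array_map('strtolower', $accessList[$module][$controller]);
    return in_array($method, $allowed, true);
}

// Usage: build the list once per login, then check each request against it.
foreach ([1, 2, 3] as $userId) {
    $roleIds = getRoleId($db, $userId);
    $accessList = getNodes($db, getNodeId($db, $roleIds));
    foreach ([['user', 'index'], ['user', 'Delete'], ['index', 'add']] as $cm) {
        printf("user %d  auth/%s/%s -> %s\n", $userId, $cm[0], $cm[1],
            access_check($accessList, $roleIds, 'auth', $cm[0], $cm[1]) ? 'allowed' : 'denied');
    }
}
```

The loop at the end exercises the three cases the post distinguishes: a user with a single role (alice), a user holding two roles whose permissions are merged through the user-role association table (bob), and the super administrator (root), whose role has no nodes at all and is allowed solely by the exemption. The mixed-case Delete request shows why the comparison is lowercased before the in_array() lookup.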

Link: http://www.cnblogs.com/farwish/p/3886805.html

@ Blackeye poet
