ThinkPHP Permissions Control

Source: Internet
Author: User

ThinkPHP 3.2 Auth Permissions

The Auth class in ThinkPHP is a permission control class. It works with three tables:

think_auth_rule: the authentication rules table.

think_auth_group: the authentication group table; all the categories (departments) in the site.

think_auth_group_access: records which department each user belongs to.


PS: I recently needed to build a user-permission verification feature. After looking around the official site and Baidu, I found that everyone uses Auth for this. The official site has many tutorials on using Auth, but none of them is comprehensive, and the few questions I asked about Auth went unanswered, so I had no choice but to study the code step by step. My fundamentals are not strong, as I came to programming midway, so I hope nobody laughs at my tutorial. This is purely a novice making do ...
Enough preamble; let's begin:

First of all, the ThinkPHP version I am using is the ThinkPHP 3.2.3 full version.
Auth means authentication.
The Auth class is not included in the core edition of ThinkPHP, only in the full version. Everyone should take note of this!
1: First open Auth.class.php
File location: ThinkPHP/Library/Think/Auth.class.php
2: With the Auth class file open, we need to create the 3 tables that Auth authentication requires. The class file already lists the table definitions, so just copy them, paste them into phpMyAdmin and run the SQL.
The tables used by Auth are as follows:

  -- ----------------------------
  -- think_auth_rule, rules table
  -- id: primary key; name: unique identifier of the rule; title: Chinese name of the rule; status: 1 normal, 0 disabled; condition: rule expression, empty means the rule is valid as soon as it exists, non-empty means it is validated against the condition
  -- ----------------------------
  DROP TABLE IF EXISTS `think_auth_rule`;
  CREATE TABLE `think_auth_rule` (
    `id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT,
    `name` char(80) NOT NULL DEFAULT '',
    `title` char(20) NOT NULL DEFAULT '',
    `type` tinyint(1) NOT NULL DEFAULT '1',
    `status` tinyint(1) NOT NULL DEFAULT '1',
    `condition` char(100) NOT NULL DEFAULT '', # additional rule condition; only a rule whose condition is satisfied counts as a valid rule
    PRIMARY KEY (`id`),
    UNIQUE KEY `name` (`name`)
  ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
  -- ----------------------------
  -- think_auth_group, user group table
  -- id: primary key; title: Chinese name of the user group; rules: IDs of the rules the group has, multiple rules separated by ","; status: 1 normal, 0 disabled
  -- ----------------------------
  DROP TABLE IF EXISTS `think_auth_group`;
  CREATE TABLE `think_auth_group` (
    `id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT,
    `title` char(100) NOT NULL DEFAULT '',
    `status` tinyint(1) NOT NULL DEFAULT '1',
    `rules` char(80) NOT NULL DEFAULT '',
    PRIMARY KEY (`id`)
  ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
  -- ----------------------------
  -- think_auth_group_access, user-to-group detail table
  -- uid: user ID; group_id: user group ID
  -- ----------------------------
  DROP TABLE IF EXISTS `think_auth_group_access`;
  CREATE TABLE `think_auth_group_access` (
    `uid` mediumint(8) unsigned NOT NULL,
    `group_id` mediumint(8) unsigned NOT NULL,
    UNIQUE KEY `uid_group_id` (`uid`,`group_id`),
    KEY `uid` (`uid`),
    KEY `group_id` (`group_id`)
  ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
PS: You can change the table prefix to whatever you want.
Another point: the names of these 3 tables can be changed as well, as long as the tables contain the fields Auth needs for authentication. If you rename the 3 tables, simply set the corresponding table names in the Auth configuration.

3: With the 3 tables created, let's first talk about what they do (my understanding is limited, so please go easy on me)
(My table prefix is tp_)
tp_auth_rule (rule means "rule"; together, the authentication rules table)
Field overview:
id: needs no explanation, I believe we all know it (table primary key, auto-increment, the rule's ID)
name: the authentication rule (a string holding the "module name/controller name/method name" or "custom rule" that you need to authenticate. It is best to fill it in as module name/controller/method, with multiple rules separated by commas. The rules are yours to customize as you see fit; you can also fill in Admin, * or Guanliyuan and so on! The field length is 80, so just do not exceed that)
title: rule description; not much to say
type: tinyint. If type is 1, the condition field can define a rule expression. For example, defining {score}>5 and {score}<100 means the rule passes only when the user's score is between 5 and 100. (Default is 1)
condition: when type is 1, the content of the condition field is used as a rule expression, together with the authentication rule, to authenticate the user
tp_auth_group (group means "group"; together, the authentication group table)
Field overview:
id: everybody knows this one (the authentication group's ID, table primary key, auto-increment)
title: authentication group name
status: whether the group is enabled; 0 is off, 1 is on (default is 1, on)
rules: rule IDs (the IDs of rules in tp_auth_rule, as shown below)
tp_auth_group_access (this table has two fields and is the intermediate table for rules and groups)
Field overview:
uid: member ID (the ID of the member that needs authentication)
group_id: authentication group ID (the ID of the authentication group goes here)
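
The condition field described above holds an expression such as {score}>5 and {score}<100 that is checked against the user's record. One way to evaluate that kind of expression without executing the stored string as PHP, as an added example that is not ThinkPHP's code or the author's. conditionPasses(), its small grammar and the sample user records are assumptions made for the illustration.

```php
<?php
// Added illustration, not ThinkPHP's code. conditionPasses() and the sample
// user rows are hypothetical. Grammar: "{field} <op> number" joined by "and".
function conditionPasses($condition, array $user)
{
    $condition = trim($condition);
    if ($condition === '') {
        return true; // empty condition: the rule counts as soon as it exists
    }
    $clause = '/^\{(\w+)\}\s*(>=|<=|==|!=|>|<)\s*(-?\d+(?:\.\d+)?)$/';
    foreach (preg_split('/\s+and\s+/i', $condition) as $part) {
        if (!preg_match($clause, trim($part), $m)) {
            return false; // outside the grammar: reject instead of executing
        }
        if (!isset($user[$m[1]]) || !is_numeric($user[$m[1]])) {
            return false; // missing or non-numeric field: fail closed
        }
        $left  = (float) $user[$m[1]];
        $right = (float) $m[3];
        switch ($m[2]) {
            case '>':  $ok = $left >  $right; break;
            case '<':  $ok = $left <  $right; break;
            case '>=': $ok = $left >= $right; break;
            case '<=': $ok = $left <= $right; break;
            case '==': $ok = $left == $right; break;
            default:   $ok = $left != $right; // only '!=' remains
        }
        if (!$ok) {
            return false;
        }
    }
    return true;
}

$condition = '{score}>5 and {score}<100'; // the expression from the field overview
var_dump(conditionPasses($condition, array('score' => 50)));  // inside the range
var_dump(conditionPasses($condition, array('score' => 100))); // on the upper bound
var_dump(conditionPasses($condition, array('name' => 'x')));  // no score field
var_dump(conditionPasses('{score}>5 and time()', array('score' => 50))); // function call, not in grammar
```

Only the first call passes; the boundary value, the record without a score and the expression containing a function call are all denied.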

PS: Here is how I understand the relationship between the 3 tables:
In fact, using Auth involves 4 tables (1. the member table, 2. the authentication rules table, 3. the authentication group table, 4. the authentication intermediate table). I am not good at explaining things, so put simply:

A. In tp_auth_rule, add one or more validation rules for the permissions you want to verify
For example:
(admin/article/add) permission to add an article
(admin/article/edit) permission to modify an article
(admin/article/delete) permission to delete an article
PS: These 3 rules can be combined into a single rule: (admin/article/add,admin/article/edit,admin/article/delete)!
One more thing: a rule is limited to 80 bytes, so do not exceed that. You can also write the rule as article (meaning the holder has all permissions for operating on articles)
It can also be written as (article-add-edit-delete), meaning the holder has permission to add, delete and modify articles
It can also be written as (article-add-edit), meaning the holder has permission to add and modify articles, but not to delete them
In short, you can define the rules here however you like; it is very flexible. This is awesome!
To help beginners understand, let me be a little wordy:
For example:
Home/list/php: has access to the front-end PHP column
Home/list/html: has access to the front-end HTML column
Home/list/php,home/list/html: has access to the front-end PHP and HTML columns
list-php-html: has access to the front-end PHP and HTML columns
In short, the rules are very flexible to customize; just use Auth verification wherever you need a check!

B. Add 2 user groups to the authentication group table (namely: Information Entry Department, Information Audit Department, Information XX Department)
status: leave it at the default; the default of 1 enables the authentication group
rules: the rule IDs, with multiple rules separated by commas. For example, I now have 4 rules:
ID 1: admin/article/add, permission to add an article
ID 2: admin/article/edit, permission to modify an article
ID 3: admin/article/delete, permission to delete an article
ID 4: article-add-edit-delete, permission to add, delete and modify articles
Analysis: the Information Entry Department needs permission to add, modify and delete articles; the Information Audit Department needs permission to modify and delete; the Information XX Department needs all permissions for operating on information
According to the analysis:
The rules the Information Entry Department needs are: 1,2,3
The rules the Information Audit Department needs are: 2,3
The rule the Information XX Department needs is: 4
OK, insert the data:
Information Entry Department: title: Information Entry Department, rules: 1,2,3 (after the insert, assume the ID is 1)
Information Audit Department: title: Information Audit Department, rules: 2,3 (after the insert, assume the ID is 2)
Information XX Department: title: Information XX Department, rules: 4 (after the insert, assume the ID is 3)
C. In the authentication intermediate table, enter the ID of each member that needs authentication together with the authentication group ID
PS: Suppose I now have a member table named tp_user
There are 4 members:
ID 1: Xiao Hong
ID 2: Xiao Ming
ID 3: Xiao Zhang
ID 4: Xiao Li

Assign permissions below:
Xiao Hong and Xiao Ming are in the Information Entry Department:
Then tp_auth_group_access is as follows:
uid 1, Xiao Hong, belongs to authentication group 1 (1 is the Information Entry Department in the authentication group table, with add, modify and delete permissions)
uid 2, Xiao Ming, is at the same level as Xiao Hong (same functions)
uid 3, Xiao Zhang, belongs to authentication group 2 (2 is the Information Audit Department in the authentication group table, with modify and delete permissions)
uid 4, Xiao Li, belongs to authentication group 3 (3 is the Information XX Department in the authentication group table, with permission to add, modify and delete information)
PS: Maybe I have explained this in a roundabout way, but that is roughly the idea! The rule table holds all the rules that require authentication, the group table holds the department groups, the permissions of a department are the rule IDs from the rule table, and the access table records which department a user belongs to! Does that make sense?

4: Now start authenticating:

PS: Here I want to correct one point. I am using the ThinkPHP 3.2.3 full version, and the Auth class contains this comment:
/**
 * Permission authentication class
 * Features:
 * 1. Authentication is by rule, not by node. The user can use a node as the rule name to implement node authentication.
 *      $auth=new Auth();  $auth->check('rule name','user id')
 * 2. Multiple rules can be authenticated at the same time, and the relationship between the rules can be set (or, or and)
 *      $auth=new Auth();  $auth->check('rule1,rule2','user id','and')
 *      When the third parameter is and, the user must have both rule 1 and rule 2. When the third parameter is or, the user only needs to have one of them. The default is or
 * 3. A user can belong to more than one user group (the think_auth_group_access table defines which user groups a user belongs to). We need to set which rules each user group has (the think_auth_group table defines user group permissions)
 *
 * 4. Rule expressions are supported.
 *      When a rule is defined in the think_auth_rule table with type 1, the condition field can define a rule expression. For example, defining {score}>5 and {score}<100 means the rule passes only when the user's score is between 5 and 100.
 */

The problem is this sentence:
2. Multiple rules can be authenticated at the same time, and the relationship between the rules can be set (or, or and)
$auth=new Auth(); $auth->check('rule1,rule2','user id','and');
Problem:
The check method in the Auth class takes 5 parameters in total:
public function check($name, $uid, $type=1, $mode='url', $relation='or')
So filling in and as the third parameter, as the official class comment does, seems to have no effect at all!
I don't know if that's really the case?
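
The lookup through the three tables from step 3 and the check() parameter order discussed above, as an added example: a simplified in-memory model, not ThinkPHP's own code or the author's. The arrays are constructed from the article's sample rows; authList() and this check() are hypothetical stand-ins that ignore $type, $mode and rule conditions.

```php
<?php
// Added illustration: an in-memory model of the lookup, NOT ThinkPHP's own code.
// Rows are constructed from the article's sample departments and members.
$rules  = array( // tp_auth_rule: id => array(name, status)
    1 => array('admin/article/add', 1),
    2 => array('admin/article/edit', 1),
    3 => array('admin/article/delete', 1),
    4 => array('article-add-edit-delete', 1),
);
$groups = array( // tp_auth_group: id => array(rules, status)
    1 => array('1,2,3', 1),
    2 => array('2,3', 1),
    3 => array('4', 1),
);
$access = array(array(1, 1), array(2, 1), array(3, 2), array(4, 3)); // uid, group_id

// uid -> groups -> rule ids -> rule names, skipping disabled groups and rules.
function authList($uid)
{
    global $rules, $groups, $access;
    $names = array();
    foreach ($access as $row) {
        $gid = $row[1];
        if ($row[0] != $uid || !isset($groups[$gid]) || $groups[$gid][1] != 1) {
            continue;
        }
        foreach (explode(',', $groups[$gid][0]) as $rid) {
            $rid = (int) trim($rid);
            if (isset($rules[$rid]) && $rules[$rid][1] == 1) {
                $names[strtolower($rules[$rid][0])] = true;
            }
        }
    }
    return array_keys($names);
}

// Same parameter order as the check() signature quoted above.
function check($name, $uid, $type = 1, $mode = 'url', $relation = 'or')
{
    $wanted = array_unique(array_map('strtolower', explode(',', $name)));
    $held   = array_intersect($wanted, authList($uid));
    return $relation === 'and' ? count($held) === count($wanted) : count($held) > 0;
}

$both = 'admin/article/add,admin/article/delete';
var_dump(check($both, 3, 'and'));           // 'and' lands in $type; $relation stays 'or'
var_dump(check($both, 3, 1, 'url', 'and')); // relation really is 'and'
var_dump(check($both, 1, 1, 'url', 'and')); // uid 1 holds add, edit and delete
```

For uid 3 (Xiao Zhang, modify and delete only) the first call is granted and the second denied, so in this model a check meant to require both permissions passes with just one when 'and' is given in the third position.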


PS: Before using Auth, set the following configuration items for it:
If you have not changed the names of the auth_rule, auth_group and auth_group_access tables, you only need to configure your member table. Add the following entry to your configuration:

  //Auth configuration
  'AUTH_CONFIG' => array(
      //user group table name
      //'AUTH_GROUP' => 'tp_group',
      //user-to-group relationship table
      //'AUTH_GROUP_ACCESS' => 'tp_group_access',
      //permission rules table
      //'AUTH_RULE' => 'tp_rule',
      //user information table
      'AUTH_USER' => 'tp_admin'
  ),

One more thing to add: the member ID must be the primary key of the member table!


I am now experimenting under Home/login/index:

First instantiate the Auth class

$auth = new \Think\Auth();

$auth->check('Home/index/index', '2');
