An in-depth analysis of ThinkPHP's RBAC (role-based access control)

Source: Internet
Author: User

First, what is RBAC
Role-based access control (RBAC) has attracted wide attention as a promising alternative to traditional access control (discretionary access control and mandatory access control).
In RBAC, permissions are associated with roles, and users obtain the permissions of a role by becoming members of it. This greatly simplifies permission administration.
In an organization, roles are created to accomplish various tasks. A user is assigned a role according to responsibilities and qualifications, and can easily be moved from one role to another. Roles can be given new permissions as new requirements and system consolidation demand, and permissions can be reclaimed from a role as needed. Relationships between roles can be established to cover a wider range of real-world situations.

Second, RBAC in ThinkPHP
First, look at the data tables used by the official example. Permission control is implemented with 5 tables, defined as follows:
think_user (user table)
think_role (user group table)
think_node (operation nodes)
think_role_user (maps users to user groups)
think_access (maps operations to user groups)


User table


Role table: which roles the corresponding user IDs are associated with

Role-user table: the role ID is associated with the ID from the user table, that is, roles are assigned to users. For example, the role of user ID 3 is 2; according to the role table, 7 represents the employee role

Access table (the permission table): for example, for role ID 2, that is, the employee's permissions, the corresponding nodes can be

Node table: it represents the application - module - module method hierarchy and defines the relationships between them. For example, node ID 30 is the Public module, and node IDs 31, 32, 33 and 34, the methods add, insert, edit and update, belong to Public. The test method, node ID 85, belongs to the Game module, node ID 84.

Third, the config file in detail
Let's take a look at the config file in the official ThinkPHP example:

<?php
return array(
    'APP_AUTOLOAD_PATH'   => '@.TagLib',
    'SESSION_AUTO_START'  => true,
    'USER_AUTH_ON'        => true,
    'USER_AUTH_TYPE'      => 1,               // default authentication type: 1 = login authentication, 2 = real-time authentication
    'USER_AUTH_KEY'       => 'authId',        // session key that marks an authenticated user
    'ADMIN_AUTH_KEY'      => 'administrator', // session key that marks the super administrator
    'USER_AUTH_MODEL'     => 'User',          // default model of the table used for validation
    'AUTH_PWD_ENCODER'    => 'md5',           // password encoding method for user authentication
    'USER_AUTH_GATEWAY'   => '/Public/login', // default authentication gateway
    'NOT_AUTH_MODULE'     => 'Public',        // modules that need no authentication by default
    'REQUIRE_AUTH_MODULE' => '',              // modules that require authentication by default
    'NOT_AUTH_ACTION'     => '',              // operations that need no authentication by default
    'REQUIRE_AUTH_ACTION' => '',              // operations that require authentication by default
    'GUEST_AUTH_ON'       => false,           // whether to enable authorized guest access
    'GUEST_AUTH_ID'       => 0,               // user ID of the guest
    'DB_LIKE_FIELDS'      => 'title|remark',
    'RBAC_ROLE_TABLE'     => 'think_role',
    'RBAC_USER_TABLE'     => 'think_role_user',
    'RBAC_ACCESS_TABLE'   => 'think_access',
    'RBAC_NODE_TABLE'     => 'think_node',
    'SHOW_PAGE_TRACE'     => 1                // display debugging information
);

Most of these settings are clear from the comments. The Public module needs no authentication for a simple reason: before logging in everyone is a guest, and if the login page itself required permission, there would be nowhere to log in. The default gateway address is where a user is redirected to log in again when authentication fails or permission is lacking. ADMIN_AUTH_KEY marks super administrator rights: if you create a user named admin in the user table, that user is a super administrator who needs no permission assignments and holds every permission. Why have an administrator at all? Because when permissions are assigned incorrectly and the system's authorization becomes so confused that nobody can access anything, the super administrator can step in. The example sets AUTH_PWD_ENCODER to MD5, which is a fast hash and too weak for storing passwords today; a deployment should use a dedicated password hash such as PHP's password_hash().

Fourth, several important methods of the RBAC class
authenticate($map, $model = '') takes the query condition for the user and the user table model, and returns an array containing the user's information.
saveAccessList($authId = null) takes the user ID. It returns no value and only sets $_SESSION['_ACCESS_LIST'], which contains all the nodes that the user's groups have the right to operate, in the form $_SESSION['_ACCESS_LIST']['project name']['module name']['operation name']. A later permission check tests whether the current project, module and operation can be found in $_SESSION['_ACCESS_LIST'].
checkAccess() detects whether the current module and operation need to be validated, and returns a bool.
checkLogin() detects login.
AccessDecision($appName = APP_NAME) detects whether the current project, module and operation are in the $_SESSION['_ACCESS_LIST'] array, that is, whether $_SESSION['_ACCESS_LIST']['current project']['current module']['current operation'] exists. If it exists, the user has permission; otherwise the method returns false.
getAccessList($authId) queries the database for the list of permissions and returns the value for $_SESSION['_ACCESS_LIST'].
