Access Control Filter
An access control filter is a preliminary authorization scheme that checks whether the current user may execute the requested controller action.
It makes its decision based on the user name, the client IP address and the access type.
Access control filters are suited to simple checks.
Where complex access control is required, use role-based access control (RBAC), which is explained later.
Override the CController::filters() method of the controller and add the accessControl filter so that it controls access to the controller's actions (see the Filter section for more on configuring filters).
class PostController extends CController
{
    // ...
    public function filters()
    {
        return array(
            'accessControl',
        );
    }
}
With the above, the access control filter is applied to every action in PostController.
The authorization rules the filter enforces are specified by overriding the controller's CController::accessRules() method.
class PostController extends CController
{
    // ...
    public function accessRules()
    {
        return array(
            array('deny',
                'actions' => array('create', 'edit'),
                'users' => array('?'),
            ),
            array('allow',
                'actions' => array('delete'),
                'roles' => array('admin'),
            ),
            array('deny',
                'actions' => array('delete'),
                'users' => array('*'),
            ),
        );
    }
}
There are three rules, each represented by an array.
The first element of each array is either 'allow' or 'deny'; the remaining elements are name-value pairs that form the rule's parameters.
The rules above read as follows:
the create and edit actions cannot be performed by anonymous users;
the delete action can be performed by users with the admin role;
the delete action cannot be performed by anyone else.
Access rules are evaluated one by one, in the order in which they are specified.
The first rule that matches the current context (user name, roles, client IP address, and so on) determines the authorization result.
If that rule is an allow rule, the action can be executed;
if it is a deny rule, it cannot be executed; and if no rule matches, the action can be executed.
To make sure an action is not executed without explicit permission, add a deny rule that matches everyone at the end, similar to the following:
return array(
    // ... other rules ...
    // the following rule matches everyone and denies the 'delete' action
    array('deny',
        'actions' => array('delete'),
    ),
);
This is necessary because an action that matches no rule is allowed by default.
Access rules are matched against the following context parameters:
actions: sets which actions this rule matches.
users: sets which users this rule matches.
Matching is done on the current user's name; three special characters can be used here:
*: any user, including anonymous and authenticated users.
?: anonymous users.
@: authenticated users.
roles: sets which roles this rule matches.
This uses the role-based access control feature described later.
Specifically, the rule applies if CWebUser::checkAccess() returns true for one of the listed roles. Tip: roles should mainly be used in allow rules, because by definition a role represents permission to do something.
ips: sets which client IP addresses this rule matches.
verbs: sets which request types (for example GET, POST) this rule matches.
expression: sets a PHP expression.
Its value indicates whether this rule applies. Within the expression, a variable named $user is available, which refers to Yii::app()->user.
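The first-match evaluation described above, as an added example that is not Yii's code: a stand-alone PHP re-implementation of the rule semantics (actions, users with `*`/`?`/`@`, roles, ips, verbs, expression) run over a constructed rule set and a handful of constructed requests. The function names, the sample users and the addresses are assumptions made for this illustration; Yii's own implementation lives in CAccessControlFilter and CAccessRule and differs in detail (it reads the user from Yii::app()->user, and the expression receives the CWebUser object rather than this context array). The last scenario shows the pitfall the text warns about: an action not covered by any rule is allowed.

```php
<?php
// Added example: simplified re-implementation of Yii-style access rule
// evaluation. Not Yii's CAccessControlFilter; names and data are assumptions.

/**
 * Evaluate an ordered list of rules for one request and return 'allow' or 'deny'.
 * $ctx keys: action, user (name, or null when anonymous), roles (array), ip, verb.
 * Rule keys mirror the parameters described above: actions, users, roles, ips,
 * verbs, expression (a callable receiving $ctx).
 */
function evaluateAccessRules(array $rules, array $ctx)
{
    foreach ($rules as $rule) {
        $verdict = strtolower(array_shift($rule)); // 'allow' or 'deny'
        if (ruleMatches($rule, $ctx)) {
            return $verdict;                       // first matching rule wins
        }
    }
    return 'allow'; // no rule matched: the action is allowed by default
}

function ruleMatches(array $rule, array $ctx)
{
    if (isset($rule['actions'])
        && !in_array(strtolower($ctx['action']), array_map('strtolower', $rule['actions']), true)) {
        return false;
    }
    if (isset($rule['users']) && !userMatches($rule['users'], $ctx['user'])) {
        return false;
    }
    if (isset($rule['roles']) && !array_intersect($rule['roles'], $ctx['roles'])) {
        return false;
    }
    if (isset($rule['ips']) && !ipMatches($rule['ips'], $ctx['ip'])) {
        return false;
    }
    if (isset($rule['verbs'])
        && !in_array(strtoupper($ctx['verb']), array_map('strtoupper', $rule['verbs']), true)) {
        return false;
    }
    if (isset($rule['expression']) && !call_user_func($rule['expression'], $ctx)) {
        return false;
    }
    return true; // every constraint the rule specifies is satisfied
}

function userMatches(array $patterns, $user)
{
    foreach ($patterns as $p) {
        if ($p === '*') return true;                                  // anyone
        if ($p === '?' && $user === null) return true;                // anonymous only
        if ($p === '@' && $user !== null) return true;                // authenticated only
        if ($user !== null && strcasecmp($p, $user) === 0) return true; // named user
    }
    return false;
}

function ipMatches(array $patterns, $ip)
{
    foreach ($patterns as $p) {
        if ($p === '*' || $p === $ip) return true;
        if (substr($p, -1) === '*') {                  // prefix pattern, e.g. 10.0.0.*
            $prefix = substr($p, 0, -1);
            if (strncmp($ip, $prefix, strlen($prefix)) === 0) return true;
        }
    }
    return false;
}

// Constructed rule set: the PostController rules from the text plus one rule
// combining ips, verbs and an expression.
$rules = array(
    array('deny',  'actions' => array('create', 'edit'), 'users' => array('?')),
    array('allow', 'actions' => array('delete'), 'roles' => array('admin')),
    array('allow', 'actions' => array('delete'), 'ips' => array('10.0.0.*'), 'verbs' => array('POST'),
          'expression' => function ($ctx) { return $ctx['user'] === 'ops'; }),
    array('deny',  'actions' => array('delete'), 'users' => array('*')),
);

// Constructed sample requests: action, user, roles, ip, verb
$scenarios = array(
    array('create', null,    array(),        '203.0.113.5', 'GET'),  // anonymous -> deny
    array('create', 'alice', array(),        '203.0.113.5', 'GET'),  // nothing matches -> allow by default
    array('delete', 'bob',   array('admin'), '203.0.113.5', 'POST'), // role rule -> allow
    array('delete', 'ops',   array(),        '10.0.0.7',    'POST'), // ip + verb + expression -> allow
    array('delete', 'ops',   array(),        '10.0.0.7',    'GET'),  // verb mismatch -> final deny rule
    array('view',   null,    array(),        '203.0.113.5', 'GET'),  // no rule at all -> allow (!)
);

foreach ($scenarios as $s) {
    list($action, $user, $roles, $ip, $verb) = $s;
    $ctx = compact('action', 'user', 'roles', 'ip', 'verb');
    printf("%-6s %-6s %-12s %-4s => %s\n", $action, $user === null ? '?' : $user, $ip, $verb,
        evaluateAccessRules($rules, $ctx));
}
```

Appending `array('deny', 'users' => array('*'))` as the last rule, as the text recommends, turns the final "view" scenario into a deny, so that every action a controller exposes needs an explicit allow rule.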
A concrete use of expression:
class AdminController extends CController
{
    // ...
    public function accessRules()
    {
        return array(
            array('allow', // allow everyone to execute 'login', 'error' and 'index'
                'actions' => array('login', 'error', 'index'),
                'users' => array('*'),
            ),
            array('allow', // allow the super administrator to execute all actions
                'actions' => array('create', 'update', 'delete'),
                'expression' => array($this, 'isSuperAdmin'),
            ),
            array('allow', // allow the ordinary administrator to execute 'update'
                'actions' => array('update'),
                'expression' => array($this, 'isNormalAdmin'), // calls the isNormalAdmin method of $this (AdminController)
            ),
            array('deny', // deny all other users
                'users' => array('*'),
            ),
        );
    }

    // Determine whether the current user is a super administrator
    protected function isSuperAdmin($user) // $user is Yii::app()->user, the logged-in user
    {
        return ($this->loadModel($user->id)->adminadminflag == 1);
    }

    // Determine whether the current user is an ordinary administrator
    protected function isNormalAdmin($user) // $user is Yii::app()->user, the logged-in user
    {
        return ($this->loadModel($user->id)->adminadminflag == 0);
    }

    public function loadModel($id)
    {
        $model = Admin::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'Page does not exist');
        }
        return $model;
    }
}
Note: $user refers to Yii::app()->user, the logged-in user.
Yii Study Day 23: accessRules usage