Three Concepts
What you need to know is that the authorization project can be divided into operations (action), Tasks (Task) and roles (role).
A user has one or more roles, for example, we have three roles: Bank president, Bank clerk, customer. We assume that:
* President Zhang has a role: Bank governors, bank clerks, customers (others can save money themselves).
* The King clerk has a role: bank clerk, customer.
* Xiao Li has a role: customer.
Then, the corresponding, as long as the customer can do things, Xiao Li can do, Wang staff and President Zhang can also. What the bank clerk can do, the King clerk and Mr. Zhang can do it, Xiao Li is not allowed.
For example, a "customer" can save money, then the "customer" role of Zhang, Wang staff, Xiao Li can save money. "Bank clerk" can print the customer's transaction records, then the "bank clerk" role of Zhang and Wang staff can be, and Xiao Li not, must find a "bank clerk" role of talent can print detailed transaction records. A "bank president" can enter the bank Qianku money, then only president Zhang can, because it has the role of "bank president".
This is the role-based authentication system, referred to as RBAC.
Inheritance of roles
Roles can be inherited, for example we stipulate the following:
* All "bank governors" are "bank clerks", that is, bank governors can do whatever the bank clerk can do.
* All "bank staff" are customers, ditto, customers can do things that the bank staff can do.
Then the role relationship becomes:
* President Zhang has a role: President of the Bank.
* king Clerk has a role: bank clerk.
* Xiao Li has a role: customer.
This is easier, and this is the inheritance of the character.
Inheritance of tasks
A task can contain another task, let us give an example, such as "Go to the bank".
We set the "customer" role to have "access to the bank" permission. In other words, the "customer" can perform the "Enter the bank" task. Next, we assume that the "entry counter" is the parent permission to enter the bank, that is, "entry counter" contains "enter the bank". Anyone who can "enter the counter" can "enter the bank". We have "access to the counter" this task to the "bank clerk".
So in the role of the king, the clerk can enter the bank because the king's role is "bank clerk" and "bank clerk" contains the "customer" role. Then "the customer" can carry on "the task" for "the bank clerk" also can carry on. The "Customer" can "enter the bank", then the King staff can also "enter the bank." This is the result of the inheritance of the character.
We assume that there is a Zhao leader, is a superior leader, can enter the counter to inspect. So, our task relationship is:
* Zhao Leadership has a task: enter the counter.
Then, Zhao leader can "enter the bank". Because "access to the bank" is a task included in the "Entry counter". "Enter the bank" can be executed as long as the person who can execute the "Access counter". This is the inheritance of the task.
About action
Action is a non-dividing level. Other words. And an action cannot contain other actions. Suppose we have an action called "withdraw money from a bank warehouse". We include this action as "entry counter". You can perform the "Enter the Counter" task as long as you can execute the "withdraw money from bank warehouse" role.
The three-person relationship
* One character can contain another or several characters.
* One character can contain another or several tasks.
* One character can contain another or several actions.
*
* One task can contain another or a few tasks.
* One task can contain another or a few actions.
*
* An action can only be included in a role or task, and action is not to contain others, nor can it be divided.
In this way, a rights management system is formed. You don't have to think about the literal meaning of "task" and "action". The two are two levels of permissions.
the right to empower
We set up RBAC rights Management, we need to do the Web management of permissions. This will require you to write your own code.
Call one of the following methods to define the authorization project based on different kinds of projects:
* Cauthmanager::createrole
* Cauthmanager::createtask
* Cauthmanager::createoperation
Once we have a set of authorization items, we can call the following methods to establish an authorization project relationship:
* Cauthmanager::additemchild
* Cauthmanager::removeitemchild
* Cauthitem::addchild
* Cauthitem::removechild
Finally, we call the following methods to assign a role project to individual users:
* Cauthmanager::assign
* Cauthmanager::revoke
Below we will show an example of establishing an authorization level with the API provided:
Copy CodeThe code is as follows:
$auth =yii::app ()->authmanager;
$auth->createoperation (' createpost ', ' Create a post ');
$auth->createoperation (' readpost ', ' read a post ');
$auth->createoperation (' updatepost ', ' update a post ');
$auth->createoperation (' deletepost ', ' delete a post ');
$bizRule = ' return Yii::app ()->user->id== $params ["Post"]->authid; ';
$task = $auth->createtask (' updateownpost ', ' update a post by author himself ', $bizRule);
$task->addchild (' updatepost ');
$role = $auth->createrole (' reader ');
$role->addchild (' readpost ');
$role = $auth->createrole (' author ');
$role->addchild (' reader ');
$role->addchild (' createpost ');
$role->addchild (' updateownpost ');
$role = $auth->createrole (' editor ');
$role->addchild (' reader ');
$role->addchild (' updatepost ');
$role = $auth->createrole (' admin ');
$role->addchild (' editor ');
$role->addchild (' author ');
$role->addchild (' deletepost ');
$auth->assign (' Reader ', ' Readera ');
$auth->assign (' author ', ' Authorb ');
$auth->assign (' editor ', ' Editorc ');
$auth->assign (' admin ', ' admind ');
In other words, you need to write a management interface to list your characters, tasks, actions, and then manage them on this interface. such as additions, deletions, and modifications.
Permission check
Assuming that you are empowered in your admin interface, you can check the permissions in the program:
Copy the Code code as follows:
if (Yii::app ()->user->checkaccess (' Createpost '))
{
Here you can display the form and other actions
} else {
Check for non-pass can jump or display a warning
}
The code above checks to see if the user can perform "Createpost", which createpost could be a task or an action.
Other of
For many people who say that Yii permissions system RBAC is not good to use the person actually did not read the document. To integrate my experience, I feel that the Yii framework RBAC is the best use of the framework I have used. And you need to write the least code yourself.
Yii RBAC has more advanced usage, such as "Business Rules", "Default roles". You can refer to the official documentation.
I know that some people will still not understand RBAC, or will not use Yii RBAC. No matter, you can ask in the comment box below.
Happy Yii!
http://www.bkjia.com/PHPjc/327750.html www.bkjia.com true http://www.bkjia.com/PHPjc/327750.html techarticle write in front * My feed address has been modified to: http://feeds.imdong.net, please update your reader. * The following content is suitable for Yii 1.0.x, other versions may be slightly different. * Root ...
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
