A brief analysis of the complete guide to using RBAC in Yii (user role permission control)

Preface
* My feed address has changed to http://feeds.imdong.net; please update your reader.
* The following content applies to Yii 1.0.x; other versions may differ slightly.
* Based on your comments and feedback, this article will be revised and supplemented continually to help new learners.

Getting started
Yii provides a powerful configuration mechanism and many ready-made class libraries. Using RBAC in Yii is simple, and you do not need to write any RBAC code yourself. So the preparation is just this: open your editor and follow along.
Setting parameters and creating the database tables
In the configuration array, add the following:
The code is as follows:
    'components' => array(
        'authManager' => array(
            'class' => 'CDbAuthManager', // authorization manager class name
            'defaultRoles' => array('guest'), // default roles
            'itemTable' => 'pre_auth_item', // authorization item table name
            'itemChildTable' => 'pre_auth_item_child', // authorization item parent-child relationship table
            'assignmentTable' => 'pre_auth_assignment', // authorization item assignment table
        ),
    ),

So how are these three tables created? Very simply: look at framework/web/auth/schema.sql. Note that the table names must match your custom names. For example, AuthItem in the SQL file has to be changed to pre_auth_item. Then run the statements from the SQL file in your database.

Understanding the concepts
You might ask: where is the rest of the code? The answer is that there is none. This is all it takes to set up the RBAC system. To use it, though, you need to understand how it works. I will try to explain in some detail. (The official RBAC documentation is here, but I had to read it 4-5 times before I understood it.)

Three concepts
What you need to know is that authorization items are divided into operations, tasks and roles.
A user has one or more roles. For example, we have three roles: bank president, bank clerk and customer. We assume that:
* President Zhang has the roles: bank president, bank clerk, customer (a president can deposit money too).
* Clerk Wang has the roles: bank clerk, customer.
* Xiao Li has the role: customer.

Accordingly, whatever a customer can do, Xiao Li can do, and so can Clerk Wang and President Zhang. Whatever a bank clerk can do, Clerk Wang and President Zhang can do, but Xiao Li cannot.

For example, a "customer" can deposit money, so President Zhang, Clerk Wang and Xiao Li, who all have the "customer" role, can deposit money. A "bank clerk" can print a customer's transaction records, so President Zhang and Clerk Wang, who have the "bank clerk" role, can do so, while Xiao Li cannot; he has to find someone with the "bank clerk" role to print detailed transaction records. A "bank president" can enter the bank vault to withdraw money, so only President Zhang can, because only he has the "bank president" role.
This is a role-based access control system, RBAC for short.

Inheritance of roles
Roles can be inherited. For example, we stipulate the following:
* All "bank presidents" are "bank clerks"; that is, a bank president can do whatever a bank clerk can do.
* All "bank clerks" are "customers"; likewise, a bank clerk can do whatever a customer can do.
Then the role assignments become:
* President Zhang has the role: bank president.
* Clerk Wang has the role: bank clerk.
* Xiao Li has the role: customer.
This is simpler, and it is what role inheritance means.

Inheritance of tasks
A task can contain another task. Let us take an example, such as "enter the bank".
We give the "customer" role the "enter the bank" permission. In other words, a "customer" can perform the "enter the bank" task. Next, we assume that "enter the counter" is the parent permission of "enter the bank"; that is, "enter the counter" contains "enter the bank". Anyone who can "enter the counter" can "enter the bank". We assign the "enter the counter" task to the "bank clerk" role.

Looking at roles first: Clerk Wang can enter the bank because his role is "bank clerk", and "bank clerk" contains the "customer" role. Whatever tasks a "customer" can perform, a "bank clerk" can perform too. A "customer" can "enter the bank", so Clerk Wang can also "enter the bank". This is the result of role inheritance.

Now assume there is a Leader Zhao, a superior who may enter the counter to carry out inspections. Our task assignment is then:
* Leader Zhao has the task: enter the counter.
Leader Zhao can therefore "enter the bank", because "enter the bank" is a task contained in "enter the counter". Anyone who can perform "enter the counter" can perform "enter the bank". This is task inheritance.

About operations
An operation is the indivisible level. In other words, an operation cannot contain other operations. Suppose we have an operation called "withdraw money from the bank vault", and we include it in the "enter the counter" task. Then any role that can perform the "enter the counter" task can perform the "withdraw money from the bank vault" operation.

The relationship among the three
* A role can contain one or more other roles.
* A role can contain one or more tasks.
* A role can contain one or more operations.
* A task can contain one or more other tasks.
* A task can contain one or more operations.
* An operation can only be contained in a role or a task; an operation cannot contain anything else and cannot be divided.
In this way, a permission management system is formed. You do not have to dwell on the literal meaning of "task" and "operation". They are simply two levels of permissions.

Granting permissions
Once RBAC permission management is set up, we need a web interface for managing permissions. You will have to write that code yourself.
Depending on the kind of item, call one of the following methods to define an authorization item:
* CAuthManager::createRole
* CAuthManager::createTask
* CAuthManager::createOperation
Once we have a set of authorization items, we can call the following methods to establish relationships between them:
* CAuthManager::addItemChild
* CAuthManager::removeItemChild
* CAuthItem::addChild
* CAuthItem::removeChild
Finally, we call the following methods to assign role items to individual users:
* CAuthManager::assign
* CAuthManager::revoke
Below is an example of building an authorization hierarchy with the API provided:
The code is as follows:
    $auth = Yii::app()->authManager;

    // Operations: the indivisible permissions
    $auth->createOperation('createPost', 'create a post');
    $auth->createOperation('readPost', 'read a post');
    $auth->createOperation('updatePost', 'update a post');
    $auth->createOperation('deletePost', 'delete a post');

    // Task with a business rule: the current user must be the post's author
    $bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
    $task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
    $task->addChild('updatePost');

    // Roles, each built from operations, tasks and other roles
    $role = $auth->createRole('reader');
    $role->addChild('readPost');

    $role = $auth->createRole('author');
    $role->addChild('reader');
    $role->addChild('createPost');
    $role->addChild('updateOwnPost');

    $role = $auth->createRole('editor');
    $role->addChild('reader');
    $role->addChild('updatePost');

    $role = $auth->createRole('admin');
    $role->addChild('editor');
    $role->addChild('author');
    $role->addChild('deletePost');

    // Assign roles to user IDs
    $auth->assign('reader', 'readerA');
    $auth->assign('author', 'authorB');
    $auth->assign('editor', 'editorC');
    $auth->assign('admin', 'adminD');

In other words, you need to write a management interface that lists your roles, tasks and operations, and then manage them there: adding, deleting and modifying them.

Permission check
Assuming you have granted permissions in your admin interface, you can check them in your program:
The code is as follows:
    if (Yii::app()->user->checkAccess('createPost')) {
        // Here you can display the form and perform other actions
    } else {
        // If the check fails, you can redirect or display a warning
    }

The code above checks whether the user can perform "createPost"; createPost may be a task or an operation.
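The role, task and operation inheritance described earlier and the permission check above can be seen together in a small stand-alone model. This is an added example, not code from the original article or from Yii: the MiniAuth class is hypothetical, closures replace Yii's string business rules, and the sample posts are constructed.

```php
<?php
// Stand-alone model of the upward walk behind checkAccess(); not Yii source.
// Assumption: closures stand in for Yii's string business rules.
class MiniAuth
{
    private $parents = array();   // child item => parent items
    private $rules = array();     // item => callable($userId, $params)
    private $assigned = array();  // user id => items assigned directly

    public function addChild($parent, $child) { $this->parents[$child][] = $parent; }
    public function setRule($item, $rule) { $this->rules[$item] = $rule; }
    public function assign($item, $userId) { $this->assigned[$userId][] = $item; }

    public function checkAccess($item, $userId, $params = array())
    {
        // A failing business rule closes this branch of the hierarchy.
        if (isset($this->rules[$item]) && !call_user_func($this->rules[$item], $userId, $params)) {
            return false;
        }
        if (isset($this->assigned[$userId]) && in_array($item, $this->assigned[$userId], true)) {
            return true;
        }
        $parents = isset($this->parents[$item]) ? $this->parents[$item] : array();
        foreach ($parents as $parent) {
            if ($this->checkAccess($parent, $userId, $params)) {
                return true;
            }
        }
        return false;
    }
}

// Part of the article's hierarchy: only the items that lead to updatePost.
$auth = new MiniAuth();
$auth->setRule('updateOwnPost', function ($userId, $params) {
    return isset($params['post']) && $params['post']->authID === $userId;
});
$auth->addChild('updateOwnPost', 'updatePost');
$auth->addChild('author', 'updateOwnPost');
$auth->addChild('editor', 'updatePost');
$auth->assign('author', 'authorB');
$auth->assign('editor', 'editorC');
// Constructed sample posts: one owned by authorB, one by somebody else.
$own = (object) array('authID' => 'authorB');
$other = (object) array('authID' => 'readerA');
$cases = array(array('authorB', $own), array('authorB', $other), array('authorB', null), array('editorC', $other));
foreach ($cases as list($user, $post)) {
    $ok = $auth->checkAccess('updatePost', $user, $post ? array('post' => $post) : array());
    echo $user, ' / ', $post ? $post->authID : 'no post', ': ', $ok ? 'allowed' : 'denied', "\n";
}
```

The author reaches updatePost only through updateOwnPost, so the result depends on the post passed in, while the editor reaches it directly. A check that can pass through a business rule has to be given the parameters that rule reads.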

Other notes
Many people who say Yii's RBAC permission system is hard to use have not actually read the documentation. In my experience, Yii's RBAC is the easiest to use of the frameworks I have worked with, and it requires you to write the least code yourself.
Yii RBAC has more advanced usage as well, such as "business rules" and "default roles". You can refer to the official documentation.
I know that some people will still not understand RBAC, or will not be able to use Yii RBAC. No matter: you can ask in the comment box below.
Happy Yii!
