Whether adding permission verification in service or action, the RBAC module can be separated. I completed this module last year, then, you only need to add this module to the project. If the actual project can use URL to control permissions, you do not need to write a row. Code . The RBAC module can fully implement fine-grained control.
(It can be a URL, and someone said it just now. the parameter after do does not exist. Of course, the parameter can be used, but the URL is cut into two parts, one part is the parameter. you can get it through getquerystring)
Resources are the final material we want. We can define a permission for each resource or a permission for a certain type of resources. The tree of the web project URL is especially easy to use to manage resources. A resource is a tree. If you have the permission to manage the tree root, you have all the permissions for this tree.
Permission is a type of protection for resources. to access a resource, you must have the access permission for resource.
In fact, we do not directly grant permissions to users, but to users through roles, because a user has a certain permission because the user plays a certain role.
A is a manager who manages Company B and has the permissions of B, C, and D. Is it true that a has this permission, but that Abo is the manager. Because the manager has B, C, and D Permissions
Therefore, in terms of permission division, we will grant permissions to a role rather than to individuals. The benefit is that
If the company changes the manager, you only need to hire another person as the manager, and the permission will not be taken away because the permission is in the personal hand.
Group concept(The group is also a tree, and the user is the leaf here)
Only roles are not enough. Company B finds that a has a financial problem and sets up a financial investigation team. Then we assign the role of the financial investigator to the group (note that this role is assigned to the Group ). in this way, all the staff of this group
All are qualified for financial investigations. You do not need to assign this role to everyone in the group (actually you already have it). The group concept is also applicable to the department, because any department plays a general role in the company or society.
A user must belong to a group and does not belong to a group. However, a user can directly assume (obtain) the role or obtain the role through the group.
Judging whether a user has the permission to access the resource depends on whether the user has the permission to access the resource. That is to say, grouping, division, and Division roles ultimately implement resource access control through permissions.