One field solves RBAC permissions: a dummies' version of RBAC.

Source: Internet
Author: User
The official permission system (the framework's built-in RBAC) is complex, and beginners are often left confused.
This is my dummies' version of it. Take from it what you find useful.
I read a lot of articles on the official RBAC. I understood it in the end, but it cost a lot of brain cells. It also needs database support, which makes it hard to integrate into your own system. Leaving aside whether it is good or bad, it is far from perfect where complexity is concerned.
So I worked out a dumb version. Let's just go through it. Brickbats welcome.
I won't describe the principle of a permission system in detail. In short, the key parts are:
1. User table: records each operator account.
   userid
   username
2. Role table (or user-group table): records the roles available in the system.
   roleid
   rolename
   funstr (the key field)
   The field funstr is the permission string. It must be varchar(2000) or larger: a large character field that stores the specific permissions of a role. How it is used is explained below.
3. User-role association table: links users to roles.
There are many variants built on this basis; I won't go into them. It is basically these three tables.
OK, here is the trick:
What about the permission table? The table that records the system's permissions is missing.
That is the key point of the dummies' edition.
Create a new class and name it fun (here it is AdmFunarrAction).
In it, create an array that holds all functions of all classes of all modules of the system.
It holds every action method of the system. The array looks like this:

class AdmFunarrAction extends Action
{
    ///////////////////////////////////////////////////////////////////////////
    // The array of all functions of the website
    //
    // Key: GROUP-class-function, used to locate the entry during the permission check.
    // Value: another array that describes the function:
    //
    // 1. id  -- character code of the permission point (a letter followed by two
    //           letters or digits). This is the basis of the permission check.
    // 2. pid -- code of the parent permission point, used to build the permission tree.
    // 3. n   -- name -- permission point name.
    // 4. t   -- tree -- whether to build a tree node and store the id in the permission string.
    //           1 -- build a tree node and store the id in the permission string.
    //           0 -- no tree node, nothing stored in the permission string; used only for
    //                the check. Several fun entries sharing one id are merged into that id,
    //                e.g. all the query methods merged into one id.
    // 5. l   -- login -- whether login is required, enforced in code for safety:
    //           0 -- no login required; 1 -- must be logged in.
    // 6. x   -- xx -- detailed description of the permission.
    // 7. p   -- pic -- tree icon of the permission point.
    ///////////////////////////////////////////////////////////////////////////

    // ----- All permissions of all backend modules
    public $admfunarr = array(
        // key | id | parent id | name | tree node | force login | details | icon
        'aaaa-0000-0000'              => array('id' => 'A',   'pid' => 'aaa', 'n' => 'total backend',                      't' => '1', 'l' => '0', 'x' => 'total backend root node',                                              'p' => 'icon-add'),
        'Admin-Main-Index'            => array('id' => 'a01', 'pid' => 'A',   'n' => 'backend login page',                 't' => '1', 'l' => '0', 'x' => 'login page of the organisation backend',                                'p' => 'icon-add'),
        'Admin-Main-main'             => array('id' => 'a02', 'pid' => 'A',   'n' => 'backend homepage',                   't' => '1', 'l' => '1', 'x' => 'organisation backend management homepage',                              'p' => 'icon-add'),
        'aaaa-0000-0001'              => array('id' => 'a03', 'pid' => 'a02', 'n' => 'basic settings',                     't' => '1', 'l' => '1', 'x' => 'basic settings menu',                                                   'p' => 'icon-add'),
        'Admin-Adminuser-Index'       => array('id' => 'a04', 'pid' => 'a03', 'n' => 'administrator maintenance',          't' => '1', 'l' => '1', 'x' => 'administrator maintenance, including add, delete, modify and query',     'p' => 'icon-add'),
        'Admin-Adminuser-getlist'     => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - administrator list',        't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-getone'      => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - single administrator query','t' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-addfun'      => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - administrator add',         't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-updatefun'   => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - administrator modify',      't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-delfun'      => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - administrator delete',      't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'aaaa-0000-0002'              => array('id' => 'a05', 'pid' => 'a02', 'n' => 'advanced settings',                  't' => '1', 'l' => '1', 'x' => 'advanced settings menu',                                                'p' => 'icon-add'),
        'Admin-Corp-Index'            => array('id' => 'a06', 'pid' => 'a05', 'n' => 'senior administrator maintenance',   't' => '1', 'l' => '1', 'x' => 'administrator maintenance, including add, delete, modify and query',     'p' => 'icon-add'),
        'Admin-Adminuser-getlist1'    => array('id' => 'a06', 'pid' => 'a06', 'n' => 'merged - administrator list',        't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-getone1'     => array('id' => 'a06', 'pid' => 'a06', 'n' => 'merged - single administrator query','t' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-addfun1'     => array('id' => 'a06', 'pid' => 'a06', 'n' => 'merged - administrator add',         't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-updatefun1'  => array('id' => 'a06', 'pid' => 'a06', 'n' => 'merged - administrator modify',      't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
        'Admin-Adminuser-delfun1'     => array('id' => 'a06', 'pid' => 'a06', 'n' => 'merged - administrator delete',      't' => '0', 'l' => '1', 'x' => 'total backend administrator management',                               'p' => 'icon-add'),
    );
}
This is a nested array: each item is itself an array.
The key of the outer array is GROUP-class-function. Don't tell me you don't know what those three mean.
The value under each key is an array describing the function for that key. It has these fields:
// 1. id -- character code of the permission point, such as a01 and a02
(It must start with a letter, followed by two letters or digits. It may be repeated.)
This is the crux. The code may be repeated where needed. The funstr field of the role table (see above) stores a comma-separated combination of these function codes,
representing all operations the role may perform. It is the basis of the permission check!

------ Because I use ztree for permission management, the following extra attributes only exist to build the JSON that ztree needs, so permissions can be assigned conveniently in the front end.
Apart from n (the function name), which is required, you can ignore them. There are some subtleties, though, so bear with me.
// 2. pid -- code of the parent permission point, used to build the permission tree (required by ztree; nothing more to say)

// 3. n -- name -- permission point name (nothing to say; name it after what your function does)

// 4. t -- tree -- whether to build a tree node and store the id in the permission string (this is the subtle one)
// Value 1 -- build a tree node and store the id in the permission string.
// Value 0 -- no tree node is built and nothing is stored in the permission string; the entry is only used for the check, and several fun entries sharing one id are merged. For example, a user's add, delete, modify and query are merged into one function-point id.
------ What does this mean???
As mentioned above, every function must have an entry in this array, but not every function
represents a function point. Sometimes permission control is coarse. For example, if you only need to control a single "user management" permission, anyone holding it may add, delete, modify and query users;
you don't need to hand out four separate operation permissions. In that case, merge the four into one virtual permission point. In the array above that is 'Admin-Adminuser-Index' (id a04):
the getlist, getone, add, update and delete methods each have their own entry below it, but all of them carry the same code a04. That is the duplicated-code case.
The check then treats them as one permission point, and that single point stands for the four concrete operations: add, delete, modify and query.
Wonderful... haha, shameless!


// 5. l -- login -- whether login is required, enforced in code as a safety net. Even if a permission is assigned by mistake, for example a permission meant for logged-in users is given to visitors,
it can still be blocked here. 0 -- login not required; 1 -- login required.
(Note that the _initialize() shown further down does not read this flag: it demands a session for every controller that inherits it, so the flag only has an effect where you check it.)

// 6. x -- xx -- detailed description of the permission (nothing to say)

// 7. p -- pic -- tree icon of the permission point (nothing more; ztree needs it)


--------------------------------- That is the permission array explained. If you are dizzy, come back to it later.


With an array of all the functions of your system in hand, do you still need a permission table to list them?
And maintaining such an array is much easier than maintaining a table of permission points.
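The two jobs the array has to support on the management side, building the ztree node list and turning the nodes an administrator ticks into a role's funstr, look like this. This is an added example and not code from the original post; the function names, the constructed sample array (a subset of $admfunarr in the same shape) and the use of ztree's simple-data field names (id, pId, name, checked, icon) are this example's own assumptions.

```php
<?php
// Added example, not from the original post. Function names are assumed.

// Constructed sample in the same shape as $admfunarr above (subset).
$sampleFunarr = array(
    'aaaa-0000-0000'          => array('id' => 'A',   'pid' => 'aaa', 'n' => 'total backend',             't' => '1', 'l' => '0', 'x' => 'root node',        'p' => 'icon-add'),
    'Admin-Main-main'         => array('id' => 'a02', 'pid' => 'A',   'n' => 'backend homepage',          't' => '1', 'l' => '1', 'x' => 'home',             'p' => 'icon-add'),
    'aaaa-0000-0001'          => array('id' => 'a03', 'pid' => 'a02', 'n' => 'basic settings',            't' => '1', 'l' => '1', 'x' => 'menu',             'p' => 'icon-add'),
    'Admin-Adminuser-Index'   => array('id' => 'a04', 'pid' => 'a03', 'n' => 'administrator maintenance', 't' => '1', 'l' => '1', 'x' => 'admin CRUD',       'p' => 'icon-add'),
    'Admin-Adminuser-getlist' => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - list',             't' => '0', 'l' => '1', 'x' => 'merged into a04',  'p' => 'icon-add'),
    'Admin-Adminuser-delfun'  => array('id' => 'a04', 'pid' => 'a04', 'n' => 'merged - delete',           't' => '0', 'l' => '1', 'x' => 'merged into a04',  'p' => 'icon-add'),
);

/**
 * ztree nodes: one per entry with t == '1'. Entries with t == '0' share the id of
 * their "virtual" permission point and are neither shown nor stored.
 * $checkedIds are the ids already in the role's funstr, so the tree opens pre-ticked.
 */
function funarrToZtreeNodes(array $funarr, array $checkedIds = array())
{
    $nodes = array();
    foreach ($funarr as $key => $fun) {
        if ($fun['t'] !== '1') {
            continue;
        }
        $nodes[] = array(
            'id'      => $fun['id'],
            'pId'     => $fun['pid'],
            'name'    => $fun['n'],
            'title'   => $fun['x'],
            'icon'    => $fun['p'],
            'checked' => in_array($fun['id'], $checkedIds, true),
        );
    }
    return $nodes;
}

/** Ids that may legitimately appear in a role's funstr: t == '1' entries only. */
function assignableIds(array $funarr)
{
    $ids = array();
    foreach ($funarr as $fun) {
        if ($fun['t'] === '1') {
            $ids[$fun['id']] = true;
        }
    }
    return $ids;
}

/**
 * Build the comma-separated funstr for the role table from the ids the front end
 * posts back. Ids not in the array (tampered or stale) are dropped, duplicates are
 * removed and the order is normalised, so two roles with equal rights get equal strings.
 */
function buildFunstr(array $funarr, array $postedIds)
{
    $allowed = assignableIds($funarr);
    $keep = array();
    foreach ($postedIds as $id) {
        $id = trim((string) $id);
        if (isset($allowed[$id])) {
            $keep[$id] = true;
        }
    }
    $ids = array_keys($keep);
    sort($ids);
    $funstr = implode(',', $ids);
    // The post sizes the column at varchar(2000); refuse rather than silently truncate.
    if (strlen($funstr) > 2000) {
        throw new RuntimeException('funstr exceeds the varchar(2000) column');
    }
    return $funstr;
}

// Usage:
$nodes = funarrToZtreeNodes($sampleFunarr, array('a02', 'a03'));
echo json_encode($nodes), "\n";   // four nodes; the two t=0 entries are absent
echo buildFunstr($sampleFunarr, array('a04', 'a02', 'a04', 'zzz', 'a03')), "\n";   // a02,a03,a04
```

Validating the posted ids against the array is the important part: the tick boxes are client-side, so whatever the browser sends back has to be filtered against the t=1 ids before it is written to the role table.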

The next step, the permission check, is the same old story: create a base class with an _initialize method, and have every other controller inherit from it.

/*
 * Base class shared by the backend modules
 */
class AdminCommonAction extends Action
{
    /*
     * Initialization:
     * - session check
     * - permission check
     */
    public function _initialize()
    {
        header('Content-Type: text/html; charset=UTF-8');

        // Not logged in: send to the login page.
        // Note: the 'l' flag of the permission array is not consulted here; every
        // controller that inherits this class requires a logged-in session.
        if (!session('?admuserid')) {
            redirect('/index.php/' . GROUP_NAME . '/Login/Index');
        }

        // Permission string of the logged-in user, put into the session at login time
        $funstr = '';
        if (session('?admuserfunstr')) {
            $funstr = session('admuserfunstr');
        }

        // 1. Get the permission array. Mine lives in a separate class; it could just
        //    as well sit in this one.
        $s = new AdmFunarrAction();
        $admfunarr = $s->admfunarr;

        // 2. Build the key from group, module (controller) and action, joined by '-'
        $key = GROUP_NAME . '-' . MODULE_NAME . '-' . ACTION_NAME;
        if (!array_key_exists($key, $admfunarr)) {
            // Unknown key: fail closed, never grant access to an unlisted method
            $this->deny('555 failed...! You may not have the permission. Please upgrade it...');
        }

        // 3. Get the id from the entry
        $id = $admfunarr[$key]['id'];

        // 4. Check whether the permission string contains the id.
        //    Compare whole comma-separated tokens. strpos() is wrong here: it returns 0
        //    for an id stored at the start of the string (which `!$pos` reads as "not
        //    found"), and it matches an id that is merely a substring of another code.
        $granted = in_array($id, array_map('trim', explode(',', $funstr)), true);
        if (!$granted) {
            $this->deny('555555 failed...! You may not have the permission. Please upgrade it...');
        }
    }

    // Reject the request: plain text for page requests, JSON for AJAX requests
    private function deny($message)
    {
        if (!IS_AJAX) {
            header('Content-Type: text/html; charset=UTF-8');
            echo $message . ' ------------------------- return';
        } else {
            echo json_encode(array('zt' => 0, 'xx' => $message));
        }
        exit();
    }
}
With the code in front of you there is little to say; just a few nagging points:
Get the key from group, module and action; ThinkPHP (tp) provides constants for all three. Look up the entry in the system function array by that key and take its id.
Then, if that id is not in the funstr string of the role table, the operation is not allowed.
Two things to keep in mind. An unknown key must be rejected, not passed through, otherwise any method you forget to list is open to every logged-in user. And because funstr is read from the session, a change to a role's permissions only takes effect at the user's next login unless you refresh the session value.
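The membership test itself is where this scheme is easiest to get wrong. Below, as an added example rather than code from the post, the post's strpos() test is put beside an exact-token test and run on constructed role strings; the function names and the sample strings are this example's own.

```php
<?php
// Added example, not from the original post. Function names and sample strings are assumed.

/** The post's approach: substring search, with its `if (!$pos)` negated into a boolean. */
function hasPermissionStrpos($funstr, $id)
{
    $pos = strpos($funstr, $id);
    return (bool) $pos;   // false when not found, but also false when found at offset 0
}

/** Exact token match: split on commas and compare whole ids with strict equality. */
function hasPermissionExact($funstr, $id)
{
    $tokens = array_map('trim', explode(',', (string) $funstr));
    return in_array((string) $id, $tokens, true);
}

// Constructed role string: a01 is the first token.
$funstr = 'a01,a02,a04';

// Case 1: first permission in the string. strpos() returns 0 and `!$pos` reads it as "not found".
var_dump(hasPermissionStrpos($funstr, 'a01'));   // bool(false)  <- wrongly denied
var_dump(hasPermissionExact($funstr, 'a01'));    // bool(true)

// Case 2: a permission in the middle of the string; both agree.
var_dump(hasPermissionStrpos($funstr, 'a04'));   // bool(true)
var_dump(hasPermissionExact($funstr, 'a04'));    // bool(true)

// Case 3: an id that is only a prefix of a stored code (codes of unequal length, or a
// short id typed by mistake). strpos() finds it inside 'a10' and grants it.
$funstr2 = 'b01,a10';
var_dump(hasPermissionStrpos($funstr2, 'a1'));   // bool(true)   <- wrongly granted
var_dump(hasPermissionExact($funstr2, 'a1'));    // bool(false)

// Case 4: a role with no permissions at all; both deny.
var_dump(hasPermissionStrpos('', 'a01'));        // bool(false)
var_dump(hasPermissionExact('', 'a01'));         // bool(false)
```

Case 1 is the one that bites in practice: whichever id happens to be stored first in a role's funstr is denied to that role. Case 3 only matters if codes are not all the same length, but the exact-token version costs nothing and removes the question.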

One piece is still missing: writing the id of each array key into the funstr of the role table. That is not hard to do; I will attach the source code when I have time.


Nothing to do this weekend, so I wrote up this quick note. A bit of filler, just a thought. Thank you!!!




