First, what is RBAC
Role-based access control (RBAC) has attracted wide attention as a promising alternative to the traditional access control models (discretionary access control and mandatory access control).
In RBAC, permissions are associated with roles, and users obtain a role's permissions by becoming members of that role. This greatly simplifies the management of permissions.
Within an organization, roles are created to carry out the various jobs, users are assigned roles based on their responsibilities and qualifications, and a user can easily be reassigned from one role to another. Roles can be given new permissions as requirements change and systems are consolidated, and permissions can be revoked from a role as needed. Relationships between roles can also be set up to cover a wider range of real-world situations.
Second, RBAC in ThinkPHP
Let's look at the data tables used by the official example. Permission control is implemented through 5 tables, defined as follows:
think_user (user table)
think_role (user group table)
think_node (operation nodes)
think_role_user (maps users to user groups)
think_access (maps individual operations to user groups)
User table
Role table: which roles are associated with the corresponding user ID.
The role ID is associated with the ID from the user table, which is how roles are assigned to users. For example, the role of user ID 3 is 2, and 7 represents the role of the employee according to the role table.
Access table (permissions table): for example, role ID 2, which is the employee's permissions, is mapped to the corresponding nodes.
Node table: this represents the application-module-method hierarchy and defines the relationships between nodes. For example, node ID 30 is the public module, and node IDs 31, 32, 33 and 34, the methods add, insert, edit and update, belong to public. Node ID 85 is the test method, which belongs under node ID 84, the game module.
Third, the config configuration file in detail
Let's take a look at the config file in the ThinkPHP official example:
array(
    'APP_AUTOLOAD_PATH'   => '@.TagLib',
    'SESSION_AUTO_START'  => true,
    'USER_AUTH_ON'        => true,
    'USER_AUTH_TYPE'      => 1,                 // default authentication type: 1 = login authentication, 2 = real-time authentication
    'USER_AUTH_KEY'       => 'authId',          // user authentication session key
    'ADMIN_AUTH_KEY'      => 'Administrator',
    'USER_AUTH_MODEL'     => 'USER',            // default model of the table used for validation
    'AUTH_PWD_ENCODER'    => 'md5',             // user authentication password encryption method
    'USER_AUTH_GATEWAY'   => '/public/login',   // default authentication gateway
    'NOT_AUTH_MODULE'     => 'public',          // modules that need no authentication by default
    'REQUIRE_AUTH_MODULE' => '',                // modules that require authentication by default
    'NOT_AUTH_ACTION'     => '',                // operations that need no authentication by default
    'REQUIRE_AUTH_ACTION' => '',                // operations that require authentication by default
    'GUEST_AUTH_ON'       => false,             // whether to enable authorized access for visitors
    'GUEST_AUTH_ID'       => 0,                 // the visitor's user ID
    'DB_LIKE_FIELDS'      => 'title|remark',
    'RBAC_ROLE_TABLE'     => 'think_role',
    'RBAC_USER_TABLE'     => 'think_role_user',
    'RBAC_ACCESS_TABLE'   => 'think_access',
    'RBAC_NODE_TABLE'     => 'think_node',
    'SHOW_PAGE_TRACE'     => 1                  // display debug information
);
After reading the comments, most of this should be clear. The public module needs no authentication, and the reason is simple: before logging in, everyone is a visitor, and if the login page itself required permission, where would anyone log in? The default gateway address is where a user is redirected when authentication fails or permission is missing, so that they can log in again. ADMIN_AUTH_KEY represents super administrator permissions: if you create a user named admin in the user table, that user is the super administrator and has every permission without being assigned any. Why set up a super administrator? Because a mistake when assigning permissions can easily leave the system in confusion so that nobody can access anything, and that is when the super administrator comes in.
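The 'AUTH_PWD_ENCODER' => 'md5' setting above deserves a caveat: a plain MD5 digest is fast to brute-force and has no salt. The following is an added example, not code from the ThinkPHP example; it assumes the stored password is a 32-character MD5 hex digest and shows how a login check can accept such legacy values while replacing them with password_hash() output. The function name verifyAndUpgrade and the sample password are hypothetical.

```php
<?php
// Added example: verify a password against either a legacy MD5 hex digest
// (assumed to be what the md5 encoder setting stores) or a password_hash()
// value, and return a replacement hash when the stored one should be upgraded.
function verifyAndUpgrade(string $password, string $stored): array
{
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    if ($isLegacyMd5) {
        // Constant-time comparison of the stored digest with the candidate.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return ['ok' => false, 'newHash' => null];
    }
    // Upgrade legacy digests, and modern hashes whose parameters are outdated.
    $upgrade = $isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT);
    $newHash = $upgrade ? password_hash($password, PASSWORD_DEFAULT) : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample: a legacy row, then the same user after the upgrade.
$legacy = md5('correct horse battery');
$first  = verifyAndUpgrade('correct horse battery', $legacy);
$second = verifyAndUpgrade('correct horse battery', $first['newHash']);
$wrong  = verifyAndUpgrade('guess', $first['newHash']);

var_dump($first['ok'], $first['newHash'] !== null);
var_dump($second['ok'], $second['newHash']);
var_dump($wrong['ok']);
```

The caller is expected to write newHash back to the user row when it is not null, so each account is migrated at its next successful login.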
Fourth, several important methods of the RBAC class
authenticate($map, $model = ''): takes the query condition for the user and the model of the user table, and returns an array containing the user's information.
saveAccessList($authId = null): takes the ID of the user. This method does not return a value; it only sets $_SESSION['_ACCESS_LIST'], which contains all the nodes that the user groups of that user have permission to operate on, in the form $_SESSION['_ACCESS_LIST']['project name']['module name']['operation name']. Later permission checks look for the current project, module and operation in $_SESSION['_ACCESS_LIST'].
checkAccess(): checks whether the current module and operation require authentication, and returns a bool.
checkLogin(): checks the login state.
AccessDecision($appName = APP_NAME): checks whether the current project, module and operation are in the $_SESSION['_ACCESS_LIST'] array, that is, whether $_SESSION['_ACCESS_LIST']['current project']['current module']['current operation'] exists. If it exists, the user has permission; otherwise it returns false.
getAccessList($authId): returns the value of the permission list $_SESSION['_ACCESS_LIST'] by querying the database.
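The table relationships and the access-list lookup described above, as an added example that is not ThinkPHP's own code: it builds the nested project/module/operation list from in-memory rows and then makes a deny-by-default decision. The column names, the application node with ID 1, the rows granted to role 2 and the function names are assumptions; node IDs 30 to 34, 84 and 85 follow the node table description.

```php
<?php
// Constructed sample rows; column names (id, name, pid, level) are assumptions.
// think_node: level 1 = application, 2 = module, 3 = operation.
$nodes = [
    ['id' => 1,  'name' => 'app',    'pid' => 0,  'level' => 1],
    ['id' => 30, 'name' => 'public', 'pid' => 1,  'level' => 2],
    ['id' => 31, 'name' => 'add',    'pid' => 30, 'level' => 3],
    ['id' => 32, 'name' => 'insert', 'pid' => 30, 'level' => 3],
    ['id' => 33, 'name' => 'edit',   'pid' => 30, 'level' => 3],
    ['id' => 34, 'name' => 'update', 'pid' => 30, 'level' => 3],
    ['id' => 84, 'name' => 'game',   'pid' => 1,  'level' => 2],
    ['id' => 85, 'name' => 'test',   'pid' => 84, 'level' => 3],
];
$roleUser = [['user_id' => 3, 'role_id' => 2]];                    // think_role_user
$access   = [['role_id' => 2, 'node_id' => 1], ['role_id' => 2, 'node_id' => 84],
             ['role_id' => 2, 'node_id' => 85]];                   // think_access

// Build [APP][MODULE][OPERATION] => node id for one user.
function buildAccessList(int $userId, array $nodes, array $roleUser, array $access): array
{
    $roles = [];
    foreach ($roleUser as $ru) {
        if ($ru['user_id'] === $userId) { $roles[] = $ru['role_id']; }
    }
    $granted = [];
    foreach ($access as $a) {
        if (in_array($a['role_id'], $roles, true)) { $granted[$a['node_id']] = true; }
    }
    $byId = array_column($nodes, null, 'id');
    $list = [];
    foreach ($nodes as $op) {
        if ($op['level'] !== 3 || !isset($granted[$op['id']])) { continue; }
        $mod = $byId[$op['pid']] ?? null;
        $app = $mod ? ($byId[$mod['pid']] ?? null) : null;
        // An operation counts only if its module and application are granted too.
        if (!$mod || !$app || !isset($granted[$mod['id']], $granted[$app['id']])) { continue; }
        $list[strtoupper($app['name'])][strtoupper($mod['name'])][strtoupper($op['name'])] = $op['id'];
    }
    return $list;
}

// Deny by default: allow only when the exact triple is present in the list.
function accessDecision(array $list, string $app, string $module, string $op): bool
{
    return isset($list[strtoupper($app)][strtoupper($module)][strtoupper($op)]);
}

$list = buildAccessList(3, $nodes, $roleUser, $access);
var_dump(accessDecision($list, 'app', 'game', 'test'));
var_dump(accessDecision($list, 'app', 'public', 'add'));
```

With these rows user 3 is allowed game/test and refused public/add, because role 2 was granted nodes 1, 84 and 85 only; a user with no role rows gets an empty list and is refused everything.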
Reprint: http://www.cnblogs.com/tanteng/archive/2012/11/25/2787597.html
php_thinkphp RBAC (role-based permission control)