Practical PHP member permission control: implementation principle analysis
My general permission system is designed so that permissions can be changed without modifying code. It comes from the chinaunix forum.
The code is as follows:
<?php
/*
 * Access table control
 * ACL value   Function
 *    1   login required
 *    2   self-modification
 *    4   group permission set
 *    8   identity (role) access set
 *   16   access prohibited
 *   32   accessible dates
 *   64   accessible days of the week
 *  128   accessible time
 *  256   password required for access
 *  512   super management
 */
class aclACL extends acl {
    public $routername = "acl";
    public $aclid = '2'; // permission resource ID; if a logged-in user does not have this permission, the value (below) is 0 and access is denied
    public $roledisable = array(9); // disabled identities (roles)
    public $pwd = 123456; // access password, see ACL->noPwd()
    public $date = array('begin' => 0, 'end' => 0); // allowed date range
    public $hours = array('begin' => 0, 'end' => 0); // allowed hour range within a day
    public $weeks = array('begin' => 0, 'end' => 0); // allowed days of the week, Monday to Sunday
    public $aclgroup = array("create" => "4,45,8"); // group set for create
    public $aclrole = array("all" => "6", "create" => ",78"); // role sets per method; with "all" => "6", access is limited to the role with ID 6
    public $acl = array("all" => 0,
        "index" => 4, // 4: check the group set
        "delete" => 1, // delete only after login; it can of course be set to 2 or 4
        "update" => 1, // update submissions require login, which also prevents invalid content and posts; edit cannot access the page that displays the edit content
        "createForm" => 1, // cannot submit to the database without login
        "edit" => 0, // the edit box is displayed only after login
        "show" => 0, // can be displayed without login
        "create" => 1); // creating requires login; a group can also be set for create
}
?>
The module this file authenticates is acl.
When a user accesses the acl module and authentication is enabled, this class is called.
The class then performs authentication based on the $acl value for "all" or for the method being accessed, such as index.
Put this file in the router/acl directory. The framework then performs authentication automatically, and a user who lacks the corresponding authorization cannot access the restricted methods.
For example, if the permission of the curd create method is 17, then according to the explanation above the user must log in and be authorized by group, that is, belong to one of the three groups 4, 45 and 8 listed for create in the $aclgroup array.
If the member is not logged in, the system prompts for login. If the member is logged in but not in one of the groups, the system reports that the member is not authorized to access the method.
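How a mask from $acl could be evaluated, as an added sketch that is not QueryPHP's own code: it assumes the values in the table combine as bit flags and implements only flags 1, 4 and 8, refusing any other flag. The names aclIds(), aclCheck() and the $user array layout are hypothetical.

```php
<?php
// Added illustration, not QueryPHP code. Flag values are taken from the ACL table above.
const ACL_LOGIN = 1;
const ACL_GROUP = 4;
const ACL_ROLE  = 8;

// Hypothetical helper: turn a list such as "4,45,8" or ",78" into integers, skipping empty items.
function aclIds(string $csv): array {
    return array_map('intval', array_filter(array_map('trim', explode(',', $csv)), 'strlen'));
}

/**
 * Returns 0 when access is allowed, otherwise the flag that failed,
 * which is the kind of value a noAcl($mask) handler can branch on.
 * $user is a constructed array: ['login' => bool, 'group' => int[], 'role' => int[]].
 */
function aclCheck(int $mask, array $user, string $groups = '', string $roles = ''): int {
    $handled = ACL_LOGIN | ACL_GROUP | ACL_ROLE;
    if ($mask & ~$handled) {
        return $mask & ~$handled; // fail closed on flags this sketch does not implement
    }
    // Group and role membership only mean something for an authenticated user.
    if (($mask & $handled) && empty($user['login'])) {
        return ACL_LOGIN;
    }
    if (($mask & ACL_GROUP) && !array_intersect($user['group'], aclIds($groups))) {
        return ACL_GROUP;
    }
    if (($mask & ACL_ROLE) && !array_intersect($user['role'], aclIds($roles))) {
        return ACL_ROLE;
    }
    return 0;
}

// Constructed sample users and a constructed mask (login required plus group set).
$guest  = ['login' => false, 'group' => [],   'role' => []];
$member = ['login' => true,  'group' => [45], 'role' => [6]];
$other  = ['login' => true,  'group' => [7],  'role' => [6]];
$mask   = ACL_LOGIN | ACL_GROUP;

var_dump(aclCheck($mask, $guest,  '4,45,8')); // not logged in: the login prompt case
var_dump(aclCheck($mask, $member, '4,45,8')); // logged in and in group 45
var_dump(aclCheck($mask, $other,  '4,45,8')); // logged in but outside the listed groups
var_dump(aclCheck(0, $guest));                // mask 0: a public method such as show
```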
Currently, each router can enable ACL control as its situation requires.
Add public function isAcl() {} to the xxxxRouter.class.php file.
It can return the permission file name, for example curd; the class of that name in curdACL.class.php is then called automatically.
Enabling verification in the curdRouter class
The code is as follows:
class curdRouter extends controller {
    // Returns the RBAC access-control list verification class. By default the class has the same name as the router, that is, curd.
    // If this function is not defined, the general permission system is not enabled.
    public function isAcl() {}

    public function index()
    {
        $booktype = M("booktype");
        $this->pager = C("pager"); // get the pager object
        $this->pager->setPager($booktype->count(), 10, 'page'); // from the total number of records, show 10 per page
        $this->assign("list", $booktype->orderby("bookid desc")->limit($this->pager->offset(), 10)->fetch()->getRecord());
    }

    public function login() { // login page
    }

    public function logout() { // logout page
        MY()->logout(); // log out
        redirect(url_for("guestbook/index"), "exited successfully", 3);
    }

    public function noAcl($mask) { // called when permission is missing; here it redirects to the login page
        redirect(url_for("guestbook/login"), "login required", 3);
    }

    public function loginpost() { // login form submission; simplified login check with hard-coded credentials
        if ($_POST['author'] === 'queryphp' && md5($_POST['pwd']) === md5('123'))
        {
            MY()->setLogin(); // set the login status
            redirect(url_for("guestbook/adminlist"), "logon successful", 3);
        }
        redirect(url_for("guestbook/login"), "logon failed", 3);
    }
}
The code is as follows:
/*
 * Basic login information
 * The permission table can be cached and restored at login.
 */
class mybase {
    public $options = array();
    public $uid;
    public $username;
    public $isadmin;
    public $role = array(); // the identities (roles) I use
    public $group = array(); // my groups
    public $grouprole = array(); // group ID
    public $mygroupMar = array(); // groups that I manage
    public $mygroupOwn = array(); // groups that belong to me
    public $acl = array(); // permission sets in the active control table, combining groupacl and myacl; the values are rbac rbacid values
    public $groupacl = array(); // control permissions of my groups
    public $myacl = array(); // control permissions of my identity
    public $loginfaild = 0; // number of failed logins; if this number is exceeded, login from the IP address is prohibited
}
This is the basic information.
You can put myUser.class.php in the project lib directory.
Use the MY() function to obtain the myUser object.
Look at the framework files:
The project/router directory has a guestbookRouter.class.php.
In the admin back end, the class name and methods of guestbookRouter.class.php are obtained, and permissions can be added to these methods.
On the right there is an option to apply the permission and an option to cancel it. If the permission is cancelled, there is no permission restriction; that is, the permission file is deleted.
Applying the permission adds permission control to this class and generates a permission file: guestbookACL.class.php is generated in project/router/acl/.
When the program loads guestbookRouter.class.php, it checks whether a guestbookACL.class.php permission file exists.
If the file exists, permission verification is used; if it does not, permission verification is not used. In this way, adding or removing permissions requires no change to the guestbookRouter.class.php file.
This makes it very convenient to add permissions later.
http://queryphp.googlecode.com/files/queryphp_2011_01_27.zip