RBAC: Role-Based Access Control. Requirements:
1. Permissions, roles, administrators
2. Permission management, nested to unlimited depth
Note: Permissions are assigned to roles, not to administrators!
3. List of roles
Permissions are assigned to a role when the role is added.
4. Administrator list
5. The system has a super administrator by default, which cannot be deleted (it cannot be assigned permissions; it has all permissions)
6. The back end can be accessed only after logging in
7. The left side of the back end shows only the buttons that the current administrator has access to
Actual operation:
- Build the tables
Three main tables and two intermediate tables:
/************ RBAC permission tables ***********/
/* Column lengths were lost in this copy of the page ("varchar (+)"). 30 is assumed for the
   varchar columns (the username validation rule below caps it at 30 characters) and 32 for
   the password, which is the length of an MD5 hex digest. */
drop table if exists p40_privilege;
create table p40_privilege
(
    id mediumint unsigned not null auto_increment comment 'Id',
    pri_name varchar(30) not null comment 'permission name',
    module_name varchar(30) not null default '' comment 'module name',
    controller_name varchar(30) not null default '' comment 'controller name',
    action_name varchar(30) not null default '' comment 'method name',
    parent_id mediumint unsigned not null default '0' comment 'parent permission id',
    primary key (id)
) engine=InnoDB default charset=utf8 comment 'permissions';

drop table if exists p40_role_pri;
create table p40_role_pri
(
    pri_id mediumint unsigned not null comment 'permission id',
    role_id mediumint unsigned not null comment 'role id',
    key pri_id (pri_id),
    key role_id (role_id)
) engine=InnoDB default charset=utf8 comment 'role permissions';

drop table if exists p40_role;
create table p40_role
(
    id mediumint unsigned not null auto_increment comment 'Id',
    role_name varchar(30) not null comment 'role name',
    primary key (id)
) engine=InnoDB default charset=utf8 comment 'role';

drop table if exists p40_admin_role;
create table p40_admin_role
(
    admin_id mediumint unsigned not null comment 'administrator id',
    role_id mediumint unsigned not null comment 'role id',
    key admin_id (admin_id),
    key role_id (role_id)
) engine=InnoDB default charset=utf8 comment 'administrator role';

drop table if exists p40_admin;
create table p40_admin
(
    id mediumint unsigned not null auto_increment comment 'Id',
    username varchar(30) not null comment 'user name',
    password char(32) not null comment 'password',
    primary key (id)
) engine=InnoDB default charset=utf8 comment 'administrator';

insert into p40_admin (username, password) values ('admin', md5('admin'));
Note: The TP (ThinkPHP) framework comes with an RBAC class. It also uses five tables, but TP only provides the five tables and the class, and the class only provides queries against the five tables; the code that operates on those tables we still have to write ourselves. There is no need to use TP's class, because it provides almost nothing and we would need to write our own code anyway.
2. Use Gii to generate the code for the three main tables directly; the code for the two relationship tables we have to add ourselves!
To generate the permission list:
Modify the configuration file:
Set it to generate recursive code
'TableName' => 'p40_privilege', // table name
'Tablecnname' => 'rights', // Chinese (display) name of the table
'ModuleName' => 'Admin', // module the code is generated into
'Withprivilege' => FALSE, // whether the corresponding permission data is generated
'Toppriname' => '', // name of the top-level permission
'Digui' => 1, // whether the table is unlimited-level (recursive)
'Diguiname' => 'pri_name', // field used to display the name when recursing, such as cat_name (category name)
'PK' => 'id', // name of the table's primary key field
/********************* the code in the model file to be generated ******************************/
// Form fields that are allowed to be received when adding
'insertfields' => "array('pri_name', 'module_name', 'controller_name', 'action_name', 'parent_id')",
// Form fields that are allowed to be received when modifying
'updatefields' => "array('id', 'pri_name', 'module_name', 'controller_name', 'action_name', 'parent_id')",
' Validate ' = '
Remove the search:
/**************** the configuration of the search field **********************/
'Search' => array(),
Generate the code:
p40_privilege.php
With this, the unlimited-level permission management is complete!
2.2. Next, generate the administrator and role code
Modify the administrator management features
- Hash the administrator password with MD5: add this to the Admin model
// Before adding
protected function _before_insert(&$data, $option)
{
    $data['password'] = md5($data['password']);
}
- The super admin cannot be deleted
// Before deleting
protected function _before_delete($option)
{
    // The super administrator is the row with id 1
    if ($option['where']['id'] == 1)
    {
        $this->error = 'Super admin cannot be deleted';
        return FALSE;
    }
}
The Delete button is not shown for the super admin. Hiding the button only changes the page; the _before_delete hook above is what actually blocks the deletion.
<td align="center">
    <a href="<?php echo U('edit?id='.$v['id'].'&p='.I('get.p')); ?>" title="Edit">Edit</a>
    <?php if ($v['id'] > 1): ?>
    |
    <a href="<?php echo U('delete?id='.$v['id'].'&p='.I('get.p')); ?>" onclick="return confirm('OK to delete?');" title="Remove">Remove</a>
    <?php endif; ?>
</td>
- When modifying an administrator, do not change the password if the password field is left blank
3.1 Modify the form validation rules: the password may be blank when modifying, but cannot be empty when adding
array('username', 'require', 'username cannot be empty!', 1, 'regex', 3),
array('username', '1,30', 'username cannot be longer than 30 characters!', 1, 'length', 3),
6th parameter: when the rule takes effect: 1 = when adding, 2 = when modifying, 3 = in all cases
array('password', 'require', 'password cannot be empty!', 1, 'regex', 1),
The password can now be left blank when modifying, but it would then be changed to an empty value:
So check before modifying:
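// Before modification
protected function _before_update(&$data, $option)
{
    if ($data['password'])
        // A new password was entered: hash it
        $data['password'] = md5($data['password']);
    else
        // Left blank: drop the field so the stored password is not touched
        unset($data['password']);
}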
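md5() as used in the hooks above is unsalted and fast to compute, so a leaked p40_admin table can be cracked offline cheaply. The added example below (not the tutorial's code) keeps the same before-insert and before-update behaviour with PHP's password_hash() and upgrades existing MD5 rows at login; the function names are hypothetical stand-ins for the model hooks, and the password column is assumed to be widened from char to varchar(255).

```php
<?php
// Added example: plain functions standing in for the Admin model hooks (hypothetical names).

// Mirrors _before_insert: always hash. password_hash() generates a salt per hash.
function hashOnInsert(array &$data): void
{
    $data['password'] = password_hash($data['password'], PASSWORD_DEFAULT);
}

// Mirrors _before_update: a blank password means "leave the stored one unchanged".
function hashOnUpdate(array &$data): void
{
    if (isset($data['password']) && $data['password'] !== '') {
        $data['password'] = password_hash($data['password'], PASSWORD_DEFAULT);
    } else {
        unset($data['password']);
    }
}

// Login check. Returns [bool $ok, ?string $newHash]; when $newHash is not null the
// caller should store it, which replaces a legacy md5() value after one good login.
function checkLogin(string $typed, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {       // legacy MD5 hex digest
        $ok = hash_equals($stored, md5($typed));
        return [$ok, $ok ? password_hash($typed, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($typed, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? password_hash($typed, PASSWORD_DEFAULT) : null];
}

// Constructed sample data.
$row = ['username' => 'editor', 'password' => 'Example-passphrase-1'];
hashOnInsert($row);
[$ok] = checkLogin('Example-passphrase-1', $row['password']);
var_dump($ok);                                           // new-style hash verifies

[$ok, $upgrade] = checkLogin('admin', md5('admin'));     // row made by the page's INSERT
var_dump($ok, $upgrade !== null);                        // accepted once, then upgraded

$edit = ['id' => 2, 'username' => 'editor', 'password' => ''];
hashOnUpdate($edit);
var_dump(array_key_exists('password', $edit));           // blank field was dropped
```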
Code for the relationship between permissions and roles
Tables used:
Actual operation:
- Build the permission list in the form that adds a role
// Take out all the permissions
$priModel = D('Privilege');
$priData = $priModel->getTree();
// Set the page information
$this->assign(array(
    'priData' => $priData,
    '_page_title' => 'Add role',
    '_page_btn_name' => 'Role list',
    '_page_btn_link' => U('lst'),
));
- Output the permissions in a loop in the form
- After the form is submitted, each checked permission is inserted into the role-permission intermediate table
Add an after-insert hook to the role model:
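public function _after_insert($data, $option)
{
    // IDs of the permissions checked in the form
    $priId = I('post.pri_id');
    $rpModel = D('role_pri');
    // Nothing checked means no array is posted, so there is nothing to insert
    if (is_array($priId))
    {
        foreach ($priId as $v)
        {
            $rpModel->add(array(
                'pri_id' => (int) $v, // posted value, force it to an integer
                'role_id' => $data['id'],
            ));
        }
    }
}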
- In the list of roles, add a column that lists all the permission names that the role has
Modify the search method in the role model
// GROUP_CONCAT with group by a.id collapses the joined rows into one row per role
$data['data'] = $this->alias('a')
    ->field('a.*, GROUP_CONCAT(c.pri_name) pri_name')
    ->join('LEFT JOIN __ROLE_PRI__ b ON a.id = b.role_id
            LEFT JOIN __PRIVILEGE__ c ON b.pri_id = c.id')
    ->where($where)
    ->group('a.id')
    ->limit($page->firstRow.','.$page->listRows)
    ->select();
return $data;