Video Learning Transcript---ThinkPHP---RBAC rights management

Source: Internet
Author: User

"One" Introduction

(1) Introduction

RBAC (Role-Based Access Control) means permission control based on user groups/roles.

(2) Overview

At present, projects generally use one of two authority management modes: ① the traditional way; ② the RBAC way. Each is described in turn below.

"Two" Comparison between the traditional mode and the RBAC mode

(1) Traditional mode of authority assignment

Typical feature: permissions are hooked to users, that is, bound directly to each user. An example is the assignment of staff permissions in the ECS e-commerce management platform.

Disadvantages: ① efficiency is low; ② there is no uniform standard when setting permissions. For these reasons this way of assigning permissions is not used on large sites.

(2) RBAC Rights Management mode

In use there are two kinds: ① RBAC rights management based on a table structure; ② RBAC rights management based on a file structure.

The difference is where the data is stored: table-based data is stored in data tables (3 tables or 5 tables), and file-based data is stored in a file. The principle is the same.

Extension: the difference between 3 tables and 5 tables. If the data is split until it cannot be split any further, use 5 tables; otherwise use 3 tables.

The 3 tables are the user table, the user group table and the permission table. The 5-table form splits the permission table and the user group table of the 3-table form again.

Data-table-based form: the advantage is that later data maintenance is more convenient, because there is an interface for manipulating the data tables.

File-based form: the advantage is that it is simple and easy to understand; the disadvantage is that it is hard to maintain and revise later (it is written in a file, and there is no maintenance interface).

(3) RBAC principle

Description: when the user logs in, the login information (such as the role ID) is persisted, and the permissions of the role are looked up by that ID. The permissions here are user group permissions.

Then the intermediate controller obtains the controller name and method name that the current user is accessing, composes them into a string in the same predefined format, and checks whether the composed string is in the permission information. If it is present, the user has permission; if it is absent, the user has no permission.

(4) RBAC permission Assignment mode

The most important feature of the RBAC permission mode is that permissions are hooked to user groups, and user groups are then hooked to users.

The advantages of the RBAC mode: ① when designing a project, the standard for permissions can be unified; ② maintenance is easier and faster.

Large website projects generally use the RBAC mode.

"Three" cases

Implementing RBAC Rights Management for OA system

The first step: define the permission data of the user groups. The current mode is file-based rights management, so the data needs to be written in a file.

Which file is it written in?

It can be written in a configuration file, or in a separate file that is then included. Writing it in the configuration file is recommended, because the configuration file is loaded automatically by the system, so nothing needs to be included when it is used later.

The configuration file can be the application-level configuration file application\common\conf\config.php or the group-level configuration file application\home\conf\config.php.

Here I recommend the application-level configuration file common\conf\config.php.

As mentioned before, the 3 tables are the user table, the user group table and the permission table.

Write the permission configuration below

    // RBAC permission data
    // 1. Role array
    'RBAC_ROLES' => array(
        1 => 'Senior Management',
        2 => 'Middle Leader',
        3 => 'General Staff',
    ),
    // 2. Permission array, associated with the role array through the ids 1, 2, 3
    'RBAC_ROLE_AUTHS' => array(
        1 => '*/*', // full permissions (controller name/method name; the / separates controller and method)
        2 => array('email/*', 'doc/*', 'knowledge/*'), // middle management
        3 => array('email/*', 'knowledge/*'),
    ),

The second step: in the specified place, obtain the permissions the current user should have according to the role_id. The user group ID gives the corresponding permission information; with that in hand, the controller name and method name are obtained next.

Switch to logging in as the user Wang, whose permission (role_id) is 3.

The user's permissions are determined from the current user's role_id, so this check is linked to the FQ check (preventing access that bypasses login). The FQ check is written in the intermediate controller, and permissions also need to be judged there, so the two are written together to reduce code duplication. Write the code in the controller CommonController.class.php.

Step three: the location is the constructor of the intermediate controller.

Fourth step: first test the user's role_id. Here the logged-in user is Wang, whose role_id is 3, so the browser shows 3.

Persisting the user information at login is already written in the login controller.

The permission information is in the configuration file, so next use the C method to read the configuration and get the permissions.

    // The permission information is in the configuration file, so read it with the C method
    $rbac_role_auths = C('RBAC_ROLE_AUTHS'); // get the permissions for all user groups
    dump($rbac_role_auths); die;

Print the output here to check whether the full permission information was obtained. The browser displays the result:

    array(3) {
      [1] => string(3) "*/*"
      [2] => array(3) {
        [0] => string(7) "email/*"
        [1] => string(5) "doc/*"
        [2] => string(11) "knowledge/*"
      }
      [3] => array(2) {
        [0] => string(7) "email/*"
        [1] => string(11) "knowledge/*"
      }
    }

Next, get the current user's permissions, and then print the output

    $currRoleAuth = $rbac_role_auths[$role_id]; // get the permissions for the current user
    dump($currRoleAuth); die;

The browser displays the result as

    array(2) {
      [0] => string(7) "email/*"
      [1] => string(11) "knowledge/*"
    }

That part is done.

Moving on.

Fourth step: obtain the controller name and method name in the route that the current user is accessing by means of constants, and compose them into the predefined format.

That is, in the constructor of the intermediate controller, get the controller name and method name currently being accessed. How? Through constants.

    // Get the controller name in the route the current user is accessing, via a constant
    $controller = strtolower(CONTROLLER_NAME); // lowercase, to match the predefined format
    dump($controller); die;

The browser outputs the controller name: index

Next, get the method name by adding one more line:

    // Get the controller name and method name in the route the current user is accessing, via constants
    $controller = strtolower(CONTROLLER_NAME);
    $action = strtolower(ACTION_NAME);

Fifth step: Determine if you have permission

Basis for the judgment: check whether the composed string is in the permission array. If it is, the user has permission; otherwise the user has no permission.

    // Check permissions; first exclude the super administrator
    if ($role_id > 1) {
        // Permission check when the user is not a super administrator
        if (!in_array($controller . '/' . $action, $currRoleAuth) && !in_array($controller . '/*', $currRoleAuth)) {
            // The user does not have permission
            $this->error('You do not have permission'); die;
        }
    }

Now refresh the browser to verify. Login succeeds, but the page fails to display: it always shows no permission and then returns to login; after logging in again it shows no permission again, and so on. The no-permission message and the login page keep cycling.

Why does this happen?

The cause is that there is no index controller in the configuration file, so add it next.

Now the test can be verified: a normal employee does not have the staff management permission, so clicking on staff management prompts that there is no permission.

If you want users to be taken to the home page when the jump happens, you can write a method for that in the controller.
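
The check from steps one to five as a stand-alone PHP script, added here as an example and not part of the original transcript or of ThinkPHP: `tutorial_check` mirrors the `$role_id > 1` test above, and `rbac_is_allowed` (a hypothetical helper name) is a fail-closed variant that denies a missing or unknown role_id. The permission array is constructed sample data, and the `index/*` entry for role 3 is an assumption about how the index controller was added.

```php
<?php
// Constructed sample data in the shape of RBAC_ROLE_AUTHS from step one.
$roleAuths = array(
    1 => '*/*',
    2 => array('email/*', 'doc/*', 'knowledge/*'),
    3 => array('index/*', 'email/*', 'knowledge/*'), // index/* is an assumed entry
);

// Mirrors the tutorial's check: only role ids greater than 1 are tested.
function tutorial_check($roleId, $controller, $action, array $roleAuths)
{
    if ($roleId > 1) {
        $auth = $roleAuths[$roleId];
        return in_array("$controller/$action", $auth)
            || in_array("$controller/*", $auth);
    }
    return true; // role 1, but also null, 0 or '' when the session holds no role
}

// Fail-closed variant (hypothetical helper): deny unless an entry matches.
function rbac_is_allowed($roleId, $controller, $action, array $roleAuths)
{
    if (!is_int($roleId) && !ctype_digit((string) $roleId)) {
        return false; // missing or malformed role id
    }
    $roleId = (int) $roleId;
    if (!isset($roleAuths[$roleId])) {
        return false; // role not defined in the configuration
    }
    $controller = strtolower($controller);
    $wanted = array($controller . '/' . strtolower($action), $controller . '/*', '*/*');
    // (array) puts the '*/*' string of role 1 and the lists on one code path.
    foreach ((array) $roleAuths[$roleId] as $granted) {
        if (in_array($granted, $wanted, true)) {
            return true;
        }
    }
    return false;
}

// Constructed requests: role id as it might come from the session, then the route.
$requests = array(array(3, 'Email', 'send'), array(3, 'staff', 'index'),
                  array(1, 'staff', 'index'), array(null, 'staff', 'index'));
foreach ($requests as $r) {
    list($role, $c, $a) = $r;
    printf("role=%s %s/%s tutorial=%s hardened=%s\n", var_export($role, true), $c, $a,
        var_export(tutorial_check($role, strtolower($c), strtolower($a), $roleAuths), true),
        var_export(rbac_is_allowed($role, $c, $a, $roleAuths), true));
}
```

The last request is the case to watch: with no role in the session the tutorial's comparison skips the permission test, so the login check in the intermediate controller has to run before it.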

Summary

Follow the steps above in order.
