Part One: Introduction
(1) Introduction
RBAC (Role-Based Access Control) is permission control based on user groups (roles): permissions are granted to roles, and users obtain them through the role they are assigned, rather than being bound to each user individually.
(2) Overview
At present, projects generally use one of two permission-management modes: ① the traditional mode; ② the RBAC mode. Each is described in turn below.
Part Two: Comparison between the traditional mode and the RBAC mode
(1) Traditional mode of authority assignment
Typical feature: permissions are hooked directly to users, i.e. each permission is bound to each user individually. An example is the way staff permissions are distributed in the ECS e-commerce management platform.
Disadvantages: ① efficiency is low, because every new user has to be assigned permissions one by one; ② there is no uniform standard when permissions are set, so two users doing the same job can end up with different rights. For these reasons this allocation method is not used on large sites.
(2) RBAC Rights Management mode
In practice there are two ways to implement it: ① table-based RBAC permission management; ② file-based RBAC permission management.
The difference is where the data is stored: the table-based form stores it in database tables (a 3-table or 5-table design), while the file-based form stores it in a file. The principle is the same.
Extension: the difference between 3 tables and 5 tables. If the data is to be normalized until it cannot be split any further, use 5 tables; otherwise 3 tables suffice.
The 3-table design contains a user table, a user group (role) table and a permission table. The 5-table design splits the user group table and the permission table again, so that the user-to-role and role-to-permission relationships are stored in separate association tables instead of inside the user group and permission tables themselves.
Table-based form: the advantage is that later data maintenance is more convenient, because an administrative interface can manipulate the data tables.
File-based form: the advantage is that it is simple and easy to understand; the disadvantage is that it is not easy to maintain, because the data is written in a file and there is no maintenance interface, so later maintenance and revision are difficult (every change is a code change).
(3) RBAC principle
Description: when the user logs in, the user's login information (such as the role ID) is persisted (in the server-side session), and the permissions of that role are then looked up by the ID. The permissions here are user group permissions, not per-user permissions.
Then, in the intermediate (base) controller, the controller name and method name of the current request are obtained and composed into the predefined format ("controller/method"). The composed string is then checked against the permission information: if it is present, the user has permission; if it is absent, the user does not.
(4) RBAC permission Assignment mode
The most important feature of the RBAC mode is that permissions are hooked to user groups, and user groups are then hooked to users.
From this the advantages of the RBAC mode follow: ① when designing a project, the permission standard can be unified, because everyone in the same role gets exactly the same rights; ② maintenance is easier and faster, because changing a role's permissions changes them for every user in that role.
In general, large web site projects mostly use the RBAC mode.
Part Three: Case study
Implementing RBAC permission management for an OA system
Step one: define the user groups' permission data. The current mode is file-based permission management, so the data needs to be written in a file.
Which file should it be written in?
It can be written in a configuration file, or in a separate file that is then included. Writing it in the configuration file is recommended, because configuration files are loaded automatically by the framework, so later uses need no explicit include.
The configuration can be written in the application-level configuration file application\common\conf\config.php, or in the module-level configuration file application\home\conf\config.php.
Here I recommend the application-level configuration file application\common\conf\config.php.
As said before, the 3 tables are the user table, the user group table and the permission table. In the file-based form the same three pieces of data (roles, permissions, and the link between them) are expressed as PHP arrays.
Write the permission configuration below (ThinkPHP configuration keys are case-insensitive, so C('rbac_role_auths') and C('RBAC_ROLE_AUTHS') read the same entry):
    // RBAC permission data
    // 1. Role array
    'RBAC_ROLES' => array(
        1 => 'senior management',
        2 => 'middle leader',
        3 => 'general staff',
    ),
    // 2. Permission array (keyed by role): associates role ids 1, 2, 3 with their permission lists
    'RBAC_ROLE_AUTHS' => array(
        1 => '*/*',                                      // full permissions; format is "controller/method", the "/" separates controller and method
        2 => array('email/*', 'doc/*', 'knowledge/*'),   // middle leader
        3 => array('email/*', 'knowledge/*'),            // general staff
    ),
Note that the entry for role 1 is a string ('*/*') while the other entries are arrays; the permission check below has to treat role 1 specially for that reason.
Step two: at the designated place, obtain the permissions the current user should have according to their role_id. The user group ID is used to get the corresponding permission information, and from that the controller names and method names are obtained.
Log in as the user Wang; the role_id is 3.
Because the current user's role_id is what determines the user's permissions, the permission check depends on the same login state as the check that stops a user who has not logged in from reaching pages by typing their URL directly. To reduce code duplication, both checks are written together in the intermediate controller, CommonController.class.php.
Step three: where to write it: in the constructor method of the intermediate controller.
Step four: first test the user's role_id. The logged-in user here is Wang, whose role_id is 3, so the browser shows 3.
The persistence of the user information on login has already been written in the login controller.
Then, because the permission information is in the configuration file, use the C method to read the configuration and get the permissions:
    // the permission information is in the configuration file, so use the C method to read it
    $rbac_role_auths = C('rbac_role_auths'); // get the permissions of all user groups
    dump($rbac_role_auths); die;
This prints the output to check whether the full permission information was obtained; the browser displays:
    array(3) {
      [1] => string(3) "*/*"
      [2] => array(3) {
        [0] => string(7) "email/*"
        [1] => string(5) "doc/*"
        [2] => string(11) "knowledge/*"
      }
      [3] => array(2) {
        [0] => string(7) "email/*"
        [1] => string(11) "knowledge/*"
      }
    }
Next, get the current user's permissions and print them:
    $currRoleAuth = $rbac_role_auths[$role_id]; // get the permissions of the current user's role
    dump($currRoleAuth); die;
The browser displays:
    array(2) {
      [0] => string(7) "email/*"
      [1] => string(11) "knowledge/*"
    }
That completes this step. Next:
Step four (continued): obtain the controller name and method name of the route the current user is accessing, via constants, and compose them into the predefined format.
That is, in the intermediate controller's constructor, get the controller name and method name of the current request. How are they obtained? Through the framework constants CONTROLLER_NAME and ACTION_NAME.
    // get the controller name of the route the current user is accessing via the constant
    $controller = strtolower(CONTROLLER_NAME); // lowercase, to match the predefined format in the configuration
    dump($controller); die;
The browser outputs the controller name: index
Next, get the method name in the same way and add it:
    // get the controller name and method name of the route the current user is accessing via constants
    $controller = strtolower(CONTROLLER_NAME);
    $action     = strtolower(ACTION_NAME);
Step five: determine whether the user has permission.
Basis for the judgement: check whether the composed string "controller/method" is in the permission array, or whether the role has the "controller/*" wildcard for that controller. If either is present, the user has permission; otherwise not.
    // determine permissions; first exclude the super administrator (role 1, whose entry is the string '*/*' and so cannot be passed to in_array)
    if ($role_id > 1) {
        // permission check only when the user is not the super administrator
        if (!in_array($controller . '/' . $action, $currRoleAuth) && !in_array($controller . '/*', $currRoleAuth)) {
            // the user does not have permission
            $this->error('You do not have permission');
            die;
        }
    }
Now refresh the browser to verify. The login succeeds, but the page fails to display and always shows "no permission"; logging in again gives "no permission" again, and so on, looping between the no-permission page and the login page.
Why does this happen?
The reason is that the index controller (the home page the user is redirected to after login) is not in the configuration file, so role 3 is denied on index/index and sent back to login. Add it next, for example as 'index/*' in each role's permission array.
Now the test can be verified: a general staff member does not have the staff-management permission, so clicking Staff Management prompts "no permission".
If you want the user to be sent to the home page instead when the redirect happens, you can write that in the controller (for example by passing the home page URL as the jump target of $this->error).
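The following is an added, stand-alone example that is not the tutorial's own code and does not require ThinkPHP: it reproduces the principle from Part Three (3) and the check built in Steps one to five as a plain PHP script, using the same "controller/method" format and the same role data as the config.php above. The function names (rbac_allowed, demo), the 'index/*' entries and the $ALWAYS_ALLOWED list are assumptions made for this example; the 'index/*' entries are the fix for the login/no-permission loop described above, and the '*/*' string for role 1 is handled explicitly instead of by skipping the check.

```php
<?php
// Added example, not the tutorial's code. Run with: php rbac_check.php

// Permission data in the tutorial's format: "controller/method", with '*' as a
// wildcard for the method, or '*/*' for everything. 'index/*' is added to every
// role so the post-login redirect to index/index is not denied (assumption).
$RBAC_ROLE_AUTHS = array(
    1 => '*/*',                                               // senior management
    2 => array('index/*', 'email/*', 'doc/*', 'knowledge/*'), // middle leader
    3 => array('index/*', 'email/*', 'knowledge/*'),          // general staff
);

// Actions every logged-in user may reach regardless of role (assumption for
// this example; the tutorial instead adds the index controller to the config).
$ALWAYS_ALLOWED = array('index/index');

/**
 * Decide whether the role $roleId may call $controller/$action.
 *
 * $roleId must be the value persisted in the server-side session at login
 * (session('role_id') in ThinkPHP), never a request parameter or a value taken
 * from a client-controlled cookie, otherwise the user picks their own role.
 */
function rbac_allowed(array $roleAuths, array $alwaysAllowed, $roleId, $controller, $action)
{
    // Normalise to lowercase, as the tutorial does with strtolower(CONTROLLER_NAME),
    // so "Email/Send" and "email/send" match the lowercase config entries.
    $controller = strtolower($controller);
    $action     = strtolower($action);
    $node       = $controller . '/' . $action;

    if (in_array($node, $alwaysAllowed, true)) {
        return true;
    }

    // Unknown or missing role id: deny by default instead of failing open.
    if (!isset($roleAuths[$roleId])) {
        return false;
    }

    $auths = $roleAuths[$roleId];

    // Role 1 is stored as the string '*/*'. in_array() requires an array, which
    // is why the tutorial guards with "$role_id > 1"; here the string is wrapped
    // so the same matching code handles both shapes.
    if (is_string($auths)) {
        $auths = array($auths);
    }

    foreach ($auths as $rule) {
        if ($rule === '*/*' || $rule === $node || $rule === $controller . '/*') {
            return true;
        }
    }
    return false;
}

// Self-check against the tutorial's scenario (Wang has role_id 3). Inputs are
// constructed for this example.
function demo()
{
    global $RBAC_ROLE_AUTHS, $ALWAYS_ALLOWED;
    $cases = array(
        // role, controller, action, expected
        array(3, 'Email', 'send',   true),   // email/* covers every email action
        array(3, 'Staff', 'index',  false),  // staff management is not granted to role 3
        array(3, 'Index', 'index',  true),   // home page after login must not loop
        array(3, 'Doc',   'view',   false),  // doc/* belongs to role 2 only
        array(2, 'Doc',   'upload', true),
        array(1, 'Staff', 'delete', true),   // '*/*' string entry
        array(9, 'Email', 'send',   false),  // unknown role id: denied
    );
    $failures = 0;
    foreach ($cases as $c) {
        list($role, $ctrl, $act, $expect) = $c;
        $got = rbac_allowed($RBAC_ROLE_AUTHS, $ALWAYS_ALLOWED, $role, $ctrl, $act);
        printf("role %d %s/%s => %s (%s)\n", $role, $ctrl, $act,
            $got ? 'allowed' : 'denied', $got === $expect ? 'ok' : 'MISMATCH');
        if ($got !== $expect) {
            $failures++;
        }
    }
    return $failures;
}

exit(demo() === 0 ? 0 : 1);
```

Inside CommonController the same logic would run in the constructor with $roleId taken from the session and $controller/$action from CONTROLLER_NAME and ACTION_NAME, calling $this->error() when rbac_allowed() returns false. The two points worth keeping from the example are the deny-by-default branch for a role id that has no configuration entry, and that the role id is read from the session rather than from anything the browser sends.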
Summary
Carry out the steps above in order: define the role and permission data in the configuration file, read the current user's role from the session in the intermediate controller's constructor, compose "controller/method" from the request, and deny the request when neither that string nor "controller/*" is in the role's permission list.
Video learning transcript: ThinkPHP RBAC permission management