YII framework下基于角色的访问控制（RBAC）

weizhan2008 发表于 2011-12-21 08:44

yii下，filters()和accessControl()是YII基本的访问控制体系， public function filters(){     return array(            'accessControl',     ); } public function accessControl(){     return array(         array(             'allow', //allow or deny 允许或者拒绝             'controllers' => array('controllersList'), //对控制器进行访问控制             'actions' => array('actionsList'), //对action进行访问控制             'users' => array('usersList'), //对用户             'roles' => array('roles'), //对角色             'ips' => array('ip 地址'), //对客户端地址             'verbs' => array('GET','POST'), //对客户端的请求方式             'expression' => '' //对表达式（一般是业务逻辑）             'message' => 'thank your access', //错误信息提示，一般是deny时用到          ),        array(....),        ....        array('deny', users => array('*')),     ); } 好了，有了以上的访问控制，我们针对上面的roles进行讨论RBAC。 Yii的RBAC是基于一个组件authManager的，可以先在main。php中配置authManager authManger分为基于数据库的和基于PHP脚本的，一般如果你的应用程序基于数据库（mysql或者pgsql)，最好把authManger配置为CDbAuthManger，而不是CPhpAuthManger。 ... 'authManager' => array(      'class' => 'CDbAuthManager',      'connectionID' => 'db', ), 'db' => array(...), ... 配置好了以后，需要在数据库中增加3个存放RBAC规则的表： AuthItem -- 存放建立的授权项目（role、task或者opration) AuthItemChild -- 存放授权项目的继承关系 AuthAssignMent -- 存放用户和授权项目的关系表 <div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>CREATE TABLE `authitem` ( </li><li>
            `name` varchar(64) NOT NULL, </li><li>
            `type` int(11) NOT NULL, </li><li>
            `description` text, </li><li>
            `bizrule` text, </li><li>
            `data` text, </li><li>
            PRIMARY KEY (`name`) </li><li>
          ) ENGINE=InnoDB DEFAULT CHARSET=utf8;</li></ol></div><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>CREATE TABLE `authitemchild` ( </li><li>
                 `parent` varchar(64) NOT NULL, </li><li>
                 `child` varchar(64) NOT NULL, </li><li>
                 PRIMARY KEY (`parent`,`child`), </li><li>
                 KEY `child` (`child`), </li><li>
                 CONSTRAINT `authitemchild_ibfk_1` FOREIGN KEY (`parent`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE, </li><li>
                 CONSTRAINT `authitemchild_ibfk_2` FOREIGN KEY (`child`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE </li><li>
               ) ENGINE=InnoDB DEFAULT CHARSET=utf8;</li></ol></div>

 <div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>CREATE TABLE `authassignment` ( </li><li>
                  `itemname` varchar(64) NOT NULL, </li><li>
                  `userid` varchar(64) NOT NULL, </li><li>
                  `bizrule` text, </li><li>
                  `data` text, </li><li>
                  PRIMARY KEY (`itemname`,`userid`), </li><li>
                  CONSTRAINT `authassignment_ibfk_1` FOREIGN KEY (`itemname`) REFERENCES `authitem` (`name`) ON DELETE CASCADE ON UPDATE CASCADE </li><li>
                ) ENGINE=InnoDB DEFAULT CHARSET=utf8;</li></ol></div>建好表以后，就可以用Yii提供的authManger组件的API建立相关的授权项目，并指定授权关系了。 下面是一个例子： 下面做一个实例： 
<a href="http://my.chinaunix.nethttp://blog.chinaunix.net/attachment/201103/23/395468_1300863507Xa2c.png" target="_blank" target="_blank"><img src="http://my.chinaunix.nethttp://blog.chinaunix.net/attachment/201103/23/395468_1300863507Xa2c.png" border="0"></a> 
我们要实现上面的授权关系。 <div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>class AuthManagerController extends Controller{ </li><li>
    public function actionIndex(){ </li><li>
        $auth = Yii::app()->authManager; </li><li>
         </li><li>
        if ($auth !== NULL){ </li><li>
            $auth->clearAll(); </li><li>
            //create roles </li><li>
            $roleOwner = $auth->createRole('owner'); </li><li>
            $roleReader = $auth->createRole('reader'); </li><li>
            $roleMember = $auth->createRole('member'); </li><li>
            $roleBlackList = $auth->createRole('blackList'); </li><li>
 </li><li>
            //create operations </li><li>
            //issues </li><li>
            $auth->createOperation('createIssue', 'create issue in project'); </li><li>
            $auth->createOperation('readIssue', 'read issue'); </li><li>
            $auth->createOperation('updateIssue', 'update issue'); </li><li>
            $auth->createOperation('deleteIssue', 'delete issue'); </li><li>
 </li><li>
            //projects </li><li>
            $auth->createOperation('createProject', 'create a new project'); </li><li>
            $auth->createOperation('readProject', 'read project'); </li><li>
            $auth->createOperation('updateProject', 'update project'); </li><li>
            $auth->createOperation('deleteProject', 'delete project'); </li><li>
 </li><li>
            //users </li><li>
            $auth->createOperation('createUser', 'create a new user'); </li><li>
            $auth->createOperation('readUser', 'read user'); </li><li>
            $auth->createOperation('updateUser', 'update user'); </li><li>
            $auth->createOperation('deleteUser', 'delete user'); </li><li>
 </li><li>
            //authorization </li><li>
            $roleReader->addChild('readIssue'); </li><li>
            $roleReader->addChild('readProject'); </li><li>
            $roleReader->addChild('readUser'); </li><li>
 </li><li>
            $roleMember->addChild('reader'); </li><li>
            $roleMember->addChild('createIssue'); </li><li>
            $roleMember->addChild('updateIssue'); </li><li>
            $roleMember->addChild('deleteIssue'); </li><li>
 </li><li>
            $roleOwner->addChild('reader'); </li><li>
            $roleOwner->addChild('member'); </li><li>
            $roleOwner->addChild('createProject'); </li><li>
            $roleOwner->addChild('updateProject'); </li><li>
            $roleOwner->addChild('deleteProject'); </li><li>
            $roleOwner->addChild('createUser'); </li><li>
            $roleOwner->addChild('updateUser'); </li><li>
            $roleOwner->addChild('deleteUser'); </li><li>
 </li><li>
            //assign </li><li>
            //此时，在Issue中的rules中设置view和index的roles=>array('member'),不管是什么用户，都无法访问这两个action </li><li>
            $userAdmin = User::model()->findByAttributes(array('username' => 'admin')); </li><li>
            $auth->assign('owner', $userAdmin->id); </li><li>
            $auth->assign('member', $userAdmin->id); //将用户名为admin（id=3）指定为member角色，这样就可以访问了。 </li><li>
            $auth->assign('reader', $userAdmin->id); </li><li>
 </li><li>
            $userDemo = User::model()->findByAttributes(array('username' => 'demo')); </li><li>
            $auth->assign('member', $userDemo->id); //将用户名为admin（id=3）指定为member角色，这样就可以访问了。 </li><li>
            $auth->assign('reader', $userDemo->id); //将用户名为demo（id=4）指定为reader角色 </li><li>
             </li><li>
            $userDemo2 = User::model()->findByAttributes(array('username' => 'demo2')); </li><li>
            $auth->assign('reader', $userDemo2->id); //将用户名为demo（id=4）指定为reader角色 </li><li>
 </li><li>
            $userBlackList = User::model()->findByAttributes(array('username' => 'demo3')); </li><li>
            $auth->assign('blackList', $userBlackList->id); </li><li>
        }else{ </li><li>
            $message = 'Please config your authManage as a compontion in main.php'; </li><li>
            throw new CHttpException(0, $message); </li><li>
        } </li><li>
    } </li><li>
}</li></ol></div>建立授权关系以后，更新accessRules为： <div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>public function accessRules() </li><li>
    { </li><li>
        return array( </li><li>
            array('allow',// allow all users to perform 'index' and 'view' actions </li><li>
                'actions'=>array('index','view'), </li><li>
                'users'=>array('@'), </li><li>
                                'roles' => array('member', 'owner', 'reader'), </li><li>
            ), </li><li>
            array('allow', // allow authenticated user to perform 'create' and 'update' actions </li><li>
                'actions'=>array('create','update'), </li><li>
                'users'=>array('@'), </li><li>
                                'roles' => array('member', 'owner'), </li><li>
            ), </li><li>
            array('allow', // allow admin user to perform 'admin' and 'delete' actions </li><li>
                'actions'=>array('admin','delete'), </li><li>
                'users'=>array('@'), </li><li>
                                'roles' => array('owner'), </li><li>
            ), </li><li>
            array('deny',// deny all users </li><li>
                'users'=>array('*'), </li><li>
            ), </li><li>
        ); </li><li>
    }</li></ol></div>就是把刚刚建立的授权项目加入到访问控制列表中。 另外一个例子 <div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>$auth = Yii::app()->authManger; </li><li>
$roleManager = $auth->createRole('manager'); //建立一个角色 </li><li>
 </li><li>
$auth->createTask('projectManager'); //建立任务 </li><li>
$auth->createTask('userManager'); </li><li>
 </li><li>
$auth->createOpration('createProject'); //建立操作 </li><li>
$auth->createOpration('updateProject'); </li><li>
$auth->createOpration('deleteUser'); </li><li>
 </li><li>
$user = User::model()->findByPk('1'); //检索用户 </li><li>
$roleManager->addChild('projectManager'); //为角色授权任务 </li><li>
$roleManager->addChild('updateProject');//为角色授权操作 </li><li>
$auth->assign('manager', $user->id);//指定用户权限</li></ol></div>

页: [1]

Chinaunix's Archiver

YII framework下基于角色的访问控制（RBAC）