weizhan2008 posted on 2011-12-21 08:44

A rough overview of Yii RBAC

<div class="level1">

<p>
Taking Yii 1.15 as the example:<br>

the RBAC mechanism involves three tables, whose schema lives in framework/web/auth/schema.sql;<br>

RBAC has three kinds of objects altogether: Operation, Task and Role;
</p>

</div>

<a name="表结构" id="表结构">Table structure</a>
<div class="level2">

<p>

<strong>auth_items</strong>
</p>

<p>
Purpose
</p>
Records the objects used by RBAC.

<p>
Fields
</p>
<ul><li class="level1"><div class="li"> name - the object's name, a string;</div>
</li><li class="level1"><div class="li"> type - the object type (0, 1, 2);</div>
</li><li class="level1"><div class="li"> description - a description, long string;</div>
</li><li class="level1"><div class="li"> bizrule - long string; a block of PHP code can be defined here to make the check more flexible;</div>
</li><li class="level1"><div class="li"> data - long string; a serialized array, used to pass parameters to the bizrule;</div>
</li></ul>

<p>
The values of the type field mean:
</p>
<ul><li class="level1"><div class="li"> 0 - Operation</div>
</li><li class="level1"><div class="li"> 1 - Task</div>
</li><li class="level1"><div class="li"> 2 - Role</div>
</li></ul>


<p>
<strong>auth_assignments</strong>
</p>

<p>
Purpose
</p>
Records the user -&gt; role mapping, i.e. assigns users to roles (user groups).

<p>
Fields
</p>
<ul><li class="level1"><div class="li"> itemname - the role name, matching auth_items, case-sensitive;</div>
</li><li class="level1"><div class="li"> userid - the user ID; the column of the real user table it maps to must be defined beforehand in the configuration;</div>
</li><li class="level1"><div class="li"> bizrule - same as the code block in auth_items;</div>
</li><li class="level1"><div class="li"> data - same as above;</div>
</li></ul>


<p>
<strong>auth_itemchildren</strong>
</p>

<p>
Purpose
</p>
Records the role -&gt; task, role -&gt; operation and task -&gt; operation relationships.

<p>
Fields
</p>
<ul><li class="level1"><div class="li"> parent - the parent's name; can be a role name or a task name;</div>
</li><li class="level1"><div class="li"> children - the child object's name; can be a task name or an operation name;</div>
</li></ul>

</div>

<a name="初始化方法" id="初始化方法">Initialization</a>
<div class="level2">

<p>
You can use the methods provided in the guide and run them once from some controller (either in CLI mode or through the browser);<br>

of course, you can also insert the records into the database by hand.
</p>
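<p>
As an added illustration (not code from the original post), this is how the hierarchy described in the tables above is built once through the Yii 1.1 IAuthManager API, from a controller action or console command. It assumes the <code>authManager</code> component is configured as CDbAuthManager; the item names, the bizRule text and the user IDs are constructed sample values, not values from the post.
</p>

```php
<?php
// Added example: populate auth_items, auth_itemchildren and auth_assignments
// through the auth manager. Assumes 'authManager' is a CDbAuthManager; item
// names and user IDs below are constructed samples.
$auth = Yii::app()->authManager;

// Operations (type 0): the atomic actions.
$auth->createOperation('createPost', 'Create a post');
$auth->createOperation('readPost', 'Read a post');
$auth->createOperation('updatePost', 'Update a post');
$auth->createOperation('deletePost', 'Delete a post');

// Task (type 1) with a bizRule. The bizRule column is PHP source that the
// auth manager evaluates with eval() at check time; $params comes from the
// checkAccess() call and $data is the unserialized data column. Because it
// is executed code stored in a table, write access to auth_items must be
// treated as code execution: never build a bizRule from request input.
$bizRule = 'return isset($params["post"]) '
         . '&& $params["post"]->authorId == Yii::app()->user->id;';
$task = $auth->createTask('EditPost', 'Edit a post the user owns', $bizRule);
$task->addChild('updatePost');               // task -> operation

// Roles (type 2) and the role -> task / role -> operation edges.
$reader = $auth->createRole('Reader');
$reader->addChild('readPost');

$author = $auth->createRole('Author');
$author->addChild('Reader');                 // roles may inherit roles
$author->addChild('createPost');
$author->addChild('EditPost');               // role -> task

$admin = $auth->createRole('Administrator');
$admin->addChild('Author');
$admin->addChild('deletePost');
$admin->addChild('updatePost');              // unconditional: no bizRule

// user -> role rows in auth_assignments (constructed sample user IDs).
$auth->assign('Author', 2);
$auth->assign('Administrator', 1);

// CDbAuthManager writes immediately and save() is a no-op there; it matters
// only for CPhpAuthManager, which buffers changes in a PHP file.
$auth->save();
```

<p>
Because the 'Administrator' role has 'updatePost' as a direct child, the check for an administrator succeeds without ever reaching the EditPost bizRule, while an author reaches 'updatePost' only through EditPost and therefore only for their own posts.
</p>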

</div>

<a name="验证方法" id="验证方法">Access checking</a>
<div class="level2">

<p>
You can check access with <a href="http://www.yiiframework.com/doc/api/1.1/CWebUser#checkAccess" class="urlextern" title="http://www.yiiframework.com/doc/api/1.1/CWebUser#checkAccess" rel="nofollow" target="_blank">CWebUser::checkAccess()</a>, or through the <a href="http://www.yiiframework.com/doc/api/1.1/CAccessControlFilter" class="urlextern" title="http://www.yiiframework.com/doc/api/1.1/CAccessControlFilter" rel="nofollow" target="_blank">CAccessControlFilter</a> filter.
</p>

<p>
For example:<br>

the current user belongs to the Author group (Role), and we need to check whether they have permission for the EditPost task (Task), with the further condition that authorId in the Post model (a CActiveRecord) equals the current user's ID;
the bizrule of EditPost contains
</p>
<pre class="code php">return $params['post']['authorId'] == Yii::app()->user->id;
</pre>

<p>
Start the check:

</p>
<pre class="code php">$auth = Yii::app()->authManager;
// $criteria: a CDbCriteria assumed to have been built earlier
$post = Post::model()->find($criteria);
// checkAccess() takes the item name first: EditPost is the Task whose
// bizrule receives $params['post']
$restricted = !Yii::app()->user->checkAccess('EditPost', array(
    'post' => $post,
));

if (false == $restricted) {
    // check passed
} else {
    // check failed
}
</pre>
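<p>
As an added example (not from the original post), the two approaches named above combined in one controller: CAccessControlFilter handles the action-level rules, and the object-level EditPost check runs inside the action, where the loaded model is available to the bizrule. It assumes a Post model with an authorId attribute and the item names used in this post; the action and view names are constructed.
</p>

```php
<?php
// Added example: CAccessControlFilter for action-level rules plus an
// explicit checkAccess() for the object-level (bizrule) decision.
// Assumes a Post model with an authorId attribute and the RBAC items
// 'EditPost' and 'Administrator' from the post; action names are constructed.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Rules are evaluated top to bottom and the first match wins. 'roles'
    // is resolved through Yii::app()->user->checkAccess(), so it may name a
    // Role, Task or Operation. The closing deny-all rule makes the
    // controller deny by default, so a newly added action is not exposed
    // by accident.
    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view'),
                'users'   => array('*'),
            ),
            array('allow',
                'actions' => array('create', 'update'),
                'users'   => array('@'),          // authenticated users only
            ),
            array('allow',
                'actions' => array('delete'),
                'roles'   => array('Administrator'),
            ),
            array('deny',
                'users'   => array('*'),
            ),
        );
    }

    // The filter cannot know which post is being edited, so the per-object
    // check (the EditPost bizrule) has to run here, with the model passed
    // as $params['post']. Failing the check is a 403, not a redirect.
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk((int) $id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        if (!Yii::app()->user->checkAccess('EditPost', array('post' => $post))) {
            throw new CHttpException(403, 'You are not allowed to edit this post.');
        }
        // ... assign posted attributes, validate, save ...
        $this->render('update', array('model' => $post));
    }
}
```

<p>
An administrator passes the in-action check as well, because 'Administrator' reaches 'updatePost' directly in the hierarchy; an author passes only when the bizrule evaluates true for the loaded post.
</p>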

</div>

<a name="一些变态的" id="一些变态的">Some oddities</a>


<p>
To get the groups (Roles) the current user belongs to, use

</p>
<pre class="code php">$cuid  = Yii::app()->user->id;
$roles = Yii::app()->authManager->getRoles($cuid);
</pre>

<p>

The result turns out to be an array of <a href="http://www.yiiframework.com/doc/api/1.1/CAuthItem" class="urlextern" title="http://www.yiiframework.com/doc/api/1.1/CAuthItem" rel="nofollow" target="_blank">CAuthItem</a> objects, where each element's key is that <a href="http://www.yiiframework.com/doc/api/1.1/CAuthItem" class="urlextern" title="http://www.yiiframework.com/doc/api/1.1/CAuthItem" rel="nofollow" target="_blank">CAuthItem</a>'s <a href="http://www.yiiframework.com/doc/api/1.1/CAuthItem#name-detail" class="urlextern" title="http://www.yiiframework.com/doc/api/1.1/CAuthItem#name-detail" rel="nofollow" target="_blank">name</a> property.<br>

So, to determine whether a user is in a group, you have to use isset.
</p>

<pre class="code php">$cuid  = Yii::app()->user->id;
$roles = Yii::app()->authManager->getRoles($cuid);
if (isset($roles['Administrator'])) {
    // the current user is a member of Administrator
}
</pre>
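<p>
As an added example (not from the original post), a small helper that wraps the getRoles() quirk above and sets it beside the check the hierarchy itself provides: getRoles($userId) lists only roles assigned directly in auth_assignments, whereas the auth manager's checkAccess() also follows the parent edges in auth_itemchildren. The class and method names are constructed.
</p>

```php
<?php
// Added example: membership helpers around getRoles(). Class and method
// names are constructed; role names are the ones used in the post.
class RbacHelper
{
    // getRoles() returns CAuthItem objects keyed by item name, so
    // membership is isset() on the key, not in_array() on the values.
    public static function hasDirectRole($userId, $roleName)
    {
        $roles = Yii::app()->authManager->getRoles($userId);
        return isset($roles[$roleName]);
    }

    // Names of the roles assigned directly to the user: array_keys(),
    // for the same reason.
    public static function directRoleNames($userId)
    {
        return array_keys(Yii::app()->authManager->getRoles($userId));
    }

    // Every role the user effectively holds. IAuthManager::checkAccess()
    // walks up from the item to its parents and checks the assignments
    // found there, so a user assigned only 'Administrator' also holds any
    // role 'Administrator' has as a child. Called without a user ID,
    // getRoles() returns all roles, which is the candidate set here.
    public static function effectiveRoleNames($userId)
    {
        $auth      = Yii::app()->authManager;
        $effective = array();
        foreach ($auth->getRoles() as $name => $item) {
            if ($auth->checkAccess($name, $userId)) {
                $effective[] = $name;
            }
        }
        return $effective;
    }
}

// Usage: with the hierarchy from this post, a user assigned only
// 'Administrator' is a direct member of one role but effectively
// holds every role below it as well.
$uid = Yii::app()->user->id;
if (RbacHelper::hasDirectRole($uid, 'Administrator')) {
    // directly assigned to Administrator
}
$held = RbacHelper::effectiveRoleNames($uid);
```

<p>
For authorization decisions, prefer checkAccess() over inspecting getRoles(): the isset() test answers only "is this role assigned directly", which is not the same question as "may this user do X".
</p>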