Error202
/
yii2-bootstrap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Merged RBAC draft into authorization

tags/2.0.0-beta
Alexander Makarov 11 years ago
parent
cf73f40d79
commit
78af586cd7
3 changed files with 114 additions and 126 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 117
      docs/guide/authorization.md
  2. 1
      docs/guide/index.md
  3. 122
      docs/guide/rbac.md

117
docs/guide/authorization.md
Unescape View File

@ -77,15 +77,126 @@ Role based access control is very flexible approach to controlling access that i
where permissions are customizable. where permissions are customizable.
In order to start using it some extra steps are required. First of all we need to configure `authManager` application In order to start using it some extra steps are required. First of all we need to configure `authManager` application
component: component in application config file (`web.php` or `main.php` depending on template you've used):
```php ```php
'authManager' => [
'class' => 'app\components\PhpManager',
'defaultRoles' => ['guest'],
],
```
Often use role is stored in the same database table as other user data. In this case we may defined it by creating our
own component (`app/components/PhpManager.php`):
```php
<?php
namespace app\components;
use Yii;
class PhpManager extends \yii\rbac\PhpManager
{
public function init()
{
parent::init();
if (!Yii::$app->user->isGuest) {
// we suppose that user's role is stored in identity
$this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role);
}
}
}
``` ```
Then create permissions hierarchy. Then create permissions hierarchy in `@app/data/rbac.php`:
```php
<?php
use yii\rbac\Item;
return [
// HERE ARE YOUR MANAGEMENT TASKS
'manageThing0' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
// AND THE ROLES
'guest' => [
'type' => Item::TYPE_ROLE,
'description' => 'Guest',
'bizRule' => NULL,
'data' => NULL
],
'user' => [
'type' => Item::TYPE_ROLE,
'description' => 'User',
'children' => [
'guest',
'manageThing0', // User can edit thing0
],
'bizRule' => 'return !Yii::$app->user->isGuest;',
'data' => NULL
],
'moderator' => [
'type' => Item::TYPE_ROLE,
'description' => 'Moderator',
'children' => [
'user', // Can manage all that user can
'manageThing1', // and also thing1
],
'bizRule' => NULL,
'data' => NULL
],
'admin' => [
'type' => Item::TYPE_ROLE,
'description' => 'Admin',
'children' => [
'moderator', // can do all the stuff that moderator can
'manageThing2', // and also manage thing2
],
'bizRule' => NULL,
'data' => NULL
],
'godmode' => [
'type' => Item::TYPE_ROLE,
'description' => 'Super admin',
'children' => [
'admin', // can do all that admin can
'manageThing3', // and also thing3
],
'bizRule' => NULL,
'data' => NULL
],
];
```
Now you can specify roles from RBAC in controller's access control configuration:
```php
public function behaviors()
{
return [
'access' => [
'class' => 'yii\web\AccessControl',
'except' => ['something'],
'rules' => [
[
'allow' => true,
'roles' => ['manageThing1'],
],
],
],
];
}
```
Specify roles from RBAC in controller's access control configuration or call [[User::checkAccess()]] where appropriate. Another way is to call [[User::checkAccess()]] where appropriate.
### How it works ### How it works

1
docs/guide/index.md
Unescape View File

@ -56,7 +56,6 @@ Security and access control
- [Authorization](authorization.md) - Access control and RBAC - [Authorization](authorization.md) - Access control and RBAC
- [Security](security.md) - Hashing and verifying passwords, encryption - [Security](security.md) - Hashing and verifying passwords, encryption
- [Views security](view.md#security) - how to prevent XSS - [Views security](view.md#security) - how to prevent XSS
- [RBAC](rbac.md) - Role-based Access Control
Data providers, lists and grids Data providers, lists and grids
=============================== ===============================

122
docs/guide/rbac.md
Unescape View File

@ -1,122 +0,0 @@
Using RBAC
===========
Lacking proper documentation, this guide is a stub copied from a [topic on the forum](http://www.yiiframework.com/forum/index.php/topic/49104-does-anyone-have-a-working-example-of-rbac/page__view__findpost__p__229098).
First af all, you modify your config (web.php or main.php),
```php
'authManager' => [
'class' => 'app\components\PhpManager', // THIS IS YOUR AUTH MANAGER
'defaultRoles' => ['guest'],
],
```
Next, create the manager itself (app/components/PhpManager.php)
```php
<?php
namespace app\components;
use Yii;
class PhpManager extends \yii\rbac\PhpManager
{
public function init()
{
if ($this->authFile === NULL)
$this->authFile = Yii::getAlias('@app/data/rbac') . '.php'; // HERE GOES YOUR RBAC TREE FILE
parent::init();
if (!Yii::$app->user->isGuest) {
$this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role); // we suppose that user's role is stored in identity
}
}
}
```
Now, the rules tree (@app/data/rbac.php):
```php
<?php
use yii\rbac\Item;
return [
// HERE ARE YOUR MANAGEMENT TASKS
'manageThing0' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
// AND THE ROLES
'guest' => [
'type' => Item::TYPE_ROLE,
'description' => 'Guest',
'bizRule' => NULL,
'data' => NULL
],
'user' => [
'type' => Item::TYPE_ROLE,
'description' => 'User',
'children' => [
'guest',
'manageThing0', // User can edit thing0
],
'bizRule' => 'return !Yii::$app->user->isGuest;',
'data' => NULL
],
'moderator' => [
'type' => Item::TYPE_ROLE,
'description' => 'Moderator',
'children' => [
'user', // Can manage all that user can
'manageThing1', // and also thing1
],
'bizRule' => NULL,
'data' => NULL
],
'admin' => [
'type' => Item::TYPE_ROLE,
'description' => 'Admin',
'children' => [
'moderator', // can do all the stuff that moderator can
'manageThing2', // and also manage thing2
],
'bizRule' => NULL,
'data' => NULL
],
'godmode' => [
'type' => Item::TYPE_ROLE,
'description' => 'Super admin',
'children' => [
'admin', // can do all that admin can
'manageThing3', // and also thing3
],
'bizRule' => NULL,
'data' => NULL
],
];
```
As a result, you can now add access control filters to controllers
```php
public function behaviors()
{
return [
'access' => [
'class' => 'yii\web\AccessControl',
'except' => ['something'],
'rules' => [
[
'allow' => true,
'roles' => ['manageThing1'],
],
],
],
];
}
```
Write Preview
Loading…
Cancel
Save