From 78af586cd7ef7b76aa689cd30916aab887d6b93b Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Mon, 25 Nov 2013 02:22:46 +0400
Subject: [PATCH] Merged RBAC draft into authorization
---
 docs/guide/authorization.md | 117 ++++++++++++++++++++++++++++++++++++++++--
 docs/guide/index.md | 1 -
 docs/guide/rbac.md | 122 --------------------------------------------
 3 files changed, 114 insertions(+), 126 deletions(-)
 delete mode 100644 docs/guide/rbac.md
diff --git a/docs/guide/authorization.md b/docs/guide/authorization.md
index b49f1af..5dedda9 100644
--- a/docs/guide/authorization.md
+++ b/docs/guide/authorization.md
@@ -77,15 +77,126 @@ Role based access control is very flexible approach to controlling access that i where permissions are customizable. In order to start using it some extra steps are required. First of all we need to configure `authManager` application -component: +component in application config file (`web.php` or `main.php` depending on template you've used): ```php +'authManager' => [ + 'class' => 'app\components\PhpManager', + 'defaultRoles' => ['guest'], +], +``` + +Often use role is stored in the same database table as other user data. In this case we may defined it by creating our +own component (`app/components/PhpManager.php`): + +```php +user->isGuest) { + // we suppose that user's role is stored in identity + $this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role); + } + } +} ``` -Then create permissions hierarchy. +Then create permissions hierarchy in `@app/data/rbac.php`: + +```php + ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], + 'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], + 'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], + 'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], + + // AND THE ROLES + 'guest' => [ + 'type' => Item::TYPE_ROLE, + 'description' => 'Guest', + 'bizRule' => NULL, + 'data' => NULL + ], + + 'user' => [ + 'type' => Item::TYPE_ROLE, + 'description' => 'User', + 'children' => [ + 'guest', + 'manageThing0', // User can edit thing0 + ], + 'bizRule' => 'return !Yii::$app->user->isGuest;', + 'data' => NULL + ], + + 'moderator' => [ + 'type' => Item::TYPE_ROLE, + 'description' => 'Moderator', + 'children' => [ + 'user', // Can manage all that user can + 'manageThing1', // and also thing1 + ], + 'bizRule' => NULL, + 'data' => NULL + ], + + 'admin' => [ + 'type' => Item::TYPE_ROLE, + 
'description' => 'Admin', + 'children' => [ + 'moderator', // can do all the stuff that moderator can + 'manageThing2', // and also manage thing2 + ], + 'bizRule' => NULL, + 'data' => NULL + ], + + 'godmode' => [ + 'type' => Item::TYPE_ROLE, + 'description' => 'Super admin', + 'children' => [ + 'admin', // can do all that admin can + 'manageThing3', // and also thing3 + ], + 'bizRule' => NULL, + 'data' => NULL + ], + +]; +``` + +Now you can specify roles from RBAC in controller's access control configuration: + +```php +public function behaviors() +{ + return [ + 'access' => [ + 'class' => 'yii\web\AccessControl', + 'except' => ['something'], + 'rules' => [ + [ + 'allow' => true, + 'roles' => ['manageThing1'], + ], + ], + ], + ]; +} +``` -Specify roles from RBAC in controller's access control configuration or call [[User::checkAccess()]] where appropriate. +Another way is to call [[User::checkAccess()]] where appropriate. ### How it works diff --git a/docs/guide/index.md b/docs/guide/index.md index 666de98..422ca64 100644 --- a/docs/guide/index.md +++ b/docs/guide/index.md @@ -56,7 +56,6 @@ Security and access control - [Authorization](authorization.md) - Access control and RBAC - [Security](security.md) - Hashing and verifying passwords, encryption - [Views security](view.md#security) - how to prevent XSS -- [RBAC](rbac.md) - Role-based Access Control Data providers, lists and grids =============================== diff --git a/docs/guide/rbac.md b/docs/guide/rbac.md deleted file mode 100644 index 28d8f5c..0000000 --- a/docs/guide/rbac.md +++ /dev/null 
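Review bot: The `@app/data/rbac.php` sample in the authorization.md hunk defines `'manageThing2'` twice and never defines `'manageThing3'`, which the `godmode` role lists as a child; in a PHP array literal the second `manageThing2` entry silently overwrites the first, so one operation is missing from the hierarchy and the dangling `manageThing3` reference will presumably fail or be ignored when the manager loads the file. The fourth operation line should read `'manageThing3' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],`. The `user` role's `bizRule` is a string of PHP (`'return !Yii::$app->user->isGuest;'`) that the auth manager presumably evaluates at check time, so a sentence next to the sample noting that business rules are static configuration and must never be assembled from request or database data would help readers copying it. The prose above the component sample also has two typos worth fixing in the same commit: `Often user role is stored in the same database table` and `we may define it by creating our own component`.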
@@ -1,122 +0,0 @@ -Using RBAC -=========== - -Lacking proper documentation, this guide is a stub copied from a [topic on the forum](http://www.yiiframework.com/forum/index.php/topic/49104-does-anyone-have-a-working-example-of-rbac/page__view__findpost__p__229098). - - -First af all, you modify your config (web.php or main.php), -```php -'authManager' => [ - 'class' => 'app\components\PhpManager', // THIS IS YOUR AUTH MANAGER - 'defaultRoles' => ['guest'], -], -``` - -Next, create the manager itself (app/components/PhpManager.php) -```php -authFile === NULL) - $this->authFile = Yii::getAlias('@app/data/rbac') . '.php'; // HERE GOES YOUR RBAC TREE FILE - - parent::init(); - - if (!Yii::$app->user->isGuest) { - $this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role); // we suppose that user's role is stored in identity - } - } -} -``` - -Now, the rules tree (@app/data/rbac.php): -```php - ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], - 'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], - 'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], - 'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL], - - // AND THE ROLES - 'guest' => [ - 'type' => Item::TYPE_ROLE, - 'description' => 'Guest', - 'bizRule' => NULL, - 'data' => NULL - ], - - 'user' => [ - 'type' => Item::TYPE_ROLE, - 'description' => 'User', - 'children' => [ - 'guest', - 'manageThing0', // User can edit thing0 - ], - 'bizRule' => 'return !Yii::$app->user->isGuest;', - 'data' => NULL - ], - - 'moderator' => [ - 'type' => Item::TYPE_ROLE, - 'description' => 'Moderator', - 'children' => [ - 'user', // Can manage all that user can - 'manageThing1', // and also thing1 - ], - 'bizRule' => NULL, - 'data' => NULL - ], - - 'admin' => [ - 'type' => Item::TYPE_ROLE, - 'description' 
=> 'Admin', - 'children' => [ - 'moderator', // can do all the stuff that moderator can - 'manageThing2', // and also manage thing2 - ], - 'bizRule' => NULL, - 'data' => NULL - ], - - 'godmode' => [ - 'type' => Item::TYPE_ROLE, - 'description' => 'Super admin', - 'children' => [ - 'admin', // can do all that admin can - 'manageThing3', // and also thing3 - ], - 'bizRule' => NULL, - 'data' => NULL - ], - -]; -``` - -As a result, you can now add access control filters to controllers -```php -public function behaviors() -{ - return [ - 'access' => [ - 'class' => 'yii\web\AccessControl', - 'except' => ['something'], - 'rules' => [ - [ - 'allow' => true, - 'roles' => ['manageThing1'], - ], - ], - ], - ]; -} -```