Yii RBAC：访问特定项目/行 [英] Yii RBAC: access to specific items/rows

问题描述

我有一个用例，我需要为用户分配编辑高度动态项目的权限，该项目可能有成百上千个。必须将每个属于同一类型或组的用户 分配给其中一些项目（并且不同的用户可以访问相同的公司项目）。此外，这些物品的数量会迅速增加或消失。这些项目与用户没有内在联系，但是必须任意分配给他们。

I have a use case where I need to assign a user the right to edit highly dynamic items, which can be in the hundreds or thousands. Each user, while belonging to the same type or group, must be assigned to some of these items (and different users may have access to the same Company Items). Furthermore, these items can rapidly grow in number or disappear. These items have no intrinsic relationship with the users, but must be arbitrarily assigned to them.

我们称这些项目为公司项目。

所以，我想成为能够为用户分配公司项目，并动态撤消该访问权限。然后在控制器内部使用这些分配来检查是否可以执行某些操作...
从概念上讲，问题始终相同：测试用户是否可以访问表中的特定项目/行，公司项目'表。

So, I want to be able to assign Company Items to users, and revoke that access dynamically. These assignments are then used inside controllers to check if some action can go on... Conceptually, the problem is always the same: test if a user has access to a specific item/row in a table, the Company Items' table.

我的想法是使用yii RBAC系统，同时尝试使授权树保持静态，从而避免创建/每次创建或删除公司项目时，删除角色或任务。相反，我想知道是否可以使用 assign（$ itemName，$ userId，$ bizRule，$ data） $ data 和类似以下的树：

My idea was to use the yii RBAC system, while trying to keep the authorization tree static, thus avoiding creating/deleting roles or tasks every time a Company Item is created or deleted. Instead, I was wondering If I could do this using the $data parameter in assign($itemName, $userId, $bizRule, $data) and a tree similar to the following:

• adminUser ：角色
  
  
  
  • companyAdmin ：角色
    
    
    
    • editCompanyItemRole ：具有 bizrule的角色; bizrule 通过简单地检查<$ c $中是否存在 $ params ['companyItemId']​​ 来测试对公司项目的访问权限c> $ data ['companyItemsAllowed'] ;在分配时，应该会收到一个 $ data ，其中包含允许用户编辑的公司项目'ID数组！
      
      
      
      • editItem ：操作；用来检查控制器中的访问权限，并应提供公司项目 ID，以供用户对照例如 Yii :: app（）-> user来检查用户-> checkAccess（'editItem'，array（'companyItemId'=> 666））;
      
      
      • adminUser: role
        • companyAdmin: role
          • editCompanyItemRole: role with bizrule; bizrule tests access to Company Item by simply checking if $params['companyItemId'] exists inside $data['companyItemsAllowed']; at assignment time, should receive a $data containing an array of Company Items' ids the user should be allowed to edit!
            • editItem: operation; used to check access in the Controllers, and should be provided with the Company Item id one wishes to check the user against, e.g., Yii::app()->user->checkAccess('editItem', array('companyItemId' => 666));

            这样，每当我们需要将用户分配更改为公司项目，我们唯一需要做的就是更改原始分配中的 $ data ['companyItemsAllowed'] 数组。 角色总是一样！

            This way, whenever we need to change the user assignment to Company Items, the only thing we need to do is to alter the $data['companyItemsAllowed'] array inside the original assignment. The role is always the same!

            
            
            1. 此系统是否可以正常工作，我是否可以以这种方式使用Yii的RBAC系统 ??
            
            
            2. 假设我们有这样的方法，这是实现要求的理想方法吗？成千上万的公司项目，我们可能有数十个分配给每个用户 ?? 为什么 ??
            
            
            1. Does this system work, can I use Yii's RBAC system in this fashion ??
            2. Is this the ideal way to accomplish the requirements, assuming we have thousands of Company Items, and we may have dozens of those assigned to each user ?? Why ??

            
            

            推荐答案

            在决定简单地维护公司项目数组之后，我决定采用以下方法在 $ data ['companyItemsAllowed'] 内，不是满足以下要求的最佳选择：

            I decided to take the following approach, after deciding that simply maintaining an array of Company Items inside $data['companyItemsAllowed'] was not the best for these requirements:

            
            
            • 在个用户和 CompanyItems 之间创建了一个关联表；称为 association_table ;
            
            

            • 创建了RBAC树，如问题所示，但是 bizRule 类似于以下内容：

            • created an association table between Users and CompanyItems; call it association_table;

            • created the RBAC tree as shown in the question, but where the bizRule was something like the following:

            $ret = Yii::app()->dbConnection->createCommand('SELECT EXISTS(SELECT 1 FROM `association_table` WHERE user_id=:userId AND company_item_id=:companyItemId)')
            ->queryScalar(array(':userId' => $params['userId'], 'companyItemId' => $params['companyItemId']));
            return $ret;
            

          
          

          这可以让我维护访问控制界面，就像这样：

          This allows me to maintain the access control interface, like so:

              Yii::app()->user->checkAccess('editItem', array('companyItemId' => 666));
          

          （回想我们不需要传递<$ c $ $ params 数组上的c> userId ！）

          (recall that we do not need to pass on userId on the $params array!.)

          课程，这将对 Company Items 的实际权限分配与 RBAC 系统分开：我分配了 editCompanyItemRole 使用Yii提供的RBAC机制的某些用户，但是必须通过在 association_table ...

          Of course, this separates the actual assigning of permissions to Company Items from the RBAC system: I assign editCompanyItemRole to some user using the RBAC mechanisms offered by Yii, but each actual item must be assigned individually by inserting a row onto association_table...

          因此，尽管首先想到的是在 $ data 内部维护一系列公司项目可能可行，但我认为这是可行的最好且更灵活。另外，关于 bizRule 的一般想法似乎可行。

          So, although first thought about maintaining an array of Company Items inside $data would probably work, I think this is best and more flexible. Also, the general idea about the bizRule seems to work.

          这篇关于Yii RBAC：访问特定项目/行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！