Doubts about Yii2 RBAC


Problem description

I've been developing web apps using Yii 1.1.14 so far, but now it's time for an upgrade.

The company where I work has developed its own Access Control system, and I was really OK with it until I saw what it was really like... A combination of 8 tables in the database (not counting the users table), with a bunch of foreign keys.

  • 1 controllers table
  • 1 actions table
  • 1 menu categories table
  • 1 user types table
  • The other tables basically just join 2 or 3 of these tables at a time.

It works well, but in my point of view it's highly time consuming to maintain all those tables, and at some point, when your application goes online, if it hits a certain amount of users it could get really slow, especially because 2 of those tables have the user's table primary key as foreign key.

So I've decided that, when I start developing on Yii 2, I'm going to start using RBAC, so I started looking for tutorials online... Only finding many different versions of the same code with author's role, and permissions for create or update posts.

I found a combination of 5 videos on YouTube, but they are about Yii 1 RBAC. They were helpful because I managed to understand most of RBAC's functionality, but I still have some doubts that I'll enumerate below. And keep in mind that for this Access Control system I'm using the DBManager class.

My doubts

  1. Yii 1's RBAC used to have 3 tables: auth_assignment, auth_item and auth_item_child. Now in Yii 2 RBAC, a new table appears that is called auth_rule and I still don't understand what that specific table is doing there, how to use it or how to populate it.

  2. I see that it's possible to restrict the user's access to some actions by using the controller's behavior method, and assigning access to some actions depending on the user's role, but when it comes to this I have to split my question into 2:

2.1. First: If you can just restrict the access to actions by setting it up in the behaviors method, then what's the use of saving permissions to the auth_item table?

2.2. Second: If you DO decide to control access according to permissions, then how exactly do you do it, because I find myself writing the following type of code inside of every function and I don't think using RBAC is supposed to be this tedious. There has to be another way.

public function actionView($id)
{
    if (Yii::$app->user->can('view-users')) {
        return $this->render('view', [
            'model' => $this->findModel($id),
        ]);
    } else {
        // Redirect to a custom made action that will show a view
        // with a custom error message. The redirect must be returned,
        // otherwise the action falls through and returns null.
        return $this->redirect(['//site/notauthorized']);
    }
}

  3. Because of the Access Control System that we use right now, when a user logs in, a complex query is executed that will end up returning an array that will be saved as a session variable, and will be used to create a menu with as many dropdownlists as menu categories, that the controllers that the user has access to belong to. How can this be done with RBAC?

Answer

I can only really answer 2.2 of your question, as 3 doesn't sound at all like something an RBAC should do. You could, however, get the information you needed from the rules table most likely, provided you followed a naming convention that matched your controllers or actions.

Continuing with 2.2:

You can simply set the behavior like such:

use yii\filters\AccessControl; // the filter class has to be imported in the controller

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'actions' => ['view'],
                    'roles' => ['view-users'], // <-- Note: a permission name, not a role; AccessRule passes each entry to $user->can()
                ],
            ],
        ],
    ];
}

This doesn't solve a different problem of 'view-own-users' style permissions, as this needs to inspect the ActiveRecord model (well, at least it does in my application). If you want to achieve this, take a look at my post in the Yii forums here:

http://www.yiiframework.com/forum/index.php/topic/60439-yii2-rbac-permissions-in-controller-behaviors/#entry269913
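The following listing is an added example, not code from the question, the answer or the Yii project. It ties together doubt 1 (what auth_rule holds and how it gets populated), 2.1 (why the permission rows in auth_item matter even when behaviors() does the gating) and the 'view-own' case the answer leaves open. It follows the pattern from the Yii 2 guide: a yii\rbac\Rule subclass is stored in auth_rule through DbManager, a permission row points at it via rule_name, and a controller filter checks the general permission name with roleParams (available since Yii 2.0.12) so the rule can inspect the record. The class names OwnerRule, RbacController and UserController, the ActiveRecord app\models\User, the permission and role names, the user ids 1 and 2, and the site/notauthorized route are all assumptions for this example; three files are shown in one listing.

```php
<?php
// Added example, not from the question or answer. Assumes a DbManager authManager,
// an app\models\User ActiveRecord, and the names below (all placeholders).

// --- file: rbac/OwnerRule.php
namespace app\rbac;

use yii\rbac\Rule;

// DbManager::add($rule) serializes this object into one auth_rule row; a
// permission row in auth_item refers to it through rule_name.
class OwnerRule extends Rule
{
    public $name = 'isOwner';

    // $user is the current user id, $params is what was passed to can().
    public function execute($user, $item, $params)
    {
        return isset($params['model']) && (int) $params['model']->id === (int) $user;
    }
}

// --- file: commands/RbacController.php (run: ./yii rbac/init)
namespace app\commands;

use Yii;
use yii\console\Controller;
use app\rbac\OwnerRule;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $rule = new OwnerRule();
        $auth->add($rule);                     // 1 row in auth_rule
        $viewUsers = $auth->createPermission('view-users');
        $auth->add($viewUsers);                // auth_item, type = permission
        $viewOwn = $auth->createPermission('view-own-user');
        $viewOwn->ruleName = $rule->name;      // auth_item.rule_name = 'isOwner'
        $auth->add($viewOwn);
        $auth->addChild($viewOwn, $viewUsers); // auth_item_child: own-user grants view-users when the rule passes
        $member = $auth->createRole('member');
        $auth->add($member);
        $auth->addChild($member, $viewOwn);
        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $viewUsers);   // admins may view anyone
        $auth->assign($admin, 1);              // auth_assignment; user ids are placeholders
        $auth->assign($member, 2);
    }
}

// --- file: controllers/UserController.php
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use app\models\User;

class UserController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['view'],
                        'roles' => ['view-users'],
                        // Forwarded to can() as $params (Yii >= 2.0.12), so OwnerRule sees the record.
                        'roleParams' => function () {
                            return ['model' => $this->findModel(Yii::$app->request->get('id'))];
                        },
                    ],
                ],
                // One redirect for every denied request; the filter returns false, so the action never runs.
                'denyCallback' => function ($rule, $action) {
                    Yii::$app->response->redirect(['/site/notauthorized']);
                },
            ],
        ];
    }

    public function actionView($id)
    {
        return $this->render('view', ['model' => $this->findModel($id)]); // no can() call needed here
    }

    protected function findModel($id)
    {
        if (($model = User::findOne($id)) !== null) {
            return $model;
        }
        throw new NotFoundHttpException('The requested user does not exist.');
    }
}
```

The controller only ever asks for 'view-users'. For user 1 (admin) DbManager finds that permission directly; for user 2 (member) it walks auth_item_child up to 'view-own-user', loads the OwnerRule from auth_rule and runs it with the model from roleParams, so a member can open only their own profile. Because the decision lives in the database rows, changing who may view whom is a matter of assignments, not of editing behaviors() in every controller; that is the point of keeping permissions in auth_item even when the gating happens in a filter.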

