yii2 拒绝用户在后端登录 [英] yii2 deny user login on backend

问题描述

我有应用 RBAC 迁移的 yii2 高级模板.我试图学习 RBAC 并遵循 Docs 2.0.

I have yii2 advance template with RBAC migration applied. I was trying to learn RBAC and followed the Docs 2.0.

我使用数据库登录，但前端和后端都使用任何帐户登录.我已经创建了 2 个 RBAC 角色(管理员、用户)，但无法理解或找不到如何

I have logged in using database, but the front-end and back-end both get logged in with any account. I have made 2 RBAC roles (admin, user), but can't understand or find how to

限制后端以非管理员用户角色登录.

restrict back-end to login non-admin user-role.

以下是角色的代码.和数据库条目:

The following is the code for roles. and database entries:

namespace console\controllers;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;

        // add "admin" role
        $admin = $auth->createRole('admin');
        $auth->add($admin);

        // add "user" role
        $user = $auth->createRole('user');
        $auth->add($user);

        $auth->assign($admin, 1);
    }
}

用户表:

admin   admin@gmail.com     20  10  1421197319  1421197319
user    user@gmail.com      10  10  1421198124  1421198124

现行规则:

'rules' => [
    [
        'actions' => ['login', 'error'],
        'allow' => true,
    ],
    [
        'actions' => ['logout', 'index'],
        'allow' => true,
        'roles' => ['@'],
    ],

推荐答案

已解决 - 注意:解决方案不完全是 RBAC，而是 ACF.

经过搜索和咨询，我在这个 yii2维基.

我不清楚 RBAC 的行为，因为我认为它不会让角色在某些操作(登录、提交等)之前执行特定任务.

I was unclear of RBAC behavior, in that I thought it won't let a role perform specific task before some action(login, submit etc).

实际上，RBAC 会让你做任何你想做的事，然后再检查获得许可，如果不允许则阻止.

Actually, RBAC will let you do whatever you try, and afterwards checks for permission and block if not permitted.

示例

房子里有一些院子出售，你可以自由漫步在它的前院周围.房子的大门/入口没有任何警卫在前面，它没有锁定.你试图潜入房子很快你进了房子，里面有一些保安突然阻止你表明自己的身份，他扫描你的信息房屋安全系统(DB 中的权限)并没有找到您的进入房子的权利.他逼你出去.这个守卫是RBAC

There is some yard sale in a house and you are free to roam around it's front yard. The house gate/entrance doesn't have any guard at front and its not locked. You try to sneak into the house and as soon you get into the house there is some security guard inside who abruptly stops you to identify yourself, he scan your information in the house security system(permissions in DB) and doesn't find your right to be in the house. He forces you out. This guard is RBAC

我需要一个守卫在前门，除非有人不让进他们被允许这样做.那就是 ACF.

I needed a guard at the front gate, who won't let anybody in unless they are allowed to. And that would be ACF.

所以，现在我需要一种方法来告诉后端系统特定的角色不能事先执行特定操作(即拒绝非管理员在后端登录)，这在 RBAC 中是不可能的，因此我们可以使用 ACF 使用matchCallback".

So, now I needed a way to tell the back-end system that a specific role cannot perform a specific action beforehand (i.e. deny non-admin login at back-end), this is not possible with RBAC so, for that we could use 'matchCallback' using ACF.

后端规则:

        'rules' => [
            [
                'actions' => ['login'],
                'allow' => true,
            ],
            [
                'actions' => ['logout', 'index'],
                'allow' => true,
                'roles' => ['@'],
                'matchCallback' => function ($rule, $action) {
                    return Yii::$app->user->identity->isAdmin;
                }
            ],
         ]

True 上的 matchCallback 允许执行操作，而 False 则拒绝该操作.isAdmin 是一个需要在 User 模型中定义的 getter 函数.

The matchCallback on True allows the actions to be performed and on False denies the action. isAdmin is a getter function that needs to be defined in User model.

namespace /common/models/User;

const ROLE_ADMIN = 20;
public function getIsAdmin()
{
    return $this->role == self::ROLE_ADMIN;
}

我已经在 这个 yii2 viki 的评论.

这篇关于yii2 拒绝用户在后端登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！