Yii RBAC: access to specific items/rows


Question

I have a use case where I need to assign a user the right to edit highly dynamic items, which can be in the hundreds or thousands. Each user, while belonging to the same type or group, must be assigned to some of these items (and different users may have access to the same Company Items). Furthermore, these items can rapidly grow in number or disappear. These items have no intrinsic relationship with the users, but must be arbitrarily assigned to them.

Let's call these items Company Items.

So, I want to be able to assign Company Items to users, and revoke that access dynamically. These assignments are then used inside controllers to check if some action can go on... Conceptually, the problem is always the same: test if a user has access to a specific item/row in a table, the Company Items' table.

My idea was to use the Yii RBAC system while trying to keep the authorization tree static, thus avoiding creating/deleting roles or tasks every time a Company Item is created or deleted. Instead, I was wondering if I could do this using the $data parameter in assign($itemName, $userId, $bizRule, $data) and a tree similar to the following:

  • adminUser: role
    • companyAdmin: role
      • editCompanyItemRole: role with bizRule; the bizRule tests access to a Company Item by simply checking whether $params['companyItemId'] exists inside $data['companyItemsAllowed']; at assignment time it should receive a $data containing an array of the Company Items' ids the user should be allowed to edit!
        • editItem: operation; used to check access in the controllers, and should be given the Company Item id one wishes to check the user against, e.g., Yii::app()->user->checkAccess('editItem', array('companyItemId' => 666));

This way, whenever we need to change the user's assignment to Company Items, the only thing we need to do is alter the $data['companyItemsAllowed'] array inside the original assignment. The role is always the same!

1. Does this system work? Can I use Yii's RBAC system in this fashion?
2. Is this the ideal way to accomplish the requirements, assuming we have thousands of Company Items, and we may have dozens of those assigned to each user? Why?

Answer

I decided to take the following approach, after deciding that simply maintaining an array of Company Items inside $data['companyItemsAllowed'] was not the best fit for these requirements:

  • created an association table between Users and CompanyItems; call it association_table;
  • created the RBAC tree as shown in the question, but where the bizRule was something like the following:

    // bizRule: PHP code that Yii eval()s with $params (and the item's $data) in scope;
    // CDbAuthManager fills in $params['userId'] when the caller does not pass it.
    $ret = Yii::app()->db->createCommand(
        'SELECT EXISTS(SELECT 1 FROM `association_table` WHERE user_id=:userId AND company_item_id=:companyItemId)'
    )->queryScalar(array(':userId' => $params['userId'], ':companyItemId' => $params['companyItemId']));
    return $ret;


  • this allowed me to keep the access-check interface as shown:

    Yii::app()->user->checkAccess('editItem', array('companyItemId' => 666));
              

(recall that we do not need to pass userId in the $params array!)

Of course, this separates the actual assigning of permissions to Company Items from the RBAC system: I assign editCompanyItemRole to some user using the RBAC mechanisms offered by Yii, but each actual item must be assigned individually by inserting a row into association_table...

So, although my first thought, maintaining an array of Company Items inside $data, would probably work, I think this is better and more flexible. Also, the general idea about the bizRule seems to work.
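As an added example (not code from the original question or answer), here is both designs discussed on this page wired up on Yii 1.x's CDbAuthManager: the question's "ids in the assignment's $data" idea and the answer's association-table bizRule, plus the controller check. It assumes Yii::app()->authManager is a CDbAuthManager on the stock AuthItem/AuthItemChild/AuthAssignment tables, Yii::app()->db is the CDbConnection, CompanyItem is an ActiveRecord model, and a hypothetical user_company_item table stands in for the answer's association_table; the function names are ours.

```php
<?php
// Added example for this page, not code from the original question or answer:
// both designs discussed above on Yii 1.x's CDbAuthManager. Assumptions:
// Yii::app()->authManager is a CDbAuthManager on the stock AuthItem/
// AuthItemChild/AuthAssignment tables, Yii::app()->db is the CDbConnection,
// CompanyItem is an ActiveRecord model, and the answer's "association_table"
// is the hypothetical table
//   CREATE TABLE user_company_item (
//     user_id INT NOT NULL, company_item_id INT NOT NULL,
//     PRIMARY KEY (user_id, company_item_id),
//     FOREIGN KEY (company_item_id) REFERENCES company_item(id) ON DELETE CASCADE);
// The key keeps a grant unique; the cascade drops grants when an item
// disappears, so a stale row cannot re-grant access to a recycled id.

/** The static tree from the question; $roleBizRule goes on editCompanyItemRole. */
function buildCompanyItemAuthTree($roleBizRule = null)
{
    $auth = Yii::app()->authManager;
    $auth->createOperation('editItem', 'Edit one Company Item; pass companyItemId in $params');
    $role = $auth->createRole('editCompanyItemRole', 'Edit the Company Items granted to the user', $roleBizRule);
    $role->addChild('editItem');
    $auth->createRole('companyAdmin', 'Company administrator')->addChild('editCompanyItemRole');
    $auth->createRole('adminUser', 'Site administrator')->addChild('companyAdmin');
}

// Variant B (the accepted answer): one fixed bizRule on the role that consults
// the association table. Yii eval()s this string with $params in scope and
// fills in $params['userId'] itself. Keep it a literal: a bizRule built from
// user input is code execution, and anyone who can write the AuthItem table can
// run PHP. The ids are bound and cast to int, never pasted into the SQL text.
function companyItemBizRule()
{
    return <<<'PHP'
if (!isset($params['companyItemId'])) { return false; }   // no row named: deny
return (bool) Yii::app()->db->createCommand(
    'SELECT EXISTS(SELECT 1 FROM user_company_item
                   WHERE user_id = :userId AND company_item_id = :companyItemId)'
)->queryScalar(array(':userId' => (int) $params['userId'],
                     ':companyItemId' => (int) $params['companyItemId']));
PHP;
}

function grantCompanyItem($userId, $companyItemId)
{
    // The primary key makes a repeated grant throw CDbException instead of duplicating the row.
    return Yii::app()->db->createCommand()->insert('user_company_item',
        array('user_id' => (int) $userId, 'company_item_id' => (int) $companyItemId));
}

function revokeCompanyItem($userId, $companyItemId)
{
    return Yii::app()->db->createCommand()->delete('user_company_item',
        'user_id = :u AND company_item_id = :c',
        array(':u' => (int) $userId, ':c' => (int) $companyItemId));
}

// Variant A (the question's idea): the allowed ids travel in the assignment's
// $data. Yii evaluates an assignment's bizRule against that assignment's $data
// (an item's bizRule sees only the item's own $data), so the rule belongs on the
// assignment, and only a user assigned editCompanyItemRole directly, not via
// companyAdmin, gets a per-user list. Changing the list rewrites the assignment.
function assignCompanyItemList($userId, array $companyItemIds)
{
    $auth = Yii::app()->authManager;
    // Cast and strict in_array: PHP's loose comparison would let "" match 0 or "666abc" match 666.
    $rule = 'return isset($params["companyItemId"]) && '
          . 'in_array((int) $params["companyItemId"], $data["companyItemsAllowed"], true);';
    if ($auth->isAssigned('editCompanyItemRole', $userId)) {
        $auth->revoke('editCompanyItemRole', $userId);
    }
    $ids = array_values(array_unique(array_map('intval', $companyItemIds)));
    $auth->assign('editCompanyItemRole', $userId, $rule, array('companyItemsAllowed' => $ids));
}

class CompanyItemController extends CController
{
    public function actionUpdate($id)
    {
        // Authorize the specific row on every edit request; checking 'editItem'
        // without companyItemId would be an IDOR. CWebUser::checkAccess does not
        // cache results when $params is non-empty, so each call reaches the rule.
        if (!Yii::app()->user->checkAccess('editItem', array('companyItemId' => (int) $id))) {
            throw new CHttpException(403, 'You may not edit this Company Item.');
        }
        $item = CompanyItem::model()->findByPk((int) $id);
        if ($item === null) {
            throw new CHttpException(404, 'No such Company Item.');
        }
        $item->attributes = Yii::app()->request->getPost('CompanyItem', array());  // only 'safe' attributes are set
        if (!$item->save()) {
            throw new CHttpException(400, 'Invalid Company Item data.');
        }
        $this->redirect(array('view', 'id' => (int) $id));
    }
}
```

Setup for the answer's design is buildCompanyItemAuthTree(companyItemBizRule()) once, then Yii::app()->authManager->assign('companyAdmin', $userId) per user; after that, grantCompanyItem($userId, 666) makes checkAccess('editItem', array('companyItemId' => 666)) true and revokeCompanyItem($userId, 666) makes it false again without touching AuthItem or AuthAssignment. One consequence of putting the bizRule on editCompanyItemRole: CDbAuthManager only climbs to a parent when the child's rule passes, so companyAdmin and adminUser also reach editItem only through a matching association row. If site administrators should edit every item unconditionally, add adminUser as a second, direct parent of editItem.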

