PSDI Army / yii2
Commit f7b8e7a0, authored Apr 18, 2014 by Alexander Makarov

Improved RBAC docs

parent 398b77da

Showing 1 changed file with 89 additions and 50 deletions

docs/guide/authorization.md
...
@@ -203,65 +203,104 @@ The `authManager` can now be accessed via `\Yii::$app->authManager`.
...
@@ -203,65 +203,104 @@ The `authManager` can now be accessed via `\Yii::$app->authManager`.
### Building Authorization Data
### Building Authorization Data
Building authorization data is all about the following
kinds of work:
Building authorization data is all about the following
tasks:
*
defining roles and permissions;
-
defining roles and permissions;
*
establishing relations among roles and permissions;
-
establishing relations among roles and permissions;
*
defining rules;
-
defining rules;
*
associating rules with roles and permissions;
-
associating rules with roles and permissions;
*
assigning roles to users.
-
assigning roles to users.
For applications that require very simple RBAC, the above work can be done once for all via a console command.
Depending on authorization flexibility requirements the tasks above could be done in different ways.
For applications that require complex RBAC with dynamic update to the authorization data, special user interfaces
may need to be developed.
The example below shows how to make use of the APIs offered by
`authManager`
to build authorization data. If you
If your persmissions hierarchy doesn't change at all and you have a fixed number of users you can create a console
use a console command to create the authorization data, you may put this piece of code in an action of the console
command that will initialize authorization data once via APIs offered by
`authManager`
:
command.
```
php
```
php
$auth
=
Yii
::
$app
->
authManager
;
<?php
namespace
app\commands
;
// add "createPost" permission
$createPost
=
$auth
->
createPermission
(
'createPost'
);
$createPost
->
description
=
'create a post'
;
$auth
->
add
(
$createPost
);
// add "readPost" permission
$readPost
=
$auth
->
createPermission
(
'readPost'
);
$readPost
->
description
=
'read a post'
;
$auth
->
add
(
$readPost
);
// add "updatePost" permission
$updatePost
=
$auth
->
createPermission
(
'updatePost'
);
$updatePost
->
description
=
'update post'
;
$auth
->
add
(
$updatePost
);
// add "reader" role and give this role the "readPost" permission
$reader
=
$auth
->
createRole
(
'reader'
);
$auth
->
add
(
$reader
);
$auth
->
addChild
(
$reader
,
$readPost
);
// add "author" role and give this role the "createPost" permission
// as well as the permissions of the "reader" role
$author
=
$auth
->
createRole
(
'author'
);
$auth
->
add
(
$author
);
$auth
->
addChild
(
$author
,
$createPost
);
$auth
->
addChild
(
$author
,
$reader
);
// add "admin" role and give this role the "updatePost" permission
use
yii\console\Controller
;
// as well as the permissions of the "author" role
$admin
=
$auth
->
createRole
(
'admin'
);
$auth
->
add
(
$admin
);
$auth
->
addChild
(
$admin
,
$updatePost
);
$auth
->
addChild
(
$admin
,
$author
);
// assign roles to users
class
RbacController
extends
Controller
$auth
->
assign
(
$reader
,
'reader A'
);
{
$auth
->
assign
(
$author
,
'author B'
);
public
function
actionInit
()
$auth
->
assign
(
$admin
,
'admin C'
);
{
$auth
=
Yii
::
$app
->
authManager
;
// add "createPost" permission
$createPost
=
$auth
->
createPermission
(
'createPost'
);
$createPost
->
description
=
'create a post'
;
$auth
->
add
(
$createPost
);
// add "readPost" permission
$readPost
=
$auth
->
createPermission
(
'readPost'
);
$readPost
->
description
=
'read a post'
;
$auth
->
add
(
$readPost
);
// add "updatePost" permission
$updatePost
=
$auth
->
createPermission
(
'updatePost'
);
$updatePost
->
description
=
'update post'
;
$auth
->
add
(
$updatePost
);
// add "reader" role and give this role the "readPost" permission
$reader
=
$auth
->
createRole
(
'reader'
);
$auth
->
add
(
$reader
);
$auth
->
addChild
(
$reader
,
$readPost
);
// add "author" role and give this role the "createPost" permission
// as well as the permissions of the "reader" role
$author
=
$auth
->
createRole
(
'author'
);
$auth
->
add
(
$author
);
$auth
->
addChild
(
$author
,
$createPost
);
$auth
->
addChild
(
$author
,
$reader
);
// add "admin" role and give this role the "updatePost" permission
// as well as the permissions of the "author" role
$admin
=
$auth
->
createRole
(
'admin'
);
$auth
->
add
(
$admin
);
$auth
->
addChild
(
$admin
,
$updatePost
);
$auth
->
addChild
(
$admin
,
$author
);
// Assign roles to users. 10, 14 and 26 are IDs returned by IdentityInterface::getId()
// usually implemented in your User model.
$auth
->
assign
(
$reader
,
10
);
$auth
->
assign
(
$author
,
14
);
$auth
->
assign
(
$admin
,
26
);
}
}
```
```
If your application allows user signup you need to assign roles to these new users once. For example, in order for all
signed up users to become authors you in advanced application template you need to modify
`common\models\User::create()`
as follows:
```
php
public
static
function
create
(
$attributes
)
{
/** @var User $user */
$user
=
new
static
();
$user
->
setAttributes
(
$attributes
);
$user
->
setPassword
(
$attributes
[
'password'
]);
$user
->
generateAuthKey
();
if
(
$user
->
save
())
{
// the following three lines were added:
$auth
=
Yii
::
$app
->
authManager
;
$adminRole
=
$auth
->
getRole
(
'author'
);
$auth
->
assign
(
$adminRole
,
$user
->
getId
());
return
$user
;
}
else
{
return
null
;
}
}
```
For applications that require complex access control with dynamically updated authorization data, special user interfaces
(i.e. admin panel) may need to be developed using APIs offered by
`authManager`
.
> Tip: By default, [[yii\rbac\PhpManager]] stores RBAC data in the file `@app/data/rbac.php`.
> Tip: By default, [[yii\rbac\PhpManager]] stores RBAC data in the file `@app/data/rbac.php`.
Sometimes when you want to make some minor changes to the RBAC data, you may directly edit this file.
Sometimes when you want to make some minor changes to the RBAC data, you may directly edit this file.
...
...
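Review bot: In the new `RbacController` example, `Yii::$app->authManager` is called inside `namespace app\commands;` while the only import is `use yii\console\Controller;`, so `Yii` resolves to `app\commands\Yii` and `actionInit()` fails as written. Add `use Yii;` next to the existing import, or write `\Yii::$app` as the guide text in the hunk header already does. In the `User::create()` example the variable `$adminRole` receives `getRole('author')`; rename it to `$authorRole` so that someone copying the snippet does not read it as granting admin rights. The text should also say that the `author` role must already exist, that is, the init command has been run, before signups reach this code. Wording in the added paragraphs: "persmissions" should be "permissions", and "you in advanced application template you need to modify" should read "in the advanced application template you need to modify".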