在 Yii2 中,需要判断当前登录用户是否具有接口具体数据访问权限(基于 RBAC、默认角色、子权限)
1、参考:在 Yii2 中,需要判断当前登录用户是否具体接口访问权限(基于 RBAC、默认角色)
2、权限机制设计如下:
1、现在 RBAC 中有 2 个角色: companyEmployeeRole participantShareRecipientRole 1 2、每一个角色分别绑定了一个规则: companyEmployeeRole(CompanyEmployeeRule) participantShareRecipientRole(ParticipantShareRecipientRule) 1 3、现在 RBAC 中有 4 个权限: participantShareFilterViewPermission participantShareFilterDownloadPermission participantShareFilterOwnViewPermission participantShareFilterOwnDownloadPermission 1 4、角色 companyEmployeeRole 赋予了权限: participantShareFilterViewPermission participantShareFilterDownloadPermission 1 5、2 个权限分别绑定了一个规则: participantShareFilterOwnViewPermission(ParticipantShareFilterOwnViewRule) participantShareFilterOwnDownloadPermission(ParticipantShareFilterOwnDownloadRule) 1 6、"participantShareFilterOwnViewPermission" 权限将由 "participantShareFilterViewPermission" 权限使用、"participantShareFilterOwnDownloadPermission" 权限将由 "participantShareFilterDownloadPermission" 权限使用 1 7、允许 接收者 浏览、下载 自己的高级筛选的分享记录的报名列表 角色 participantShareRecipientRole 赋予了权限: participantShareFilterOwnViewPermission 1 角色 participantShareRecipientRole 赋予了权限: participantShareFilterOwnDownloadPermission 1 8、基于 第 2 点角色绑定的规则,自动分配 2 个角色至当前的登录用户 1 9、使用 can 方法检查用户的 participantShareFilterViewPermission participantShareFilterDownloadPermission 权限
3、新增加一个数据库迁移文件,代码实现如下
<?php
use common\rbac\ParticipantShareFilterOwnDownloadRule;
use common\rbac\ParticipantShareFilterOwnViewRule;
use common\rbac\ParticipantShareRecipientRule;
use yii\db\Migration;
/**
* Class m250407_132039_init_convention_participant_share_filter_rbac
*/
class m250407_132039_init_convention_participant_share_filter_rbac extends Migration
{
/**
* {@inheritdoc}
*/
public function safeUp()
{
$auth = Yii::$app->authManager;
// 创建自定义规则
$participantShareRecipientRule = new ParticipantShareRecipientRule();
$auth->add($participantShareRecipientRule);
$participantShareFilterOwnViewRule = new ParticipantShareFilterOwnViewRule();
$auth->add($participantShareFilterOwnViewRule);
$participantShareFilterOwnDownloadRule = new ParticipantShareFilterOwnDownloadRule();
$auth->add($participantShareFilterOwnDownloadRule);
// 创建权限
$participantShareFilterViewPermission = $auth->createPermission('participantShareFilterViewPermission');
$participantShareFilterViewPermission->description = '高级筛选结果的浏览权限';
$auth->add($participantShareFilterViewPermission);
$participantShareFilterDownloadPermission = $auth->createPermission('participantShareFilterDownloadPermission');
$participantShareFilterDownloadPermission->description = '高级筛选结果的下载权限';
$auth->add($participantShareFilterDownloadPermission);
// 创建角色并分配规则、赋予权限
$companyEmployeeRole = $auth->getRole('companyEmployeeRole');
$auth->addChild($companyEmployeeRole, $participantShareFilterViewPermission);
$auth->addChild($companyEmployeeRole, $participantShareFilterDownloadPermission);
$participantShareRecipientRole = $auth->createRole('participantShareRecipientRole');
$participantShareRecipientRole->ruleName = $participantShareRecipientRule->name;
$auth->add($participantShareRecipientRole);
// 添加 "participantShareFilterOwnViewPermission"、"participantShareFilterOwnDownloadPermission" 权限并与规则关联
$participantShareFilterOwnViewPermission = $auth->createPermission('participantShareFilterOwnViewPermission');
$participantShareFilterOwnViewPermission->description = '做为接收者,高级筛选结果的浏览权限';
$participantShareFilterOwnViewPermission->ruleName = $participantShareFilterOwnViewRule->name;
$auth->add($participantShareFilterOwnViewPermission);
$participantShareFilterOwnDownloadPermission = $auth->createPermission('participantShareFilterOwnDownloadPermission');
$participantShareFilterOwnDownloadPermission->description = '做为接收者,高级筛选结果的下载权限';
$participantShareFilterOwnDownloadPermission->ruleName = $participantShareFilterOwnDownloadRule->name;
$auth->add($participantShareFilterOwnDownloadPermission);
// "participantShareFilterOwnViewPermission" 权限将由 "participantShareFilterViewPermission" 权限使用
$auth->addChild($participantShareFilterOwnViewPermission, $participantShareFilterViewPermission);
// "participantShareFilterOwnDownloadPermission" 权限将由 "participantShareFilterDownloadPermission" 权限使用
$auth->addChild($participantShareFilterOwnDownloadPermission, $participantShareFilterDownloadPermission);
// 允许 接收者 浏览、下载 自己的高级筛选的分享记录的报名列表
$auth->addChild($participantShareRecipientRole, $participantShareFilterOwnViewPermission);
$auth->addChild($participantShareRecipientRole, $participantShareFilterOwnDownloadPermission);
}
/**
* {@inheritdoc}
*/
public function safeDown()
{
echo "m250407_132039_init_convention_participant_share_filter_rbac cannot be reverted.\n";
return false;
}
/*
// Use up()/down() to run migration code without a transaction.
public function up()
{
}
public function down()
{
echo "m250407_132039_init_convention_participant_share_filter_rbac cannot be reverted.\n";
return false;
}
*/
}
4、4 个规则文件实现如下
CompanyEmployeeRule.php
<?php
namespace common\rbac;
use yii\rbac\Item;
use yii\rbac\Rule;
use common\models\CompanyEmployeeMapping;
/**
* 检查 user_id 是否和通过参数传进来的 user 参数相符
*/
class CompanyEmployeeRule extends Rule
{
public $name = 'isCompanyEmployee';
/**
* @param string|integer $userId 用户 ID.
* @param Item $item 该规则相关的角色或者权限
* @param array $params 传给 ManagerInterface::checkAccess() 的参数
* @return boolean 代表该规则相关的角色或者权限是否被允许
*/
public function execute($userId, $item, $params): bool
{
if (!isset($params['convention'])) {
return false;
}
return CompanyEmployeeMapping::find()
->where([
'user_id' => $userId,
'company_id' => $params['convention']->company_id,
])
->exists();
}
}
FormContentShareRecipientRule.php
<?php
namespace common\rbac;
use api\models\ConventionFormContentShareRecipient;
use common\models\ConventionFormContentShareRecipient as CommonConventionFormContentShareRecipient;
use Yii;
use yii\rbac\Item;
use yii\rbac\Rule;
/**
* 检查当前登录用户是否为信息表单的分享内容的接收者
*/
class FormContentShareRecipientRule extends Rule
{
public $name = 'isFormContentShareRecipient';
/**
* @param string|integer $userId 用户 ID.
* @param Item $item 该规则相关的角色或者权限
* @param array $params 传给 ManagerInterface::checkAccess() 的参数
* @return boolean 代表该规则相关的角色或者权限是否被允许
*/
public function execute($userId, $item, $params): bool
{
if (!isset($params['conventionForm'])) {
return false;
}
return ConventionFormContentShareRecipient::find()
->where([
'form_id' => $params['conventionForm']->id
])
->andWhere(['user_id' => Yii::$app->user->id])
->andWhere(['status' => [CommonConventionFormContentShareRecipient::STATUS_NORMAL, CommonConventionFormContentShareRecipient::STATUS_SUSPENDED]])
->exists();
}
}
ParticipantShareFilterOwnDownloadRule.php
<?php
namespace common\rbac;
use api\models\ConventionParticipantShareRecipient;
use common\models\ConventionParticipantShareRecipient as CommonConventionParticipantShareRecipient;
use Yii;
use yii\rbac\Item;
use yii\rbac\Rule;
/**
* 检查当前登录用户是否为高级筛选的分享记录的接收者,且具有下载权限
*/
class ParticipantShareFilterOwnDownloadRule extends Rule
{
public $name = 'allowParticipantShareFilterOwnDownload';
/**
* @param string|integer $userId 用户 ID.
* @param Item $item 该规则相关的角色或者权限
* @param array $params 传给 ManagerInterface::checkAccess() 的参数
* @return boolean 代表该规则相关的角色或者权限是否被允许
*/
public function execute($userId, $item, $params): bool
{
if (!isset($params['conventionParticipantShareFilter'])) {
return false;
}
return ConventionParticipantShareRecipient::find()
->where([
'share_filter_id' => $params['conventionParticipantShareFilter']->id
])
->andWhere(['user_id' => Yii::$app->user->id])
->andWhere(['status' => [CommonConventionParticipantShareRecipient::STATUS_NORMAL, CommonConventionParticipantShareRecipient::STATUS_SUSPENDED]])
->andWhere(['download' => CommonConventionParticipantShareRecipient::DOWNLOAD_YES])
->exists();
}
}
ParticipantShareFilterOwnViewRule.php
<?php
namespace common\rbac;
use api\models\ConventionParticipantShareRecipient;
use common\models\ConventionParticipantShareRecipient as CommonConventionParticipantShareRecipient;
use Yii;
use yii\rbac\Item;
use yii\rbac\Rule;
/**
* 检查当前登录用户是否为高级筛选的分享记录的接收者,且具有浏览权限
*/
class ParticipantShareFilterOwnViewRule extends Rule
{
public $name = 'allowParticipantShareFilterOwnView';
/**
* @param string|integer $userId 用户 ID.
* @param Item $item 该规则相关的角色或者权限
* @param array $params 传给 ManagerInterface::checkAccess() 的参数
* @return boolean 代表该规则相关的角色或者权限是否被允许
*/
public function execute($userId, $item, $params): bool
{
if (!isset($params['conventionParticipantShareFilter'])) {
return false;
}
return ConventionParticipantShareRecipient::find()
->where([
'share_filter_id' => $params['conventionParticipantShareFilter']->id
])
->andWhere(['user_id' => Yii::$app->user->id])
->andWhere(['status' => [CommonConventionParticipantShareRecipient::STATUS_NORMAL, CommonConventionParticipantShareRecipient::STATUS_SUSPENDED]])
->andWhere(['view' => CommonConventionParticipantShareRecipient::VIEW_YES])
->exists();
}
}
5、最终检查权限的实现如下,直接在控制器的方法实现
if (!Yii::$app->user->can('formDownloadPermission', ['convention' => $conventionForm->convention, 'conventionForm' => $conventionForm])) {
return [
'code' => 14021,
'message' => '你没有权限',
];
}
6、在 main.php 中配置默认角色
'authManager' => [
'class' => 'yii\rbac\DbManager',
'cache' => 'cache',
'defaultRoles' => ['companyEmployeeRole', 'conventionContactRole', 'checkinManagerRole', 'participantShareRecipientRole', 'formContentShareRecipientRole'], // @see <a href="https://www.yiiframework.com/doc/guide/2.0/zh-cn/security-authorization#using-default-roles">使用默认角色</a>
],
7、最终实现的效果如下
查看分享链接的权限调整如下: 不是接收者 且 不是企业员工 无浏览下载权限 是接收者且具有浏览权限 且 不是企业员工 有浏览权限 是接收者且具有下载权限 且 不是企业员工 有下载权限 不是接收者 且 是企业员工 有浏览下载权限 是接收者 且 是企业员工 有浏览下载权限
