In Yii2, determine whether the currently logged-in user is allowed to call a specific API endpoint, using RBAC with default roles.
1. The current permission check is implemented inside the controller action as follows:
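// Resolve the conference from the request. The id is bound as a query
// parameter by the hash condition, so it is never interpolated into SQL.
$conventionId = $this->request->post('convention_id');
$convention = Convention::find()->where([
    'id' => $conventionId,
])->limit(1)->one();
if (!$convention) {
    return [
        'code' => 10403,
        'message' => 'The conference does not exist!',
    ];
}

// Read the caller's identity once. This action is assumed to run behind an
// authentication filter, so `identity` is expected to be non-null here.
$userId = Yii::$app->user->id;
$phone = Yii::$app->user->identity->pure_phone_number;

// An employee of the company that owns the conference always has access.
$mapping = CompanyEmployeeMapping::find()->where([
    'user_id' => $userId,
    'company_id' => $convention->company_id,
])->limit(1)->one();
if (!$mapping) {
    // Otherwise the caller must be a liaison (contact) or a check-in
    // administrator of this conference, matched by account id or phone.
    // Array conditions replace the string SQL, whose named placeholders
    // (`:conventionid` vs `:conventionId`) are case-sensitive and easy to
    // mismatch. An empty phone is left out of the condition because Yii
    // renders `['phone' => null]` as `phone IS NULL`, which would match
    // unrelated rows instead of matching nothing.
    $identity = ['user_id' => $userId];
    if ($phone !== null && $phone !== '') {
        $identity = ['or', $identity, ['phone' => $phone]];
    }
    $contact = ConventionContact::find()
        ->where(['convention_id' => $conventionId])
        ->andWhere($identity)
        ->limit(1)
        ->one();
    $checkinManager = ConventionCheckinManager::find()
        ->where(['convention_id' => $conventionId])
        ->andWhere($identity)
        ->limit(1)
        ->one();
    if (!$contact && !$checkinManager) {
        return [
            'code' => 10001,
            'message' => 'you do not have data permissions',
        ];
    }
}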
select * from `conventions` where `id` = 1826937119386051 limit 1
select * from `company_employee_mapping` where (`user_id` = 1826937119386043) and (`company_id` = 1826937119386040) limit 1
select * from `convention_contacts` where convention_id = 1826937119386051 and (user_id = 1826937119386043 or phone = 13980074657) limit 1
select * from `convention_checkin_managers` where convention_id = 1826937119386051 and (user_id = 1826937119386043 or phone = 13980074657) limit 1
2. The plan is to implement this with RBAC, so that the same check is not duplicated in every controller action (even extracting it into a shared method is not flexible enough).
3. Create custom rule classes. Create the following rule classes in the common/rbac/ directory:
CompanyEmployeeRule.php
<?php
namespace common\rbac;
use yii\rbac\item;
use yii\rbac\rule;
use common\models\companyemployemapping;
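/**
 * RBAC rule: the checked user is an employee of the company that owns the
 * conference passed as `$params['convention']`.
 */
class CompanyEmployeeRule extends Rule
{
    public $name = 'isCompanyEmployee';

    /**
     * @param string|int|null $user the user ID; null when the caller is a guest
     * @param Item $item the role or permission this rule is attached to
     * @param array $params parameters passed to ManagerInterface::checkAccess();
     *                      `convention` is expected to be a Convention model
     *                      exposing `company_id`
     * @return bool whether the role or permission is allowed for this user
     */
    public function execute($user, $item, $params): bool
    {
        // Deny guests explicitly: a null user id would otherwise be rendered
        // as `user_id IS NULL` and could match rows that have no user.
        if ($user === null || $user === '') {
            return false;
        }
        // No conference context (or one without a company) means no access.
        if (!isset($params['convention']->company_id)) {
            return false;
        }
        return CompanyEmployeeMapping::find()
            ->where([
                'user_id' => $user,
                'company_id' => $params['convention']->company_id,
            ])
            ->exists();
    }
}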
ConventionContactRule.php
<?php
namespace common\rbac;
use common\models\user;
use yii\rbac\item;
use yii\rbac\rule;
use common\models\conventioncontact;
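/**
 * RBAC rule: the checked user is a registered liaison (contact) of the
 * conference passed as `$params['convention']`.
 */
class ConventionContactRule extends Rule
{
    public $name = 'isConventionContact';

    /**
     * @param string|int|null $user the user ID; null when the caller is a guest
     * @param Item $item the role or permission this rule is attached to
     * @param array $params parameters passed to ManagerInterface::checkAccess();
     *                      `convention` is expected to be a Convention model
     *                      exposing `id`
     * @return bool whether the role or permission is allowed for this user
     */
    public function execute($user, $item, $params): bool
    {
        // Deny guests explicitly: a null user id would otherwise be rendered
        // as `user_id IS NULL` and could match rows that have no user.
        if ($user === null || $user === '') {
            return false;
        }
        if (!isset($params['convention']->id)) {
            return false;
        }
        $userModel = User::findOne($user);
        if ($userModel === null) {
            return false;
        }
        // NOTE(review): the controller check this rule replaces matched a
        // contact by user id OR phone; the hash condition below requires
        // both to match, which is stricter. Confirm which is intended.
        return ConventionContact::find()
            ->where([
                'convention_id' => $params['convention']->id,
                'user_id' => $user,
                'phone' => $userModel->pure_phone_number,
            ])
            ->exists();
    }
}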
CheckinManagerRule.php
<?php
namespace common\rbac;
use common\models\user;
use yii\rbac\item;
use yii\rbac\rule;
use common\models\conventioncheckinmanager;
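/**
 * RBAC rule: the checked user is a check-in administrator of the conference
 * passed as `$params['convention']`.
 */
class CheckinManagerRule extends Rule
{
    // Must differ from the other rules' names: rule names are the primary key
    // of the auth_rule table and are what a role's ruleName points at.
    public $name = 'isCheckinManager';

    /**
     * @param string|int|null $user the user ID; null when the caller is a guest
     * @param Item $item the role or permission this rule is attached to
     * @param array $params parameters passed to ManagerInterface::checkAccess();
     *                      `convention` is expected to be a Convention model
     *                      exposing `id`
     * @return bool whether the role or permission is allowed for this user
     */
    public function execute($user, $item, $params): bool
    {
        // Deny guests explicitly: a null user id would otherwise be rendered
        // as `user_id IS NULL` and could match rows that have no user.
        if ($user === null || $user === '') {
            return false;
        }
        if (!isset($params['convention']->id)) {
            return false;
        }
        $userModel = User::findOne($user);
        if ($userModel === null) {
            return false;
        }
        // NOTE(review): the controller check this rule replaces matched an
        // administrator by user id OR phone; the hash condition below
        // requires both to match, which is stricter. Confirm which is intended.
        return ConventionCheckinManager::find()
            ->where([
                'convention_id' => $params['convention']->id,
                'user_id' => $user,
                'phone' => $userModel->pure_phone_number,
            ])
            ->exists();
    }
}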
4. A so-called default role is a role that is implicitly assigned to every user. There is no need to call yii\rbac\ManagerInterface::assign() to assign it explicitly, and the authorization data contains no assignment records for it. Create a new migration with ./yii migrate/create init_convention_rbac and then implement the creation of the hierarchy:
<?php
use yii\db\migration;
use common\rbac\companyemployeerule;
use common\rbac\conventioncontactRule;
use common\rbac\checkinmanagerrule;
use yii\base\exception;
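/**
 * Class m250331_034538_init_convention_rbac
 *
 * Builds the conference RBAC hierarchy: three rule-guarded roles
 * (CompanyEmployee, ConventionContact, CheckinManager) that all inherit the
 * `accessConvention` permission. The roles are meant to be listed in the
 * authManager `defaultRoles` option, so no assignments are created here.
 */
class m250331_034538_init_convention_rbac extends Migration
{
    /**
     * {@inheritdoc}
     *
     * @throws Exception
     */
    public function safeUp()
    {
        $auth = Yii::$app->authManager;

        // NOTE: removeAll() wipes every existing role, permission, rule and
        // assignment, not only the ones created below. Fine for a fresh
        // install; on a database that already holds RBAC data, drop this call.
        $auth->removeAll();

        // Rules: a role is granted only while its rule's execute() returns true.
        $companyEmployeeRule = new CompanyEmployeeRule();
        $auth->add($companyEmployeeRule);
        $conventionContactRule = new ConventionContactRule();
        $auth->add($conventionContactRule);
        $checkinManagerRule = new CheckinManagerRule();
        $auth->add($checkinManagerRule);

        // Permission shared by all three roles.
        $accessConvention = $auth->createPermission('accessConvention');
        $accessConvention->description = 'Access to conference data permissions';
        $auth->add($accessConvention);

        // Roles, each bound to its rule and granted the permission.
        $this->addRuledRole($auth, 'CompanyEmployee', $companyEmployeeRule, $accessConvention);
        $this->addRuledRole($auth, 'ConventionContact', $conventionContactRule, $accessConvention);
        $this->addRuledRole($auth, 'CheckinManager', $checkinManagerRule, $accessConvention);
    }

    /**
     * {@inheritdoc}
     */
    public function safeDown()
    {
        // removeAll() in safeUp() discarded whatever existed before, so the
        // previous state cannot be restored.
        echo "m250331_034538_init_convention_rbac cannot be reverted.\n";
        return false;
    }

    /**
     * Creates a role bound to `$rule` and grants it `$permission`.
     *
     * @param \yii\rbac\ManagerInterface $auth
     * @param string $name role name, exactly as listed in `defaultRoles`
     * @param \yii\rbac\Rule $rule rule whose execute() gates the role
     * @param \yii\rbac\Permission $permission permission the role inherits
     */
    private function addRuledRole(
        \yii\rbac\ManagerInterface $auth,
        string $name,
        \yii\rbac\Rule $rule,
        \yii\rbac\Permission $permission
    ): void {
        $role = $auth->createRole($name);
        $role->ruleName = $rule->name;
        $auth->add($role);
        $auth->addChild($role, $permission);
    }
}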
5. There are now three roles — CompanyEmployee, ConventionContact and CheckinManager — all of which hold the accessConvention permission, and the rule that decides whether a user satisfies each role has been defined.
6. The next step is not to assign the user's role manually but to assign it automatically through default roles. Reference: Using default roles, https://www.yiiframework.com/doc/guide/2.0/en/security-authorization#using-default-roles. Specify the yii\rbac\BaseManager::$defaultRoles option when configuring authManager, as shown in Figure 1:
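return [
    // ...
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            //'cache' => 'cache',
            // Roles every user implicitly holds. Each one is still gated by the
            // rule bound to it in the migration, so listing a role here grants
            // nothing by itself. Names must match createRole() exactly.
            'defaultRoles' => ['CompanyEmployee', 'ConventionContact', 'CheckinManager'],
        ],
        // ...
    ],
];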
7. Check whether the current user has the accessConvention permission. The check passes: the user has the accessConvention permission. can() checks both roles and permissions; the user holds a role, or a role it inherits, as expected. As shown in Figure 2:
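// can() resolves the permission through the default roles, and every role's
// rule receives the same $params, so the conference must be passed each time.
if (Yii::$app->user->can('accessConvention', ['convention' => $convention])) {
    // NOTE(review): getRolesByUser() appears to list the default roles without
    // evaluating their rules, so this output does not show which role actually
    // granted access; the per-role can() checks below do.
    $roles = Yii::$app->authManager->getRolesByUser(Yii::$app->user->id);
    print_r($roles);
}
// can() accepts a role name as well; a role check passes when the user holds
// the role (here: its rule returns true) or a role that inherits it.
if (Yii::$app->user->can('CompanyEmployee', ['convention' => $convention])) {
    echo 'user owns "CompanyEmployee" role or its inherited role';
}
if (Yii::$app->user->can('ConventionContact', ['convention' => $convention])) {
    echo 'user owns "ConventionContact" role or its inherited role';
}
if (Yii::$app->user->can('CheckinManager', ['convention' => $convention])) {
    echo 'user owns "CheckinManager" role or its inherited role';
}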
select * from `auth_assignment` where `user_id` = 1826937119386043
select * from `auth_item` where `name` = 'accessConvention'
select `parent` from `auth_item_child` where `child` = 'accessConvention'
select * from `auth_item` where `name` = 'CheckinManager'
select `data` from `auth_rule` where `name` = 'isCheckinManager'
select * from `users` where `id` = 1826937119386043
select exists(select * from `convention_checkin_managers` where (`convention_id` = 1826937119386051) and (`user_id` = 1826937119386043) and (`phone` = 13980074657))
select * from `auth_item` where `name` = 'CompanyEmployee'
select `data` from `auth_rule` where `name` = 'isCompanyEmployee'
select exists(select * from `company_employee_mapping` where (`user_id` = 1826937119386043) and (`company_id` = 1826937119386040))
select `b`.* from `auth_assignment` `a`, `auth_item` `b` where (`a`.`item_name` = `b`.`name`) and (`a`.`user_id` = 1826937119386043) and (`b`.`type` = 1)
8. Check whether the current user has the accessConvention permission. The check does not pass and nothing is printed: the user does not have the accessConvention permission. can() checks both roles and permissions; none of the user's roles, or roles they inherit, matched, as expected. As shown in Figure 3:
select * from `auth_assignment` where `user_id` = 1827082629726231
select * from `users` where `id` = 1827082629726231
select exists(select * from `convention_checkin_managers` where (`convention_id` = 1826937119386051) and (`user_id` = 1827082629726231) and (`phone` = 15609979522))
select exists(select * from `company_employee_mapping` where (`user_id` = 1827082629726231) and (`company_id` = 1826937119386040))
select * from `users` where `id` = 1827082629726231
select exists(select * from `convention_contacts` where (`convention_id` = 1826937119386051) and (`user_id` = 1827082629726231) and (`phone` = 15609979522))
select exists(select * from `company_employee_mapping` where (`user_id` = 1827082629726231) and (`company_id` = 1826937119386040))
select * from `users` where `id` = 1827082629726231
select exists(select * from `convention_contacts` where (`convention_id` = 1826937119386051) and (`user_id` = 1827082629726231) and (`phone` = 15609979522))
select * from `users` where `id` = 1827082629726231
select exists(select * from `convention_checkin_managers` where (`convention_id` = 1826937119386051) and (`user_id` = 1827082629726231) and (`phone` = 15609979522))


