1. Requirement: in Yii2, decide whether the currently logged-in user may access a specific record through an API endpoint. The check is object-level (this convention, this share filter), not just "does the user hold the permission", and is built from RBAC default roles, rules and child permissions.
2. The permission scheme is designed as follows:
   1. Two roles exist in RBAC: CompanyEmployeeRole and ParticipantShareRecipientRole.
   2. Each role is bound to a rule: CompanyEmployeeRole(CompanyEmployeeRule), ParticipantShareRecipientRole(ParticipantShareRecipientRule).
   3. Four permissions exist in RBAC: ParticipantShareFilterViewPermission, ParticipantShareFilterDownloadPermission, ParticipantShareFilterOwnViewPermission, ParticipantShareFilterOwnDownloadPermission.
   4. CompanyEmployeeRole is granted ParticipantShareFilterViewPermission and ParticipantShareFilterDownloadPermission.
   5. The two "Own" permissions are each bound to a rule: ParticipantShareFilterOwnViewPermission(ParticipantShareFilterOwnViewRule), ParticipantShareFilterOwnDownloadPermission(ParticipantShareFilterOwnDownloadRule).
   6. ParticipantShareFilterViewPermission is added as a child of ParticipantShareFilterOwnViewPermission, and ParticipantShareFilterDownloadPermission as a child of ParticipantShareFilterOwnDownloadPermission. When can() is asked about the generic permission, Yii walks up to its parents, so a user who passes the "Own" permission's rule also satisfies the generic check.
   7. To let a recipient browse and download the registration list of the advanced-filter share records addressed to them, ParticipantShareRecipientRole is granted ParticipantShareFilterOwnViewPermission and ParticipantShareFilterOwnDownloadPermission.
   8. Both roles are configured as default roles, so every logged-in user holds them implicitly; the rule bound to each role (point 2) decides, per request, whether the role actually applies.
   9. The controller calls Yii::$app->user->can() with ParticipantShareFilterViewPermission or ParticipantShareFilterDownloadPermission plus the record being accessed; the two paths (company employee, or recipient with the matching flag) are resolved by the rules.
3. Add a new database migration file. The code is implemented as follows:

<?php

use common\rbac\ParticipantShareFilterOwnDownloadRule;
use common\rbac\ParticipantShareFilterOwnViewRule;
use common\rbac\ParticipantShareRecipientRule;
use yii\db\Migration;

/**
 * Class m250407_132039_init_convention_participant_share_filter_rbac
 */
class m250407_132039_init_convention_participant_share_filter_rbac extends Migration
{
    /**
     * {@inheritdoc}
     */
    public function safeUp()
    {
        $auth = Yii::$app->authManager;

        // Create the custom rules
        $participantShareRecipientRule = new ParticipantShareRecipientRule();
        $auth->add($participantShareRecipientRule);
        $participantShareFilterOwnViewRule = new ParticipantShareFilterOwnViewRule();
        $auth->add($participantShareFilterOwnViewRule);
        $participantShareFilterOwnDownloadRule = new ParticipantShareFilterOwnDownloadRule();
        $auth->add($participantShareFilterOwnDownloadRule);

        // Create the generic permissions (no rule: whoever reaches them through a role or parent permission passes)
        $participantShareFilterViewPermission = $auth->createPermission('ParticipantShareFilterViewPermission');
        $participantShareFilterViewPermission->description = 'Browse advanced filter results';
        $auth->add($participantShareFilterViewPermission);
        $participantShareFilterDownloadPermission = $auth->createPermission('ParticipantShareFilterDownloadPermission');
        $participantShareFilterDownloadPermission->description = 'Download advanced filter results';
        $auth->add($participantShareFilterDownloadPermission);

        // CompanyEmployeeRole already exists (created, with its rule, by an earlier migration); grant it both permissions
        $companyEmployeeRole = $auth->getRole('CompanyEmployeeRole');
        if ($companyEmployeeRole === null) {
            throw new \RuntimeException('CompanyEmployeeRole must exist before this migration runs');
        }
        $auth->addChild($companyEmployeeRole, $participantShareFilterViewPermission);
        $auth->addChild($companyEmployeeRole, $participantShareFilterDownloadPermission);

        // Create the recipient role and bind it to its rule
        $participantShareRecipientRole = $auth->createRole('ParticipantShareRecipientRole');
        $participantShareRecipientRole->ruleName = $participantShareRecipientRule->name;
        $auth->add($participantShareRecipientRole);

        // Create the "Own" permissions and bind each to its rule
        $participantShareFilterOwnViewPermission = $auth->createPermission('ParticipantShareFilterOwnViewPermission');
        $participantShareFilterOwnViewPermission->description = 'As a recipient, browse advanced filter results';
        $participantShareFilterOwnViewPermission->ruleName = $participantShareFilterOwnViewRule->name;
        $auth->add($participantShareFilterOwnViewPermission);
        $participantShareFilterOwnDownloadPermission = $auth->createPermission('ParticipantShareFilterOwnDownloadPermission');
        $participantShareFilterOwnDownloadPermission->description = 'As a recipient, download advanced filter results';
        $participantShareFilterOwnDownloadPermission->ruleName = $participantShareFilterOwnDownloadRule->name;
        $auth->add($participantShareFilterOwnDownloadPermission);

        // Hang the generic permissions under the rule-guarded "Own" permissions: a check for
        // ParticipantShareFilterViewPermission also succeeds when the user passes the OwnView rule
        $auth->addChild($participantShareFilterOwnViewPermission, $participantShareFilterViewPermission);
        $auth->addChild($participantShareFilterOwnDownloadPermission, $participantShareFilterDownloadPermission);

        // Allow recipients to browse and download the registration list of their own advanced-filter share records
        $auth->addChild($participantShareRecipientRole, $participantShareFilterOwnViewPermission);
        $auth->addChild($participantShareRecipientRole, $participantShareFilterOwnDownloadPermission);
    }

    /**
     * {@inheritdoc}
     */
    public function safeDown()
    {
        echo "m250407_132039_init_convention_participant_share_filter_rbac cannot be reverted.\n";

        return false;
    }

    /*
    // Use up()/down() to run migration code without a transaction.
    public function up()
    {

    }

    public function down()
    {
        echo "m250407_132039_init_convention_participant_share_filter_rbac cannot be reverted.\n";

        return false;
    }
    */
}
4. The four rule files are implemented as follows. (ParticipantShareRecipientRule, which the migration references, is not reproduced here; FormContentShareRecipientRule is the analogous rule for shared form content and follows the same pattern.) Every rule fails closed when the parameter it needs is missing, and authorizes the $user argument handed to checkAccess() rather than the logged-in user, so the same rule works when access is checked for another user ID or from a console command.

CompanyEmployeeRule.php

<?php

namespace common\rbac;

use common\models\CompanyEmployeeMapping;
use yii\rbac\Item;
use yii\rbac\Rule;

/**
 * Checks whether the user being authorized is an employee of the company that owns the convention passed in
 */
class CompanyEmployeeRule extends Rule
{
    public $name = 'isCompanyEmployee';

    /**
     * @param string|int $user the user ID being authorized
     * @param Item $item the role or permission this rule is bound to
     * @param array $params parameters passed to ManagerInterface::checkAccess()
     * @return bool whether the role or permission this rule is bound to is allowed
     */
    public function execute($user, $item, $params): bool
    {
        // Fail closed: without the convention there is nothing to authorize against
        if (!isset($params['convention'])) {
            return false;
        }

        return CompanyEmployeeMapping::find()
            ->where([
                'user_id' => $user,
                'company_id' => $params['convention']->company_id,
            ])
            ->exists();
    }
}
FormContentShareRecipientRule.php

<?php

namespace common\rbac;

use api\models\ConventionFormContentShareRecipient;
use common\models\ConventionFormContentShareRecipient as CommonConventionFormContentShareRecipient;
use yii\rbac\Item;
use yii\rbac\Rule;

/**
 * Checks whether the user being authorized is a recipient of the shared content of the given form
 */
class FormContentShareRecipientRule extends Rule
{
    public $name = 'isFormContentShareRecipient';

    /**
     * @param string|int $user the user ID being authorized
     * @param Item $item the role or permission this rule is bound to
     * @param array $params parameters passed to ManagerInterface::checkAccess()
     * @return bool whether the role or permission this rule is bound to is allowed
     */
    public function execute($user, $item, $params): bool
    {
        if (!isset($params['conventionForm'])) {
            return false;
        }

        // $user, not Yii::$app->user->id: checkAccess() may be called for a user other than the
        // logged-in one, and there is no web user component in console commands
        return ConventionFormContentShareRecipient::find()
            ->where(['form_id' => $params['conventionForm']->id])
            ->andWhere(['user_id' => $user])
            // STATUS_SUSPENDED is accepted here as well; remove it if a suspended recipient should lose access
            ->andWhere(['status' => [
                CommonConventionFormContentShareRecipient::STATUS_NORMAL,
                CommonConventionFormContentShareRecipient::STATUS_SUSPENDED,
            ]])
            ->exists();
    }
}
ParticipantShareFilterOwnDownloadRule.php

<?php

namespace common\rbac;

use api\models\ConventionParticipantShareRecipient;
use common\models\ConventionParticipantShareRecipient as CommonConventionParticipantShareRecipient;
use yii\rbac\Item;
use yii\rbac\Rule;

/**
 * Checks whether the user being authorized is a recipient of the advanced-filter share record and has the download flag
 */
class ParticipantShareFilterOwnDownloadRule extends Rule
{
    public $name = 'AllowParticipantShareFilterOwnDownload';

    /**
     * @param string|int $user the user ID being authorized
     * @param Item $item the role or permission this rule is bound to
     * @param array $params parameters passed to ManagerInterface::checkAccess()
     * @return bool whether the role or permission this rule is bound to is allowed
     */
    public function execute($user, $item, $params): bool
    {
        if (!isset($params['conventionParticipantShareFilter'])) {
            return false;
        }

        // Authorize the $user passed in, not the logged-in user (see FormContentShareRecipientRule)
        return ConventionParticipantShareRecipient::find()
            ->where(['share_filter_id' => $params['conventionParticipantShareFilter']->id])
            ->andWhere(['user_id' => $user])
            // STATUS_SUSPENDED is accepted here as well; remove it if a suspended recipient should lose access
            ->andWhere(['status' => [
                CommonConventionParticipantShareRecipient::STATUS_NORMAL,
                CommonConventionParticipantShareRecipient::STATUS_SUSPENDED,
            ]])
            ->andWhere(['download' => CommonConventionParticipantShareRecipient::DOWNLOAD_YES])
            ->exists();
    }
}
ParticipantShareFilterOwnViewRule.php

<?php

namespace common\rbac;

use api\models\ConventionParticipantShareRecipient;
use common\models\ConventionParticipantShareRecipient as CommonConventionParticipantShareRecipient;
use yii\rbac\Item;
use yii\rbac\Rule;

/**
 * Checks whether the user being authorized is a recipient of the advanced-filter share record and has the view flag
 */
class ParticipantShareFilterOwnViewRule extends Rule
{
    public $name = 'AllowParticipantShareFilterOwnView';

    /**
     * @param string|int $user the user ID being authorized
     * @param Item $item the role or permission this rule is bound to
     * @param array $params parameters passed to ManagerInterface::checkAccess()
     * @return bool whether the role or permission this rule is bound to is allowed
     */
    public function execute($user, $item, $params): bool
    {
        if (!isset($params['conventionParticipantShareFilter'])) {
            return false;
        }

        // Authorize the $user passed in, not the logged-in user (see FormContentShareRecipientRule)
        return ConventionParticipantShareRecipient::find()
            ->where(['share_filter_id' => $params['conventionParticipantShareFilter']->id])
            ->andWhere(['user_id' => $user])
            // STATUS_SUSPENDED is accepted here as well; remove it if a suspended recipient should lose access
            ->andWhere(['status' => [
                CommonConventionParticipantShareRecipient::STATUS_NORMAL,
                CommonConventionParticipantShareRecipient::STATUS_SUSPENDED,
            ]])
            ->andWhere(['view' => CommonConventionParticipantShareRecipient::VIEW_YES])
            ->exists();
    }
}
5. The final permission check is made directly in the controller action. The snippet below is the shared-form variant from the same code base; for the share-filter permissions above the call is identical except that the permission name is ParticipantShareFilterViewPermission or ParticipantShareFilterDownloadPermission and the parameters are the ones the rules read ('convention' and 'conventionParticipantShareFilter'). Every parameter a rule in the chain needs must be passed, otherwise that rule fails closed and the corresponding path is silently denied.

if (!Yii::$app->user->can('FormDownloadPermission', ['convention' => $conventionForm->convention, 'conventionForm' => $conventionForm])) {
    return [
        'code' => 14021,
        'message' => 'You do not have permission',
    ];
}
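A complete controller applying these checks to the share-filter design from sections 2 to 4, as an added example (not code from the original page or project). ConventionParticipantShareFilter, its `convention` relation and the `exportCsv()` method are assumed names; the error payload copies the page's code/message style. The parameter set is built in one place so that neither rule path can be starved of the parameter it needs:

```php
<?php
// Added example, not from the original page: REST actions guarding one share-filter record.
namespace api\controllers;

use Yii;
use yii\rest\Controller;
use yii\web\NotFoundHttpException;
use api\models\ConventionParticipantShareFilter; // assumed model name

class ParticipantShareFilterController extends Controller
{
    /**
     * The parameters every rule in the chain reads. Omitting 'convention' would silently deny
     * company employees (CompanyEmployeeRule fails closed); omitting
     * 'conventionParticipantShareFilter' would silently deny recipients.
     */
    private function authParams(ConventionParticipantShareFilter $filter): array
    {
        return [
            'convention' => $filter->convention, // assumed relation to the owning convention
            'conventionParticipantShareFilter' => $filter,
        ];
    }

    private function loadFilter($id): ConventionParticipantShareFilter
    {
        $filter = ConventionParticipantShareFilter::findOne($id);
        if ($filter === null) {
            // 404 before any authorization decision, so the response does not leak which IDs exist
            throw new NotFoundHttpException('Share filter not found');
        }
        return $filter;
    }

    // GET /participant-share-filter/view?id=7
    public function actionView($id)
    {
        $filter = $this->loadFilter($id);
        if (!Yii::$app->user->can('ParticipantShareFilterViewPermission', $this->authParams($filter))) {
            return ['code' => 14021, 'message' => 'You do not have permission'];
        }
        return ['code' => 0, 'data' => $filter->toArray()];
    }

    // GET /participant-share-filter/download?id=7
    public function actionDownload($id)
    {
        $filter = $this->loadFilter($id);
        // A recipient with only the view flag passes actionView but is denied here, because
        // ParticipantShareFilterOwnDownloadRule checks the download flag
        if (!Yii::$app->user->can('ParticipantShareFilterDownloadPermission', $this->authParams($filter))) {
            return ['code' => 14021, 'message' => 'You do not have permission'];
        }
        return Yii::$app->response->sendContentAsFile($filter->exportCsv(), 'participants.csv'); // assumed export method
    }
}
```

Note that can() is evaluated per record on every call: the User component's result cache only applies when $params is empty, so passing the record always re-runs the rules.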
6. Configure the default roles in main.php:

    'authManager' => [
        'class' => 'yii\rbac\DbManager',
        'cache' => 'cache',
        'defaultRoles' => [
            'CompanyEmployeeRole',
            'ConventionContactRole',
            'CheckinManagerRole',
            'ParticipantShareRecipientRole',
            'FormContentShareRecipientRole',
        ],
        // @see https://www.yiiframework.com/doc/guide/2.0/zh-cn/security-authorization#using-default-roles
    ],

A default role is treated as held by every user ID handed to checkAccess(), so each one must be bound to a rule that fails closed, as the rules above do when their parameter is missing. With 'cache' set, DbManager caches the item graph and rule objects but still executes the rules on every check, so the data-driven decisions stay live.
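To confirm that the graph from the migration, the rules and the default-role configuration together produce the intended decisions, here is an added example (not from the original page) that rebuilds the same RBAC graph in an in-memory yii\rbac\PhpManager and checks it without a database. The page's ActiveRecord lookups are replaced by constructed arrays, and ParticipantShareRecipientRule, which the page does not show, is assumed to mean "the user is an active recipient of the share filter passed in"; its rule name is also an assumption. It needs yiisoft/yii2 installed via Composer.

```php
<?php
// Added example, not from the original page: the migration's RBAC graph in a PhpManager.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\rbac\PhpManager;
use yii\rbac\Rule;

// Constructed rows standing in for CompanyEmployeeMapping and ConventionParticipantShareRecipient
const EMPLOYEES = [['user_id' => 1, 'company_id' => 10]];
const RECIPIENTS = [
    ['share_filter_id' => 7, 'user_id' => 2, 'status' => 'normal', 'view' => 1, 'download' => 0],
    ['share_filter_id' => 7, 'user_id' => 3, 'status' => 'normal', 'view' => 1, 'download' => 1],
    ['share_filter_id' => 7, 'user_id' => 5, 'status' => 'deleted', 'view' => 1, 'download' => 1],
];

// Active recipient row for ($user, share filter) or null. Every rule uses the $user argument
// handed to checkAccess(), never a logged-in user, so any user ID can be checked.
function recipientRow($user, array $params): ?array
{
    if (!isset($params['conventionParticipantShareFilter'])) {
        return null; // fail closed when the caller omitted the record
    }
    foreach (RECIPIENTS as $row) {
        if ($row['user_id'] == $user && $row['status'] === 'normal'
            && $row['share_filter_id'] == $params['conventionParticipantShareFilter']['id']) {
            return $row;
        }
    }
    return null;
}

class CompanyEmployeeRule extends Rule
{
    public $name = 'isCompanyEmployee';
    public function execute($user, $item, $params): bool
    {
        if (!isset($params['convention'])) {
            return false;
        }
        foreach (EMPLOYEES as $row) {
            if ($row['user_id'] == $user && $row['company_id'] == $params['convention']['company_id']) {
                return true;
            }
        }
        return false;
    }
}
class ParticipantShareRecipientRule extends Rule
{
    public $name = 'isParticipantShareRecipient'; // assumed name; the page does not show this rule
    public function execute($user, $item, $params): bool { return recipientRow($user, $params) !== null; }
}
class ParticipantShareFilterOwnViewRule extends Rule
{
    public $name = 'AllowParticipantShareFilterOwnView';
    public function execute($user, $item, $params): bool { $r = recipientRow($user, $params); return $r !== null && $r['view'] == 1; }
}
class ParticipantShareFilterOwnDownloadRule extends Rule
{
    public $name = 'AllowParticipantShareFilterOwnDownload';
    public function execute($user, $item, $params): bool { $r = recipientRow($user, $params); return $r !== null && $r['download'] == 1; }
}

// PhpManager persists to files; point it at a scratch directory. defaultRoles mirrors main.php.
$dir = sys_get_temp_dir() . '/rbac-demo-' . getmypid();
is_dir($dir) || mkdir($dir, 0700, true);
$auth = new PhpManager([
    'itemFile' => "$dir/items.php", 'assignmentFile' => "$dir/assignments.php", 'ruleFile' => "$dir/rules.php",
    'defaultRoles' => ['CompanyEmployeeRole', 'ParticipantShareRecipientRole'],
]);
foreach ([new CompanyEmployeeRule(), new ParticipantShareRecipientRule(), new ParticipantShareFilterOwnViewRule(), new ParticipantShareFilterOwnDownloadRule()] as $rule) {
    $auth->add($rule);
}

// Same graph as the migration: roles bound to rules, rule-guarded "Own" permissions, generic ones underneath
$view = $auth->createPermission('ParticipantShareFilterViewPermission');         $auth->add($view);
$download = $auth->createPermission('ParticipantShareFilterDownloadPermission'); $auth->add($download);
$employee = $auth->createRole('CompanyEmployeeRole');            $employee->ruleName = 'isCompanyEmployee';             $auth->add($employee);
$recipient = $auth->createRole('ParticipantShareRecipientRole'); $recipient->ruleName = 'isParticipantShareRecipient'; $auth->add($recipient);
$ownView = $auth->createPermission('ParticipantShareFilterOwnViewPermission');         $ownView->ruleName = 'AllowParticipantShareFilterOwnView';         $auth->add($ownView);
$ownDownload = $auth->createPermission('ParticipantShareFilterOwnDownloadPermission'); $ownDownload->ruleName = 'AllowParticipantShareFilterOwnDownload'; $auth->add($ownDownload);
$auth->addChild($employee, $view);
$auth->addChild($employee, $download);
$auth->addChild($ownView, $view);
$auth->addChild($ownDownload, $download);
$auth->addChild($recipient, $ownView);
$auth->addChild($recipient, $ownDownload);

// No assignments are created: both roles are default roles, so only their rules decide.
$params = ['convention' => ['company_id' => 10], 'conventionParticipantShareFilter' => ['id' => 7]];
$cases = [
    [1, 'ParticipantShareFilterDownloadPermission', true],  // employee of company 10
    [2, 'ParticipantShareFilterViewPermission', true],      // recipient with the view flag only
    [2, 'ParticipantShareFilterDownloadPermission', false],
    [3, 'ParticipantShareFilterDownloadPermission', true],  // recipient with the download flag
    [4, 'ParticipantShareFilterViewPermission', false],     // neither employee nor recipient
    [5, 'ParticipantShareFilterViewPermission', false],     // recipient row exists but is not active
];
foreach ($cases as [$uid, $perm, $expected]) {
    $got = $auth->checkAccess($uid, $perm, $params);
    printf("user %d %-42s %s\n", $uid, $perm, $got === $expected ? 'ok' : 'MISMATCH');
}
// The employee is denied when the caller omits the record: every rule fails closed
var_dump($auth->checkAccess(1, 'ParticipantShareFilterViewPermission', []));
```

Run it with `php rbac-demo.php`; each case prints `ok`, and the last call dumps `bool(false)`. The walk Yii performs is the one described in point 6 of section 2: a check for the generic permission climbs to its parents, and each parent either is a default role (its rule decides) or a rule-guarded "Own" permission whose own parent is the recipient default role.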
7. The final effect is as follows

The access outcomes for viewing a share link become:
   - Not a recipient and not a company employee: no browse permission
   - Recipient with the view flag, not a company employee: browse permission
   - Recipient with the download flag, not a company employee: download permission
   - Not a recipient but a company employee: browse permission (the migration above also grants CompanyEmployeeRole ParticipantShareFilterDownloadPermission, so an employee's download check passes too)
   - Recipient and company employee: browse and download permission