在 Yii2 中，需要判断当前登录用户是否具体接口访问权限（基于 RBAC、默认角色）

永夜 — Mon, 26 May 2025 02:14:40 +0000

Post Views: 195

1、当前的权限判断，是在控制器方法中实现如下



$conventionId = $this->request->post('convention_id', '');

$convention = Convention::find()->where([
	'id' => $conventionId
])->limit(1)->one();
if (!$convention) {
	return [
		'code' => 10403,
		'message' => '大会不存在！',
	];
}

$mapping = CompanyEmployeeMapping::find()->where([
	'user_id' => Yii::$app->user->id,
	'company_id' => $convention->company_id,
])->limit(1)->one();
if (!$mapping) {
	//判断是否为联络员
	$contact = ConventionContact::find()->where('convention_id = :conventionId AND (user_id = :userId OR phone = :phone)', [
		':conventionId' => $conventionId,
		':userId' => Yii::$app->user->id,
		':phone' => Yii::$app->user->identity->pure_phone_number,
	])->limit(1)->one();
	//判断是否为签到管理员
	$checkinManager = ConventionCheckinManager::find()->where('convention_id = :conventionId AND (user_id = :userId OR phone = :phone)', [
		':conventionId' => $conventionId,
		':userId' => Yii::$app->user->id,
		':phone' => Yii::$app->user->identity->pure_phone_number,
	])->limit(1)->one();
	if (!$contact && !$checkinManager) {
		return [
			'code' => 10001,
			'message' => '您没有数据权限',
		];
	}
}


SELECT * FROM `conventions` WHERE `id`='1826937119386051' LIMIT 1

SELECT * FROM `company_employee_mapping` WHERE (`user_id`='1826937119386043') AND (`company_id`='1826937119386040') LIMIT 1

SELECT * FROM `convention_contacts` WHERE convention_id = '1826937119386051' AND (user_id = '1826937119386043' OR phone = '13980074657') LIMIT 1

SELECT * FROM `convention_checkin_managers` WHERE convention_id = '1826937119386051' AND (user_id = '1826937119386043' OR phone = '13980074657') LIMIT 1

2、计划基于 RBAC 实现，避免在每个控制器方法中重复复制（即使提炼出一个公共的方法，也不够灵活）

3、创建自定义规则类在 common/rbac/ 目录下创建以下规则类：

CompanyEmployeeRule.php

where([
                'user_id' => $user,
                'company_id' => $params['convention']->company_id,
            ])
            ->exists();
    }
}

ConventionContactRule.php

where([
                'convention_id' => $params['convention']->id,
                'user_id' => $user,
                'phone' => $userModel->pure_phone_number,
            ])->exists();
    }
}

CheckinManagerRule.php

where([
                'convention_id' => $params['convention']->id,
                'user_id' => $user,
                'phone' => $userModel->pure_phone_number,
            ])->exists();
    }
}

4、所谓默认角色就是隐式地指派给所有用户的角色。不需要调用 yii\rbac\ManagerInterface::assign() 方法做显示指派，并且授权数据中不包含指派信息。使用 ./yii migrate/create init_convention_rbac 创建新迁移，然后实现创建层次结构

authManager;
 
        // 清除所有现有RBAC数据
        $auth->removeAll();
         
        // 创建自定义规则
        $companyEmployeeRule = new CompanyEmployeeRule();
        $auth->add($companyEmployeeRule);
 
        $conventionContactRule = new ConventionContactRule();
        $auth->add($conventionContactRule);
 
        $checkinManagerRule = new CheckinManagerRule();
        $auth->add($checkinManagerRule);
 
        // 创建权限
        $accessConvention = $auth->createPermission('accessConvention');
        $accessConvention->description = '访问大会数据权限';
        $auth->add($accessConvention);
 
        // 创建角色并分配规则
        $companyEmployee = $auth->createRole('companyEmployee');
        $companyEmployee->ruleName = $companyEmployeeRule->name;
        $auth->add($companyEmployee);
        $auth->addChild($companyEmployee, $accessConvention);
 
        $conventionContact = $auth->createRole('conventionContact');
        $conventionContact->ruleName = $conventionContactRule->name;
        $auth->add($conventionContact);
        $auth->addChild($conventionContact, $accessConvention);
 
        $checkinManager = $auth->createRole('checkinManager');
        $checkinManager->ruleName = $checkinManagerRule->name;
        $auth->add($checkinManager);
        $auth->addChild($checkinManager, $accessConvention);
    }
 
    /**
     * {@inheritdoc}
     */
    public function safeDown()
    {
        echo "m250331_034538_init_convention_rbac cannot be reverted.\n";
 
        return false;
    }
 
    /*
    // Use up()/down() to run migration code without a transaction.
    public function up()
    {
 
    }
 
    public function down()
    {
        echo "m250331_034538_init_convention_rbac cannot be reverted.\n";
 
        return false;
    }
    */
}

5、现在角色有 3 个：companyEmployee、conventionContact、checkinManager，皆具有权限 accessConvention。且检查一个用户是否满足角色的规则已经定义完成。

6、下一步不计划手动指定用户的角色，而是基于默认角色，自动指定。参考：使用默认角色 https://www.yiiframework.com/doc/guide/2.0/zh-cn/security-authorization#using-default-roles 在配置 authManager 时指定 yii\rbac\BaseManager::$defaultRoles 选项。如图1

图1


return [
    // ...
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            // 'cache' => 'cache',
            'defaultRoles' => ['companyEmployee', 'conventionContact', 'checkinManager'],
        ],
        // ...
    ],
];

7、检查当前用户是否具有 accessConvention 权限。确认检查通过，具有 accessConvention 权限。通过 ‘can()’ 方法会检查角色和权限。用户拥有角色或其继承角色，符合预期。如图2

图2


        if (Yii::$app->user->can('accessConvention', ['convention' => $convention])) {
            $roles = Yii::$app->authManager->getRolesByUser(Yii::$app->user->id);
            print_r($roles);
        }
        if (Yii::$app->user->can('companyEmployee', ['convention' => $convention])) {  // 'can()' 方法会检查角色和权限
            echo '用户拥有 \'companyEmployee\' 角色或其继承角色';
        }
        if (Yii::$app->user->can('conventionContact', ['convention' => $convention])) {  // 'can()' 方法会检查角色和权限
            echo '用户拥有 \'conventionContact\' 角色或其继承角色';
        }
        if (Yii::$app->user->can('checkinManager', ['convention' => $convention])) {  // 'can()' 方法会检查角色和权限
            echo '用户拥有 \'checkinManager\' 角色或其继承角色';
        }


SELECT * FROM `auth_assignment` WHERE `user_id`='1826937119386043'

SELECT * FROM `auth_item` WHERE `name`='accessConvention'

SELECT `parent` FROM `auth_item_child` WHERE `child`='accessConvention'

SELECT * FROM `auth_item` WHERE `name`='checkinManager'

SELECT `data` FROM `auth_rule` WHERE `name`='isCheckinManager'

SELECT * FROM `users` WHERE `id`='1826937119386043'

SELECT EXISTS(SELECT * FROM `convention_checkin_managers` WHERE (`convention_id`='1826937119386051') AND (`user_id`='1826937119386043') AND (`phone`='13980074657'))

SELECT * FROM `auth_item` WHERE `name`='companyEmployee'

SELECT `data` FROM `auth_rule` WHERE `name`='isCompanyEmployee'

SELECT EXISTS(SELECT * FROM `company_employee_mapping` WHERE (`user_id`='1826937119386043') AND (`company_id`='1826937119386040'))

SELECT `b`.* FROM `auth_assignment` `a`, `auth_item` `b` WHERE (`a`.`item_name`=`b`.`name`) AND (`a`.`user_id`='1826937119386043') AND (`b`.`type`=1)

8、检查当前用户是否具有 accessConvention 权限。确认检查不通过，无任何输出。不具有 accessConvention 权限。通过 ‘can()’ 方法会检查角色和权限。用户拥有角色或其继承角色，符合预期。如图3

图3


SELECT * FROM `auth_assignment` WHERE `user_id`='1827082629726231'

SELECT * FROM `users` WHERE `id`='1827082629726231'

SELECT EXISTS(SELECT * FROM `convention_checkin_managers` WHERE (`convention_id`='1826937119386051') AND (`user_id`='1827082629726231') AND (`phone`='15609979522'))

SELECT EXISTS(SELECT * FROM `company_employee_mapping` WHERE (`user_id`='1827082629726231') AND (`company_id`='1826937119386040'))

SELECT * FROM `users` WHERE `id`='1827082629726231'

SELECT EXISTS(SELECT * FROM `convention_contacts` WHERE (`convention_id`='1826937119386051') AND (`user_id`='1827082629726231') AND (`phone`='15609979522'))

SELECT EXISTS(SELECT * FROM `company_employee_mapping` WHERE (`user_id`='1827082629726231') AND (`company_id`='1826937119386040'))

SELECT * FROM `users` WHERE `id`='1827082629726231'

SELECT EXISTS(SELECT * FROM `convention_contacts` WHERE (`convention_id`='1826937119386051') AND (`user_id`='1827082629726231') AND (`phone`='15609979522'))

SELECT * FROM `users` WHERE `id`='1827082629726231'

SELECT EXISTS(SELECT * FROM `convention_checkin_managers` WHERE (`convention_id`='1826937119386051') AND (`user_id`='1827082629726231') AND (`phone`='15609979522'))

BaseManager::$defaultRoles – 永夜

在 Yii2 中，需要判断当前登录用户是否具体接口访问权限（基于 RBAC、默认角色）