在使用SRBAC的过程中发现,SRBAC的确是一个很好的角色权限检查方案,但是SRBAC无法控制基于内容的权限判断。比如说我想实现只有角色为编辑同时文章为自己创建的时候才能修改它,但是SRBAC只能检查用户是不是编辑,无法检查文章是不是用户创建的。因为基于类容的角色判断一般是通过bizrule来实现的比如:
$auth=Yii::app()->authManager; $auth->createOperation('createPost','create a post'); $auth->createOperation('readPost','read a post'); $auth->createOperation('updatePost','update a post'); $auth->createOperation('deletePost','delete a post'); $bizRule='return Yii::app()->user->id==$params["post"]->authID;'; $task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule); $task->addChild('updatePost'); $role=$auth->createRole('reader'); $role->addChild('readPost'); $role=$auth->createRole('author'); $role->addChild('reader'); $role->addChild('createPost'); $role->addChild('updateOwnPost'); $role=$auth->createRole('editor'); $role->addChild('reader'); $role->addChild('updatePost'); $role=$auth->createRole('admin'); $role->addChild('editor'); $role->addChild('author'); $role->addChild('deletePost'); $auth->assign('reader','readerA'); $auth->assign('author','authorB'); $auth->assign('editor','editorC'); $auth->assign('admin','adminD');
上面的update a post by author himself就是只有作者才能更改的意思,然后通过传参数的方式来检查权限:
$params=array('post'=>$post);if(Yii::app()->user->checkAccess('updateOwnPost',$params)){ // update post}
然而SRBAC的SBaseController并不传参数,SBaseController重载了beforeAction来检查权限,但是beforeAction并不接受参数:
protected function beforeAction($action) { $del = Helper::findModule('srbac')->delimeter; //srbac access $mod = $this->module !== null ? $this->module->id . $del : ""; $contrArr = explode($del, $this->id); $contrArr[sizeof($contrArr) - 1] = ucfirst($contrArr[sizeof($contrArr) - 1]); $controller = implode(".", $contrArr); $contr = str_replace($del, ".", $this->id); $access = $mod . $controller . ucfirst($this->action->id); //Always allow access if $access is in the allowedAccess array if (in_array($access, $this->allowedAccess())) { return true; } //Allow access if srbac is not installed yet if (!Yii::app()->getModule('srbac')->isInstalled()) { return true; } //Allow access when srbac is in debug mode if (Yii::app()->getModule('srbac')->debug) { return true; } // Check for srbac access if (!Yii::app()->user->checkAccess($access) || Yii::app()->user->isGuest) { $this->onUnauthorizedAccess(); } else { return true; } }