btaens/cakephp-hier-auth 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

btaens/cakephp-hier-auth

Composer 安装命令:

composer require btaens/cakephp-hier-auth

包简介

A CakePHP plugin for hierarchical, role based, simple authorization.

README 文档

README

Latest Stable Version Build Status Coverage Status Scrutinizer Code Quality Total Downloads License

HierAuth is a simple, hierarchical ACL authorization plugin for CakePHP 3. You can grant and deny access based on roles, and create virtual ones to include sub-roles.

Installing

Using composer, install the plugin:

composer require btaens/cakephp-hier-auth

Insert the following line into your config/bootstrap.php file:

Plugin::load('HierAuth');

Setup

Load and configure HierAuth through AuthComponent:

$this->loadComponent('Auth', [
    'authorize' => [
        'HierAuth.Hier' => [
            'hierarchyFile' => 'hierarchy.yml',
            'aclFile' => 'acl.yml',
            'roleColumn' => false,
            'roleKeys' => [
                'roles' => [
                    'multi' => true,
                    'column' => 'label',
                ],
            ],
        ],
    ],
]);

Hierarchy and ACL

hierarchyFile is a YAML file in which you will define the hierarchy of your roles. Put this in your config directory. The basic structure of it is the following:

hierarchy:
   ROOT:
       - DEVELOPER
       - OWNER
   MODERATOR:
       - FINANCE
       - LABOR
   ADMIN:
       - "@MODERATOR"
       - SALES
       - CONTACT
   USER:
       - MEMBER

Here you have defined a ROOT role. ROOT doesn't necessarily have to be an actual role your users have, however any users with the role DEVELOPER or OWNER will be granted access to any route that ROOT has access to.

ADMIN also includes @MODERATOR. This means that all roles in MODERATOR will have all access (or deny) rights of ADMIN. You can do this recursively (up to 10 depth) as well, so one role could include another, which in turn could also include another.

Not all roles need to be written into your hierarchy file if you don't need to setup a hierarchy for them, you can also grant and deny access to roles not listed here.

You can also include existing roles, and give them the access rights of other existing roles:

hierarchy:
    SALES:
        - CONTACT

In this case, all your users with the CONTACT role would get all the access rights of your SALES role.

aclFile is a YAML file in which you will grant or deny access to your routes. Put this in your config directory. The basic structure is the following:

controllers:
    ALL: [ROOT, ADMIN]
    Posts:
        ALL: [MODERATOR, -ADMIN, CONTACT]
        index: [USER, NEWBIE]

The controllers you wish to define access rights to sit under a controllers key. The ALL key (all caps) defines access to all sub-members (the one under controllers to all controllers, the ones under the individual controllers to all its actions (even the ones not listed).

According to this example, ROOT and ADMIN are by default granted access to all controllers and actions (even the ones not listed).

All actions of Posts get access by MODERATOR, however all actions in Posts are denied to ADMIN (- signifies access denial), except CONTACT, who is granted access as well. From this, you can see order matters ([CONTACT, -ADMIN] would've meant CONTACT is denied, as that role is later set to denied as it's part of ADMIN, however [-ADMIN, CONTACT] grants access to CONTACT, as first we denied it to all in ADMIN, but then granted it to CONTACT).

Table setup

HierAuth can get your user's roles from multiple tables, all of which can be associated through hasMany or hasAndBelongsToMany, or even a column of the User table itself, as a JSON field.

If you're using one of your user table's column for your users' role setup, you'll have to save the roles JSON encoded, or return them through dataType manipulation in the form of an array (so a user with DEVELOPER and MEMBER roles would have, say, a roles column with a value of: ["DEVELOPER","MEMBER"]. Then you'd set roleColumn in the above config to be the name of the column: 'roleColumn' => 'roles'.

A more recommended way however is to store your roles in a seperate table, and associate it with your users' table. Pass in the associations you'd like to use in the roleKeys config key, in the following manner:

'roleKeys' => [
    'roles' => [
        'multi' => true,
        'column' => 'label',
    ],
    'right' => [
        'multi' => false,
        'column' => 'label',
    ],
],

For each association, you have to provide whether the user has multiple or single ones through the multi key, which is either true or false. The column key is the column in the table from which HierAuth reads the role's label (the one you write an your acl and hirarchy configuration). This can be 'id', however, a more verbose unique column is recommended for readability (and maintainability, if you later want to move your database and the role table happens to start with a different id, you have to rewrite your entire ACL roles configuration).

Whichever associations you choose to define, you also have to make sure they get saved in the session when the user logs in through whichever authentication method you use. You will need to write a custom finder method to ensure the correct data is contained.

$this->loadComponent('Auth', [
    'authenticate' => [
        'Form' => [
            'finder'=>'AuthUser'
        ],
    ],
]);
// In your UsersTable
public function findAuthUser(Query $query, $options)
{
    $query->contain([
        'Roles',
        'Rights'
    ]);
    return $query;
}

Requirements

  • PHP >= 5.4.16
  • CakePHP >= 3.0
  • Symfony/YAML >= 2.6

Future plans

  • Create a component to check whether a user's role passes a certain super-role
  • Create a helper as above

Inspired by dereuromark's TinyAuth.

btaens/cakephp-hier-auth 适用场景与选型建议

btaens/cakephp-hier-auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.19k 次下载、GitHub Stars 达 6, 最近一次更新时间为 2015 年 05 月 10 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「plugin」 「cakephp」 「acl」 「hierarchy」 「roles」 「hierauth」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 btaens/cakephp-hier-auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 btaens/cakephp-hier-auth 我们能提供哪些服务?
定制开发 / 二次开发

基于 btaens/cakephp-hier-auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 2.19k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 6
  • 点击次数: 16
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 6
  • Watchers: 4
  • Forks: 4
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2015-05-10