定制 yiisoft/rbac 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

yiisoft/rbac

Composer 安装命令:

composer require yiisoft/rbac

包简介

Yii Role-Based Access Control

关键字:

README 文档

README

Yii

Yii Role-Based Access Control


Latest Stable Version Total Downloads Build status codecov Mutation testing badge static analysis type-coverage

This package provides RBAC (Role-Based Access Control) library. It is used in Yii Framework but is usable separately as well.

Features

  • Flexible RBAC hierarchy with roles, permissions, and rules.
  • Role inheritance.
  • Data could be passed to rules when checking access.
  • Multiple storage adapters.
  • Separate storages could be used for user-role assignments and role hierarchy.
  • API to manage RBAC hierarchy.

Requirements

  • PHP 8.1 - 8.5.

Installation

The package could be installed with Composer:

composer require yiisoft/rbac

One of the following storages could be installed as well:

Also, there is a rule factory implementation - Rules Container (based on Yii Factory).

All these can be replaced with custom implementations.

General usage

Setting up manager

First step when using RBAC is to configure an instance of Manager:

use Yiisoft\Rbac\AssignmentsStorageInterface;
use Yiisoft\Rbac\ItemsStorageInterface;
use Yiisoft\Rbac\RuleFactoryInterface;

/**
* @var ItemsStorageInterface $itemsStorage
* @var AssignmentsStorageInterface $assignmentsStorage
* @var RuleFactoryInterface $ruleFactory
*/
$manager = new Manager($itemsStorage, $assignmentsStorage, $ruleFactory);

It requires the following dependencies:

  • Items storage (hierarchy itself).
  • Assignments storage where user IDs are mapped to roles.
  • Rule factory. Creates a rule instance by a given name.

While storages are required, rule factory is optional and, when omitted, SimpleRuleFactory will be used. For more advanced usage, such as resolving rules by aliases and passing arguments in rules constructor, install Rules Container additionally or write your own implementation.

A few tips for choosing storage backend:

  • Roles and permissions could usually be considered "semi-static," as they only change when you update your application code, so it may make sense to use PHP storage for it.
  • Assignments, on the other hand, could be considered "dynamic." They change more often: when creating a new user, or when updating a user role from within your application. So it may make sense to use database storage for assignments.

Managing RBAC hierarchy

Before being able to check for permissions, an RBAC hierarchy must be defined. Usually it is done via either console commands or migrations. Hierarchy consists of permissions, roles, and rules:

  • Permissions are granules of access such as "create a post" or "read a post."
  • A role is what is assigned to the user. The Role is granted one or more permissions. Typical roles are "manager" or "admin."
  • Rule is a PHP class that has given some data answers a single question "given the data has the user the permission asked for."

To create a permission, use the following code:

use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;

/** @var ManagerInterface $manager */
$manager->addPermission(new Permission('createPost'));
$manager->addPermission(new Permission('readPost'));
$manager->addPermission(new Permission('deletePost'));

To add some roles:

use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Role;

/** @var ManagerInterface $manager */
$manager->addRole(new Role('author'));
$manager->addRole(new Role('reader'));

Next, we need to attach permissions to roles:

use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$manager->addChild('reader', 'readPost');
$manager->addChild('author', 'createPost');
$manager->addChild('author', 'deletePost');
$manager->addChild('author', 'reader');

Hierarchy for the example above:

flowchart LR
  createPost:::permission ---> author:::role
  readPost:::permission --> reader:::role --> author:::role
  deletePost:::permission ---> author:::role
  classDef permission fill:#fc0,stroke:#000,color:#000
  classDef role fill:#9c0,stroke:#000,color:#000
Loading

Sometimes, basic permissions are not enough. In this case, rules are helpful. Rules are PHP classes that could be added to permissions and roles:

use Yiisoft\Rbac\Item;
use Yiisoft\Rbac\RuleContext;
use Yiisoft\Rbac\RuleInterface;

class ActionRule implements RuleInterface
{
    public function execute(?string $userId, Item $item, RuleContext $context): bool;
    {
        return $context->getParameterValue('action') === 'home';
    }
}

With rule added, the role or permission is considered only when rule's execute() method returns true.

The parameters are:

  • $userId is user id to check permission against;
  • $item is RBAC hierarchy item that rule is attached to;
  • $context is a rule context providing access to parameters.

To use rules with Manager, specify their names with added permissions or roles:

use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;

/** @var ManagerInterface $manager */
$manager->addPermission( 
    (new Permission('viewList'))->withRuleName(ActionRule::class),
);

// or

$manager->addRole(
    (new Role('NewYearMaintainer'))->withRuleName(NewYearOnlyRule::class)
);

The rule names action_rule and new_year_only_rule are resolved to ActionRule and NewYearOnlyRule class instances accordingly via rule factory.

If you need to aggregate multiple rules at once, use composite rule:

use Yiisoft\Rbac\CompositeRule;

// Fresh and owned
$compositeRule = new CompositeRule(CompositeRule::AND, [FreshRule::class, OwnedRule::class]);

// Fresh or owned
$compositeRule = new CompositeRule(CompositeRule::OR, [FreshRule::class, OwnedRule::class]);

Assigning roles to users

To assign a certain role to a user with a given ID, use the following code:

use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$userId = 100;
$manager->assign('author', $userId);

It could be done in an admin panel, via console command, or it could be built into the application business logic itself.

Check for permission

To check for permission, obtain an instance of Yiisoft\Access\AccessCheckerInterface and use it:

use Psr\Http\Message\ResponseInterface; 
use Yiisoft\Access\AccessCheckerInterface;

public function actionCreate(AccessCheckerInterface $accessChecker): ResponseInterface
{
    $userId = getUserId();

    if ($accessChecker->userHasPermission($userId, 'createPost')) {
        // author has permission to create post
    }
}

Sometimes you need to add guest-only permission, which is not assigned to any user ID. In this case, you can specify a role which is assigned to guest user:

use Yiisoft\Access\AccessCheckerInterface;
use Yiisoft\Rbac\Permission;
use Yiisoft\Rbac\Role;

/** 
 * @var ManagerInterface $manager
 * @var AccessCheckerInterface $accessChecker 
 */
$manager->setGuestRoleName('guest');
$manager->addPermission(new Permission('signup'));
$manager->addRole(new Role('guest'));
$manager->addChild('guest', 'signup');

$guestId = null;
if ($accessChecker->userHasPermission($guestId, 'signup')) {
    // Guest has "signup" permission.
}

If there is a rule involved, you may pass extra parameters:

use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$anotherUserId = 103;
if (!$manager->userHasPermission($anotherUserId, 'viewList', ['action' => 'home'])) {
    echo 'reader hasn\'t "index" permission';
}

Documentation

If you need help or have a question, the Yii Forum is a good place for that. You may also check out other Yii Community Resources.

License

The Yii Role-Based Access Control is free software. It is released under the terms of the BSD License. Please see LICENSE for more information.

Maintained by Yii Software.

Support the project

Open Collective

Follow updates

Official website Twitter Telegram Facebook Slack

yiisoft/rbac 适用场景与选型建议

yiisoft/rbac 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 164.17k 次下载、GitHub Stars 达 74, 最近一次更新时间为 2018 年 08 月 11 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「yii」 「rbac」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 yiisoft/rbac 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 yiisoft/rbac 我们能提供哪些服务?
定制开发 / 二次开发

基于 yiisoft/rbac 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 164.17k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 76
  • 点击次数: 22
  • 依赖项目数: 20
  • 推荐数: 2

GitHub 信息

  • Stars: 74
  • Watchers: 21
  • Forks: 26
  • 开发语言: PHP

其他信息

  • 授权协议: BSD-3-Clause
  • 更新时间: 2018-08-11