thinkPHP3.2 Implementation of Privilege Management Using RBAC

  • 2021-12-19 06:21:25
  • OfStack

In ThinkPHP 3.2 we integrate RBAC to implement privilege management. The RBAC implementation class ships with the framework at ThinkPHP/Library/Org/Util/Rbac.class.php and bundles the privilege-management operations we need.

1: Table design

In ThinkPHP's Rbac.class.php, a total of 4 tables are used, plus a user table that you need to create yourself.

The following is the permission-related SQL I built.

Here wj_ is the table prefix; change it to the table prefix used in your project.

1: Permission table:


CREATE TABLE IF NOT EXISTS `wj_access` (
 `role_id` SMALLINT(6) UNSIGNED NOT NULL COMMENT ' Role ID',
 `node_id` SMALLINT(6) UNSIGNED NOT NULL COMMENT ' Node ID',
 `level` TINYINT(1) NOT NULL COMMENT ' Depth ',
 `module` VARCHAR(50) DEFAULT NULL COMMENT ' Module ',
 KEY `groupId` (`role_id`),
 KEY `nodeId` (`node_id`)
) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT=' Permission table ';

2: Node table:


CREATE TABLE IF NOT EXISTS `wj_node` (
 `id` SMALLINT(6) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT ' Node ID',
 `name` VARCHAR(20) NOT NULL COMMENT ' Node name ',
 `title` VARCHAR(50) DEFAULT NULL COMMENT ' Node header ',
 `status` TINYINT(1) DEFAULT '0' COMMENT ' Status  0 Disable  1 Enable ',
 `remark` VARCHAR(255) DEFAULT NULL COMMENT ' Describe ',
 `sort` SMALLINT(6) UNSIGNED DEFAULT NULL COMMENT ' Sort ',
 `pid` SMALLINT(6) UNSIGNED NOT NULL COMMENT ' Parent node ',
 `level` TINYINT(1) UNSIGNED NOT NULL COMMENT ' Depth ',
 PRIMARY KEY (`id`),
 KEY `level` (`level`),
 KEY `pid` (`pid`),
 KEY `status` (`status`),
 KEY `name` (`name`)
) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT=' Node table ';

3: User role table:


CREATE TABLE IF NOT EXISTS `wj_role` (
 `id` SMALLINT(6) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT ' Role ID',
 `name` VARCHAR(20) NOT NULL COMMENT ' Role name ',
 `pid` SMALLINT(6) DEFAULT NULL COMMENT ' Parent ID',
 `status` TINYINT(1) UNSIGNED DEFAULT NULL COMMENT ' Status  0 Disable  1 Enable ',
 `remark` VARCHAR(255) DEFAULT NULL COMMENT ' Remarks ',
 PRIMARY KEY (`id`),
 KEY `pid` (`pid`),
 KEY `status` (`status`)
) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT=' User role table ';

4: User Role Association Table:


CREATE TABLE IF NOT EXISTS `wj_role_user` (
 `role_id` MEDIUMINT(9) UNSIGNED DEFAULT NULL COMMENT ' Role ID',
 `user_id` CHAR(32) DEFAULT NULL COMMENT ' Users ID',
 KEY `group_id` (`role_id`),
 KEY `user_id` (`user_id`)
) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT=' User role association table ';

5: User table:


CREATE TABLE IF NOT EXISTS `wj_user` (
 `user_id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT ' Users ID',
 `username` VARCHAR(50) NOT NULL COMMENT ' User name ',
 `password` VARCHAR(100) NOT NULL COMMENT ' Password ',
 `create_time` INT(10) DEFAULT NULL COMMENT ' Creation time ',
 `update_time` INT(10) DEFAULT NULL COMMENT ' Update time ',
 `status` INT(1) DEFAULT NULL COMMENT ' Status  0 Disable  1 Enable ',
 PRIMARY KEY (`user_id`)
) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT=' User table ';

2: Common configurations for permission operations:

Add the following to the array in config.php:


//  Load Extended Configuration File 
'LOAD_EXT_CONFIG' => 'user',

This way we can place all of our permission configuration in a user.php file at the same level as config.php. The user.php file is configured as follows:


<?php
/**
 * User rights configuration file
 */
return array(
  // Whether authentication is enabled
  'USER_AUTH_ON' => true,
  // Authentication type: 1 = authenticate at login, 2 = authenticate in real time
  'USER_AUTH_TYPE' => 1,
  // SESSION key for back-end user authentication
  'USER_AUTH_KEY' => 'wjAuthId',
  // Default authentication gateway
  'USER_AUTH_GATEWAY' => '?m=Admin&c=Login&a=index',
  // RBAC_DB_DSN: database connection DSN (not set here)
  // Role table name; C('DB_PREFIX') supplies the table prefix
  'RBAC_ROLE_TABLE' => C('DB_PREFIX') . 'role',
  // User role association table name
  'RBAC_USER_TABLE' => C('DB_PREFIX') . 'role_user',
  // Permission table name
  'RBAC_ACCESS_TABLE' => C('DB_PREFIX') . 'access',
  // Node table name
  'RBAC_NODE_TABLE' => C('DB_PREFIX') . 'node',
  // Default model used to validate users
  'USER_AUTH_MODEL' => 'User',
  // SESSION key for the super administrator flag
  'ADMIN_AUTH_KEY' => 'wjAdministrator',
  // Modules that always require authentication
  'REQUIRE_AUTH_MODULE' => '',
  // Actions that always require authentication
  'REQUIRE_AUTH_ACTION' => '',
  // Modules that never require authentication
  'NOT_AUTH_MODULE' => 'Public',
  // Actions that never require authentication
  'NOT_AUTH_ACTION' => '',
  // Whether guest access is enabled
  'GUEST_AUTH_ON' => false,
  // Guest user ID
  'GUEST_AUTH_ID' => 0,
  // SESSION key for the back-end username
  'BACK_LOGIN_NAME' => 'loginBackName',
  // SESSION key for the back-end role name
  'BACK_USER_ROLE' => 'bakcUserRole',
  // SESSION key for the back-end role ID
  'BACK_ROLE_ID' => 'backRoleId',
  // SESSION key for the back-end user's login time
  'BACK_ONLINE_TIME' => 'backOnlineTime',
  // Back-end online interval, in minutes
  'ONLINE_INTERVAL' => 180,
  // Logout URL
  'LOGOUT_URL' => '/test',
);

3: Common methods of permission operation:

1: Rbac::saveAccessList($authId = null);

Caches the permission list. The argument may be left null only if the user's id was stored in $_SESSION[C('USER_AUTH_KEY')] at login; the method then stores the permissions of the user's role in $_SESSION['_ACCESS_LIST'].

2: Rbac::checkAccess()

Determines whether the module and action the user is accessing require permission checking.

3: Rbac::AccessDecision()

Determines whether the user has access rights, that is, whether the current module, controller and action of the project are present in the $_SESSION['_ACCESS_LIST'] array. If the entry exists the user has permission; otherwise it returns false.

4: Rbac::checkLogin();

Determines whether the user is logged in; if not, redirects to the specified path.

5: Rbac::getAccessList($authId)

Returns the permission list $_SESSION['_ACCESS_LIST'] by querying the database.

6: Rbac::authenticate($map, $model = '')

Takes the query conditions for the user and the model of the user table, and returns an array containing the user's information. If no model is passed, the USER_AUTH_MODEL configuration item is used.
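To make the node hierarchy from section 1 and the lookup that AccessDecision() performs concrete, here is an added, stand-alone PHP illustration (not code from ThinkPHP's Rbac class): it builds a nested module/controller/action list from constructed node and access rows and checks a request against it. The three-level layout (level 1 = module, 2 = controller, 3 = action, linked through pid), the upper-cased keys, and the function names buildAccessList/accessDecision are assumptions made here to model what the page describes.

```php
<?php
// Constructed rows standing in for wj_node. Assumed layout: level 1 = module,
// level 2 = controller, level 3 = action, each linked to its parent through pid.
$nodes = array(
    array('id' => 1, 'name' => 'Admin',  'pid' => 0, 'level' => 1, 'status' => 1),
    array('id' => 2, 'name' => 'Index',  'pid' => 1, 'level' => 2, 'status' => 1),
    array('id' => 3, 'name' => 'index',  'pid' => 2, 'level' => 3, 'status' => 1),
    array('id' => 4, 'name' => 'User',   'pid' => 1, 'level' => 2, 'status' => 1),
    array('id' => 5, 'name' => 'delete', 'pid' => 4, 'level' => 3, 'status' => 1),
    array('id' => 6, 'name' => 'edit',   'pid' => 4, 'level' => 3, 'status' => 0),
);
// Constructed rows standing in for wj_access: node ids granted to role 2 (node 5 is not).
$access = array(
    array('role_id' => 2, 'node_id' => 1), array('role_id' => 2, 'node_id' => 2),
    array('role_id' => 2, 'node_id' => 3), array('role_id' => 2, 'node_id' => 4),
    array('role_id' => 2, 'node_id' => 6),
);
// Build the nested list [MODULE][CONTROLLER][ACTION] => action node id for one role.
// An action counts only when it and both ancestors are enabled (status 1) and granted
// to the role; keys are upper-cased so the later lookup is case-insensitive.
function buildAccessList(array $nodes, array $access, $roleId)
{
    $granted = array();
    foreach ($access as $row) {
        if ((int)$row['role_id'] === (int)$roleId) $granted[(int)$row['node_id']] = true;
    }
    $byId = array();
    foreach ($nodes as $n) $byId[(int)$n['id']] = $n;
    $ok = function ($n) use ($granted) {
        return $n !== null && (int)$n['status'] === 1 && isset($granted[(int)$n['id']]);
    };
    $list = array();
    foreach ($nodes as $n) {
        if ((int)$n['level'] !== 3 || !$ok($n)) continue;
        $ctrl = isset($byId[(int)$n['pid']]) ? $byId[(int)$n['pid']] : null;
        $mod  = ($ctrl !== null && isset($byId[(int)$ctrl['pid']])) ? $byId[(int)$ctrl['pid']] : null;
        if (!$ok($ctrl) || !$ok($mod)) continue;
        $list[strtoupper($mod['name'])][strtoupper($ctrl['name'])][strtoupper($n['name'])] = (int)$n['id'];
    }
    return $list;
}
// The decision: allowed only when the exact module/controller/action path is present.
function accessDecision(array $list, $module, $controller, $action)
{
    return isset($list[strtoupper($module)][strtoupper($controller)][strtoupper($action)]);
}
$list = buildAccessList($nodes, $access, 2);
var_dump(accessDecision($list, 'Admin', 'Index', 'index'));  // action granted and enabled
var_dump(accessDecision($list, 'Admin', 'User', 'delete'));  // action never granted to role 2
var_dump(accessDecision($list, 'Admin', 'User', 'edit'));    // granted, but the node is disabled
```

Note that a disabled parent node hides every action beneath it even when the actions themselves are granted, which is the behaviour to verify when a role unexpectedly loses access after a node is toggled to status 0.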

4: Simple implementation example of permission management:

1: Login:


// Requires `use Org\Util\Rbac;` at the top of the controller file
// Get the submitted username and password
$username = I('post.username');
$password = I('post.password');
// Build the authentication conditions
$map = array();
$map['username'] = $username;
$map['status'] = array('eq', 1);
// Check whether this user exists
$authInfo = Rbac::authenticate($map);
if (!$authInfo) {
  $this->error(' The account does not exist ');
}
// Strict comparison: a loose != would let PHP compare two numeric-looking digests as numbers
if ($authInfo['password'] !== md5($password)) {
  $this->error(' Password error ');
}
$user_id = $authInfo['user_id'];
$role_user = new Model();
// Look up the role bound to this user; an array condition keeps the value bound instead of concatenated
$role = $role_user->table(C("RBAC_USER_TABLE"))->alias("user")->where(array('user_id' => (int)$user_id))->join(C("RBAC_ROLE_TABLE") . " as role ON role.id=user.role_id")->field("id,name")->find();
if (empty($role)) {
  $this->error(' This user has no corresponding role and cannot log in ');
}
// SESSION key for the back-end role ID
session(C('BACK_ROLE_ID'), $role['id']);
// SESSION key for the back-end role name
session(C('BACK_USER_ROLE'), $role['name']);
// SESSION key for back-end user authentication
session(C('USER_AUTH_KEY'), $authInfo['user_id']);
// SESSION key for the back-end username
session(C('BACK_LOGIN_NAME'), $authInfo['username']);
// SESSION key for the back-end user's login time
session(C('BACK_ONLINE_TIME'), time());
// Check whether the user's role is super administrator
if ($role['id'] == '1') {
  // For the super administrator, set the super administrator SESSION flag to true
  session(C('ADMIN_AUTH_KEY'), true);
}
// Cache the access rights
Rbac::saveAccessList();
$this->success(' Login successful ', U('Index/index'));
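The login above stores and compares an unsalted MD5 digest, which is weak password storage. The following is an added illustration, not code from the original article, of a replacement for that one check: it verifies password_hash() output (which fits the VARCHAR(100) column) and transparently upgrades accounts that still hold a 32-character MD5 value. It assumes PHP 5.6 or later for the password_* functions and hash_equals(), and that the caller writes the returned hash back; verifyAndUpgradePassword is a hypothetical name.

```php
<?php
// Added illustration: password check for the login step above without an unsalted MD5
// digest or a loose `!=` comparison. Assumes PHP >= 5.6 (password_* and hash_equals()).
// Returns false on mismatch, true on a match that needs no change, or a string (a new
// hash the caller must store in wj_user.password) when a matching account is upgraded.
function verifyAndUpgradePassword($submitted, $stored)
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row still holding md5($password): compare as strings in constant time,
        // then replace it with a salted, slow hash so the MD5 value is retired.
        if (!hash_equals(strtolower($stored), md5($submitted))) {
            return false;
        }
        return password_hash($submitted, PASSWORD_DEFAULT);
    }
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    // Rehash when the stored hash predates the current default algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($submitted, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample accounts: one legacy MD5 row and one already using password_hash().
$legacyRow = array('user_id' => 7, 'password' => md5('correct horse'));
$modernRow = array('user_id' => 8, 'password' => password_hash('battery staple', PASSWORD_DEFAULT));

foreach (array(
    array($legacyRow, 'correct horse'),   // legacy row, correct password
    array($legacyRow, 'wrong password'),  // legacy row, wrong password
    array($modernRow, 'battery staple'),  // modern row, correct password
    array($modernRow, 'battery stapler'), // modern row, wrong password
) as $case) {
    list($row, $attempt) = $case;
    $result = verifyAndUpgradePassword($attempt, $row['password']);
    if (is_string($result)) {
        // In the controller this is where the new hash is written back, e.g. with the User
        // model: M('User')->where(array('user_id' => $row['user_id']))->save(array('password' => $result));
        $row['password'] = $result;
    }
    echo 'user ', $row['user_id'], ': ', ($result === false ? 'rejected' : 'accepted'), PHP_EOL;
}
```

In the login code this replaces only the `md5($password)` comparison; Rbac::authenticate() still fetches the row, and the rest of the session setup is unchanged.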

2: Permission verification after successful login:


// Verify login
Rbac::checkLogin();
// User rights check
if (Rbac::checkAccess() && !Rbac::AccessDecision()) {
  // No permission: report the error
  if (C('RBAC_ERROR_PAGE')) {
    // A permission error page is defined
    redirect(C('RBAC_ERROR_PAGE'));
  } else {
    if (C('GUEST_AUTH_ON')) {
      // Guest access is enabled: handle it here
    }
    // Show the error message
    $this->error(L('_VALID_ACCESS_'));
  }
}
// Automatic logout: check whether the back-end user's login-time SESSION flag has expired
if (session(C('BACK_ONLINE_TIME')) + C('ONLINE_INTERVAL') * 60 < time()) {
  if (session('?' . C('USER_AUTH_KEY'))) {
    // Expire the session cookie, then destroy the session;
    // session('[destroy]') already calls session_destroy(), so it is not called a second time
    if (isset($_COOKIE[session_name()])) {
      setcookie(session_name(), '', time() - 3600, '/');
    }
    session('[destroy]');
  }
  $this->error(' Session timed out, please log in again ', U('Login/index'));
} else {
  session(C('BACK_ONLINE_TIME'), time());
}

With the above, role-based permission management for users can be implemented.
