Yii的accessRules误解

I'm trying to build a site using Yii, and found myself in a situation which requires some clarifications on access control metaphor in Yii. Specifically, one can override accessRules method in CController's descendant.

Prerequisite:

Here is a code generated by default by Gii, much similar to the documentation:

public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'roles'=> array('admin'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}

The Question:

What is not clear here to me, is -- why we need to define access rules for many different users and groups, and different actions instead of checking rights of only one current user and action? -- here in italics my main question is highlighted, just in case it may not so clear for readers (answer authors).

This code is executed in a context of specific request, for which a specific controller, a specific action, and a specific user are already known. If, for example, the user is a guest, I don't see any reason to define rules for "admin" role or authenticated users.

Reasoning:

After some elaboration I came up to the following implementation:

public function accessRules()
{
    return array(
      array(Yii::app()->user->hasRights()?'allow':'deny'),
      );
}

where hasRights is a simple custom method added into a CWebUser descendant:

class WebUser extends CWebUser
{
  private $ACL = // ACL example
    array('user' => // controller id
      array('index' => User::AC_MODERATOR, // action ids
            'view' => User::AC_MODERATOR,
            'create' => User::AC_MODERATOR,
            'update' => User::AC_ADMIN,
            'delete' => User::AC_ADMIN,
            'admin' => User::AC_ADMIN),
           // ...
      );

  public function hasRights()
  {
    return (Yii::app()->user->getState('accessRights') >=
      $this->ACL[Yii::app()->controller->id][Yii::app()->controller->action->id]);
  }
}

As you may see, hasRights uses current user "rights" (read from DB as usual), current controller and action to calculate single boolean true or false value as a decision about access.

What is wrong with this approach? Why Yii does not use something simple like that by default?

The Gii-generated accessRules above do not only look excessive, but also imply that access rules are scattered among many controllers. In my approach a single and compact ACL is used.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duande3134 2013-08-02 22:32
关注
Here's where I think you're confused.

First of all, Yii is in fact only looking at the current user and the current action. Just like how you got the current permissions for the controller by grabbing a nested array, indexed by the controller ID, Yii is creating an instance of your controller and only looking at those access rules. Also, just like you're only looking at the permissions of a particular action, Yii is only looking at the rules pertaining to the current action. It accesses those permissions just as easily as you return the value of the nested array.

As far as the user goes, it's also only looking at the current user; the current user name, the current user role, etc. The difference is, there are multiple attributes Yii will allow within a rule, in contrast to the single permission value associated with the user.

It seems what you don't like about this approach is you think permissions should be handled all in one place. This could be simpler in some cases, but more difficult in others. What happens when you have multiple controllers and multiple actions in each controller? You now have a very large array to manage, that references data from multiple different contexts. In the way Yii does it, the current controller has control over how it's data structure can be accessed. This lines up with Yii's MVC structure, and the concept of encapsulation.

Your solution is more elegant in some respects, but it hinges on the idea that permissions will only ever need to be structured in a cascading one directional structure. What I mean is your permissions are like one long hallway, with doors separating one area from another. If the user doesn't have the key to one door, they shouldn't be able to access the next, etc. But what happens if, in your example, you need a user to both view content, and update it without being able to create new content? This is a much more complicated scenario which will need to be handled using roles. So then you'd have to process rules within your array, much like Yii does. Except instead of Yii's object oriented approach, you've got everything embedded in one long array.

So perhaps your solution will work in some cases, but I'm sure you can see why Yii chose its approach since it will work, by default, for far more situations.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

Yii的accessRules误解 php
2013-01-09 16:04

回答 2 已采纳 Here's where I think you're confused. First of all, Yii is in fact only looking at the current us
Yii accessRules问题 - 对我不起作用 php
2014-09-15 15:01

回答 1 已采纳 array('allow', 'roles'=>array('user'), ), Here you need to define what actions are 'users
Yii：restfullyii在restEvents上的扩展accessRules php
2014-08-23 13:31

回答 1 已采纳 I figured it out with the following: /** * req.auth.uri * * return true to allow access to a
yii2中的rules 自定义验证规则详解
2020-12-19 17:32

yii2的一个强大之处之一就是他的Form组件，既方便又安全。有些小伙伴感觉用yii一段时间了，好嘛，除了比tp”难懂”好像啥都没有。领导安排搞一个注册的功能，这家伙刷刷刷的又是...我们来看看用Yii2自带的rules怎么
@如何在YII中的accessRules中运行 php
2013-05-11 12:05

回答 1 已采纳 What are you using to detect that the user is logged in? A simple session variable set manually by
如何在yii2中隐藏php警告？ php
2016-06-28 11:32

回答 4 已采纳 This can be achieved by changing two parameters in index.php file. 1) Setting YII_DEBUG to false
php yii框架问题与对象 mysql php
2016-01-28 20:01

回答 2 已采纳 seems is required this format <?php $this->widget('zii.widgets.CDetailView', array( 'da
详解Yii2.0 rules验证规则集合
2020-12-18 02:23

我最近也在学习Yii2的路上，那么今天也算个学习笔记吧！ required : 必须值验证属性复制代码代码如下: [[‘字段名’],required,’requiredValue’=>’必填值’,’message’=>’提示信息’]; #说明:...
PHP Yii2密码加密 php
2015-09-02 02:47

回答 6 已采纳 I want to encrypt the password before saving it to the database. No you don't. Well, you migh
PHP - Yii - 动态属性CActiveRecord php
2015-06-04 13:54

回答 1 已采纳 In Yii 1.x you can't. Only if you override CActiveRecord._get() by extending it.
Yii2 URL Manager规则 php
2016-12-02 12:53

回答 1 已采纳 Try <slug:[\w\-]+> as the part of left side URL rule.
php中rules,详解Yii2 rules 的验证规则
2021-04-12 23:37

机智的娜娜的博客 yii2 框架定义的约束public $builtInValidators = ['boolean' => 'yii\validators\BooleanValidator','captcha' => 'yii\captcha\CaptchaValidator','compare' => 'yii\validators\CompareValidator','date...
Yii2 - 在adminlte left.php布局中声明$ variable的地方 php
2018-10-11 10:20

回答 1 已采纳 Honestly i'am not sure what the actual question is exactly about, but since you talk about menu le
yii2-rules-generator
2021-03-07 02:49

yii2-rules-generator 为模型规则生成快速简便的数组，为验证器及其选项生成自动完成的提示。强调安装简单简化事情安装使用Composer以通常的方式进行安装。将以下内容添加到composer.json文件的require部分： " ...
Yii2 rules 自定义规则
2020-07-04 10:51

幽篁晓筑的博客 Yii2 提供了一套完善的参数校验规则，但有时可能不满足实际需求，需要我们自定义规则，这里简单介绍下自定义规则的使用。比如有个参数 country ，只能接收 'USA', 'Web'，其余校验不通过，代码如下： public $...
没有解决我的问题, 去提问

悬赏问题

¥15 高德地图点聚合中Marker的位置无法实时更新
¥15 DIFY API Endpoint 问题。
¥20 sub地址DHCP问题
¥15 delta降尺度计算的一些细节，有偿
¥15 Arduino红外遥控代码有问题
¥15 数值计算离散正交多项式
¥30 数值计算均差系数编程
¥15 redis-full-check比较两个集群的数据出错
¥15 Matlab编程问题
¥15 训练的多模态特征融合模型准确度很低怎么办

Yii的accessRules误解

2条回答 默认 最新

悬赏问题

2条回答默认最新