CakePHP ACL 数据库设置：ARO / ACO 结构？

发布于 2024-07-05 03:53:40 字数 478 浏览 7 评论 0原文

我正在努力在 CakePHP 中实现 ACL。阅读蛋糕手册中的文档以及其他几个教程后，博客文章等，我发现 Aran Johnson 的优秀教程帮助填补了许多空白。他的例子似乎与我在一些地方见过的其他例子相冲突——特别是在他使用的 ARO 树结构中。

在他的示例中，他的用户组被设置为级联树，最通用的用户类型位于树的顶部，其子级针对每个更受限制的访问类型进行分支。在其他地方，我通常将每个用户类型视为同一通用用户类型的子类型。

如何在 CakePHP 中设置 ARO 和 ACO？任何和所有提示表示赞赏！

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

断桥再见 2024-07-12 03:53:40

CakePHP 的内置 ACL 系统确实很强大，但在实际实现细节方面却缺乏文档记录。我们在许多基于 CakePHP 的项目中使用的系统取得了一些成功，如下所示。

它是对一些组级访问系统的修改，这些系统已在其他地方记录。我们系统的目标是建立一个简单的系统，其中用户在组级别上获得授权，但他们可以对他们创建的项目或每个用户拥有特定的附加权限。我们希望避免在aros_acos 表中为每个用户（或者更具体地说为每个ARO）创建特定条目。

我们有一个用户表和一个角色表。

Users

user_id, user_name, role_id

Roles

id, role_name

为每个角色创建 ARO 树（我们通常有 4 个角色）角色 - 未经授权的访客 (id 1)、授权用户 (id 2)、站点版主 (id 3) 和管理员 (id 4))：

cake acl create aro / Role.1

cake acl create aro 1 Role.2 ... etc ...

此后，您必须使用 SQL 或 phpMyAdmin 或类似工具为所有这些添加别名，因为 cake 命令行工具不会这样做。我们对所有角色使用“Role-{id}”和“User-{id}”。

然后，我们创建一个 ROOT ACO -

Cake acl create aco / 'ROOT'

，然后为该 ROOT 下的所有控制器创建 ACO：

cake acl create aco 'ROOT' 'MyController' .. . 等等...

到目前为止一切正常。我们在 aros_acos 表中添加一个名为 _editown 的附加字段，我们可以将其用作 ACL 组件的 actionMap 中的附加操作。

CREATE TABLE IF NOT EXISTS `aros_acos` (
`id` int(11) NOT NULL auto_increment,
`aro_id` int(11) default NULL,
`aco_id` int(11) default NULL,
`_create` int(11) NOT NULL default '0',
`_read` int(11) NOT NULL default '0',
`_update` int(11) NOT NULL default '0',
`_delete` int(11) NOT NULL default '0',
`_editown` int(11) NOT NULL default '0',
PRIMARY KEY  (`id`),
KEY `acl` (`aro_id`,`aco_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8;

然后，我们可以设置 Auth 组件以使用“crud”方法，该方法根据 AclComponent::check() 验证请求的控制器/操作。在 app_controller 中，我们有一些类似的东西：

private function setupAuth() {
    if(isset($this->Auth)) {
        ....
        $this->Auth->authorize = 'crud';
        $this->Auth->actionMap = array( 'index'     => 'read',
                        'add'       => 'create',
                        'edit'      => 'update'
                        'editMine'  => 'editown',
                        'view'      => 'read'
                        ... etc ...
                        );
        ... etc ...
    }
}

再说一次，这是相当标准的 CakePHP 东西。然后，我们在 AppController 中添加一个 checkAccess 方法，该方法添加组级别的内容来检查是否检查组 ARO 或用户 ARO 的访问权限：

private function checkAccess() {
    if(!$user = $this->Auth->user()) {
        $role_alias = 'Role-1';
        $user_alias = null;
    } else {
        $role_alias = 'Role-' . $user['User']['role_id'];
        $user_alias = 'User-' . $user['User']['id'];
    }

    // do we have an aro for this user?
    if($user_alias && ($user_aro = $this->User->Aro->findByAlias($user_alias))) {
        $aro_alias = $user_alias;
    } else {
        $aro_alias = $role_alias;
    }

    if ('editown' == $this->Auth->actionMap[$this->action]) {
        if($this->Acl->check($aro_alias, $this->name, 'editown') and $this->isMine()) {
            $this->Auth->allow();
        } else {
            $this->Auth->authorize = 'controller';
            $this->Auth->deny('*');
        }
    } else {
        // check this user-level aro for access
        if($this->Acl->check($aro_alias, $this->name, $this->Auth->actionMap[$this->action])) {
            $this->Auth->allow();
        } else {
            $this->Auth->authorize = 'controller';
            $this->Auth->deny('*');
        }
    }
}

setupAuth() 和 checkAccess() 方法在 AppController 的 beforeFilter() 回调中调用。 AppControler 中也有一个 isMine 方法（见下文），它仅检查所请求项目的 user_id 是否与当前经过身份验证的用户相同。为了清楚起见，我省略了这一点。

这就是全部内容了。然后，您可以允许/拒绝特定组访问特定的 acos -

cake acl grant 'Role-2' 'MyController' 'read'

cake acl grant 'Role-2' 'MyController' 'editown '

cake acl Deny 'Role-2' 'MyController' 'update'

cake acl Deny 'Role-2' 'MyController' 'delete'

我是确保你明白了。

不管怎样，这个答案比我想要的要长得多，而且它可能几乎没有任何意义，但我希望它对你有一些帮助......

- 编辑 -

根据要求，这是一个编辑过的（纯粹是为了清楚起见 - 有我们的样板代码中的很多内容在这里毫无意义）AppController 中的 isMine() 方法。我也删除了很多错误检查的内容，但这就是它的本质：

function isMine($model=null, $id=null, $usermodel='User', $foreignkey='user_id') {
    if(empty($model)) {
        // default model is first item in $this->uses array
        $model = $this->uses[0];
    }

    if(empty($id)) {
        if(!empty($this->passedArgs['id'])) {
        $id = $this->passedArgs['id'];
        } elseif(!empty($this->passedArgs[0])) {
            $id = $this->passedArgs[0];
        }
    }

    if(is_array($id)) {
        foreach($id as $i) {
            if(!$this->_isMine($model, $i, $usermodel, $foreignkey)) {
                return false;
            }
        }

        return true;
    }

    return $this->_isMine($model, $id, $usermodel, $foreignkey);
}


function _isMine($model, $id, $usermodel='User', $foreignkey='user_id') {
    $user = Configure::read('curr.loggedinuser'); // this is set in the UsersController on successful login

    if(isset($this->$model)) {
        $model = $this->$model;
    } else {
        $model = ClassRegistry::init($model);
    }

    //read model
    if(!($record = $model->read(null, $id))) {
        return false;
    }

    //get foreign key
    if($usermodel == $model->alias) {
        if($record[$model->alias][$model->primaryKey] == $user['User']['id']) {
            return true;
        }
    } elseif($record[$model->alias][$foreignkey] == $user['User']['id']) {
        return true;
    }

    return false;
}

CakePHP's built-in ACL system is really powerful, but poorly documented in terms of actual implementation details. A system that we've used with some success in a number of CakePHP-based projects is as follows.

It's a modification of some group-level access systems that have been documented elsewhere. Our system's aims are to have a simple system where users are authorised on a group-level, but they can have specific additional rights on items that were created by them, or on a per-user basis. We wanted to avoid having to create a specific entry for each user (or, more specifically for each ARO) in the aros_acos table.

We have a Users table, and a Roles table.

Users

user_id, user_name, role_id

Roles

id, role_name

Create the ARO tree for each role (we usually have 4 roles - Unauthorised Guest (id 1), Authorised User (id 2), Site Moderator (id 3) and Administrator (id 4)) :

cake acl create aro / Role.1

cake acl create aro 1 Role.2 ... etc ...

After this, you have to use SQL or phpMyAdmin or similar to add aliases for all of these, as the cake command line tool doesn't do it. We use 'Role-{id}' and 'User-{id}' for all of ours.

We then create a ROOT ACO -

cake acl create aco / 'ROOT'

and then create ACOs for all the controllers under this ROOT one:

cake acl create aco 'ROOT' 'MyController' ... etc ...

So far so normal. We add an additional field in the aros_acos table called _editown which we can use as an additional action in the ACL component's actionMap.

CREATE TABLE IF NOT EXISTS `aros_acos` (
`id` int(11) NOT NULL auto_increment,
`aro_id` int(11) default NULL,
`aco_id` int(11) default NULL,
`_create` int(11) NOT NULL default '0',
`_read` int(11) NOT NULL default '0',
`_update` int(11) NOT NULL default '0',
`_delete` int(11) NOT NULL default '0',
`_editown` int(11) NOT NULL default '0',
PRIMARY KEY  (`id`),
KEY `acl` (`aro_id`,`aco_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8;

We can then setup the Auth component to use the 'crud' method, which validates the requested controller/action against an AclComponent::check(). In the app_controller we have something along the lines of:

private function setupAuth() {
    if(isset($this->Auth)) {
        ....
        $this->Auth->authorize = 'crud';
        $this->Auth->actionMap = array( 'index'     => 'read',
                        'add'       => 'create',
                        'edit'      => 'update'
                        'editMine'  => 'editown',
                        'view'      => 'read'
                        ... etc ...
                        );
        ... etc ...
    }
}

Again, this is fairly standard CakePHP stuff. We then have a checkAccess method in the AppController that adds in the group-level stuff to check whether to check a group ARO or a user ARO for access:

private function checkAccess() {
    if(!$user = $this->Auth->user()) {
        $role_alias = 'Role-1';
        $user_alias = null;
    } else {
        $role_alias = 'Role-' . $user['User']['role_id'];
        $user_alias = 'User-' . $user['User']['id'];
    }

    // do we have an aro for this user?
    if($user_alias && ($user_aro = $this->User->Aro->findByAlias($user_alias))) {
        $aro_alias = $user_alias;
    } else {
        $aro_alias = $role_alias;
    }

    if ('editown' == $this->Auth->actionMap[$this->action]) {
        if($this->Acl->check($aro_alias, $this->name, 'editown') and $this->isMine()) {
            $this->Auth->allow();
        } else {
            $this->Auth->authorize = 'controller';
            $this->Auth->deny('*');
        }
    } else {
        // check this user-level aro for access
        if($this->Acl->check($aro_alias, $this->name, $this->Auth->actionMap[$this->action])) {
            $this->Auth->allow();
        } else {
            $this->Auth->authorize = 'controller';
            $this->Auth->deny('*');
        }
    }
}

The setupAuth() and checkAccess() methods are called in the AppController's beforeFilter() callback. There's an isMine method in the AppControler too (see below) that just checks that the user_id of the requested item is the same as the currently authenticated user. I've left this out for clarity.

That's really all there is to it. You can then allow / deny particular groups access to specific acos -

cake acl grant 'Role-2' 'MyController' 'read'

cake acl grant 'Role-2' 'MyController' 'editown'

cake acl deny 'Role-2' 'MyController' 'update'

cake acl deny 'Role-2' 'MyController' 'delete'

I'm sure you get the picture.

Anyway, this answer's way longer than I intended it to be, and it probably makes next to no sense, but I hope it's some help to you ...

-- edit --

As requested, here's an edited (purely for clarity - there's a lot of stuff in our boilerplate code that's meaningless here) isMine() method that we have in our AppController. I've removed a lot of error checking stuff too, but this is the essence of it:

function isMine($model=null, $id=null, $usermodel='User', $foreignkey='user_id') {
    if(empty($model)) {
        // default model is first item in $this->uses array
        $model = $this->uses[0];
    }

    if(empty($id)) {
        if(!empty($this->passedArgs['id'])) {
        $id = $this->passedArgs['id'];
        } elseif(!empty($this->passedArgs[0])) {
            $id = $this->passedArgs[0];
        }
    }

    if(is_array($id)) {
        foreach($id as $i) {
            if(!$this->_isMine($model, $i, $usermodel, $foreignkey)) {
                return false;
            }
        }

        return true;
    }

    return $this->_isMine($model, $id, $usermodel, $foreignkey);
}


function _isMine($model, $id, $usermodel='User', $foreignkey='user_id') {
    $user = Configure::read('curr.loggedinuser'); // this is set in the UsersController on successful login

    if(isset($this->$model)) {
        $model = $this->$model;
    } else {
        $model = ClassRegistry::init($model);
    }

    //read model
    if(!($record = $model->read(null, $id))) {
        return false;
    }

    //get foreign key
    if($usermodel == $model->alias) {
        if($record[$model->alias][$model->primaryKey] == $user['User']['id']) {
            return true;
        }
    } elseif($record[$model->alias][$foreignkey] == $user['User']['id']) {
        return true;
    }

    return false;
}

回复收藏 0 原文

~没有更多了~