CakePHP ACL 数据库设置:ARO / ACO 结构?
我正在努力在 CakePHP 中实现 ACL。 阅读蛋糕手册中的文档以及其他几个教程后,博客文章等,我发现 Aran Johnson 的优秀教程帮助填补了许多空白。 他的例子似乎与我在一些地方见过的其他例子相冲突——特别是在他使用的 ARO 树结构中。
在他的示例中,他的用户组被设置为级联树,最通用的用户类型位于树的顶部,其子级针对每个更受限制的访问类型进行分支。 在其他地方,我通常将每个用户类型视为同一通用用户类型的子类型。
如何在 CakePHP 中设置 ARO 和 ACO? 任何和所有提示表示赞赏!
I'm struggling to implement ACL in CakePHP. After reading the documentation in the cake manual as well as several other tutorials, blog posts etc, I found Aran Johnson's excellent tutorial which has helped fill in many of the gaps. His examples seem to conflict with others I've seen though in a few places - specifically in the ARO tree structure he uses.
In his examples his user groups are set up as a cascading tree, with the most general user type being at the top of the tree, and its children branching off for each more restricted access type. Elsewhere I've usually seen each user type as a child of the same generic user type.
How do you set up your AROs and ACOs in CakePHP? Any and all tips appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
CakePHP 的内置 ACL 系统确实很强大,但在实际实现细节方面却缺乏文档记录。 我们在许多基于 CakePHP 的项目中使用的系统取得了一些成功,如下所示。
它是对一些组级访问系统的修改,这些系统已在其他地方记录。 我们系统的目标是建立一个简单的系统,其中用户在组级别上获得授权,但他们可以对他们创建的项目或每个用户拥有特定的附加权限。 我们希望避免在
aros_acos
表中为每个用户(或者更具体地说为每个ARO)创建特定条目。我们有一个用户表和一个角色表。
Users
user_id, user_name, role_id
Roles
id, role_name
为每个角色创建 ARO 树(我们通常有 4 个角色)角色 - 未经授权的访客 (id 1)、授权用户 (id 2)、站点版主 (id 3) 和管理员 (id 4)):
cake acl create aro / Role.1
cake acl create aro 1 Role.2 ... etc ...
此后,您必须使用 SQL 或 phpMyAdmin 或类似工具为所有这些添加别名,因为 cake 命令行工具不会这样做。 我们对所有角色使用“Role-{id}”和“User-{id}”。
然后,我们创建一个 ROOT ACO -
Cake acl create aco / 'ROOT'
,然后为该 ROOT 下的所有控制器创建 ACO:
cake acl create aco 'ROOT' 'MyController' .. . 等等...
到目前为止一切正常。 我们在 aros_acos 表中添加一个名为
_editown
的附加字段,我们可以将其用作 ACL 组件的 actionMap 中的附加操作。然后,我们可以设置 Auth 组件以使用“crud”方法,该方法根据 AclComponent::check() 验证请求的控制器/操作。 在 app_controller 中,我们有一些类似的东西:
再说一次,这是相当标准的 CakePHP 东西。 然后,我们在 AppController 中添加一个 checkAccess 方法,该方法添加组级别的内容来检查是否检查组 ARO 或用户 ARO 的访问权限:
setupAuth()
和checkAccess()
方法在AppController
的beforeFilter(
) 回调中调用。 AppControler 中也有一个 isMine 方法(见下文),它仅检查所请求项目的 user_id 是否与当前经过身份验证的用户相同。 为了清楚起见,我省略了这一点。这就是全部内容了。 然后,您可以允许/拒绝特定组访问特定的 acos -
cake acl grant 'Role-2' 'MyController' 'read'
cake acl grant 'Role-2' 'MyController' 'editown '
cake acl Deny 'Role-2' 'MyController' 'update'
cake acl Deny 'Role-2' 'MyController' 'delete'
我是确保你明白了。
不管怎样,这个答案比我想要的要长得多,而且它可能几乎没有任何意义,但我希望它对你有一些帮助......
- 编辑 -
根据要求,这是一个编辑过的(纯粹是为了清楚起见 - 有我们的样板代码中的很多内容在这里毫无意义)AppController 中的
isMine()
方法。 我也删除了很多错误检查的内容,但这就是它的本质:CakePHP's built-in ACL system is really powerful, but poorly documented in terms of actual implementation details. A system that we've used with some success in a number of CakePHP-based projects is as follows.
It's a modification of some group-level access systems that have been documented elsewhere. Our system's aims are to have a simple system where users are authorised on a group-level, but they can have specific additional rights on items that were created by them, or on a per-user basis. We wanted to avoid having to create a specific entry for each user (or, more specifically for each ARO) in the
aros_acos
table.We have a Users table, and a Roles table.
Users
user_id, user_name, role_id
Roles
id, role_name
Create the ARO tree for each role (we usually have 4 roles - Unauthorised Guest (id 1), Authorised User (id 2), Site Moderator (id 3) and Administrator (id 4)) :
cake acl create aro / Role.1
cake acl create aro 1 Role.2 ... etc ...
After this, you have to use SQL or phpMyAdmin or similar to add aliases for all of these, as the cake command line tool doesn't do it. We use 'Role-{id}' and 'User-{id}' for all of ours.
We then create a ROOT ACO -
cake acl create aco / 'ROOT'
and then create ACOs for all the controllers under this ROOT one:
cake acl create aco 'ROOT' 'MyController' ... etc ...
So far so normal. We add an additional field in the aros_acos table called
_editown
which we can use as an additional action in the ACL component's actionMap.We can then setup the Auth component to use the 'crud' method, which validates the requested controller/action against an AclComponent::check(). In the app_controller we have something along the lines of:
Again, this is fairly standard CakePHP stuff. We then have a checkAccess method in the AppController that adds in the group-level stuff to check whether to check a group ARO or a user ARO for access:
The
setupAuth()
andcheckAccess()
methods are called in theAppController
'sbeforeFilter(
) callback. There's anisMine
method in the AppControler too (see below) that just checks that the user_id of the requested item is the same as the currently authenticated user. I've left this out for clarity.That's really all there is to it. You can then allow / deny particular groups access to specific acos -
cake acl grant 'Role-2' 'MyController' 'read'
cake acl grant 'Role-2' 'MyController' 'editown'
cake acl deny 'Role-2' 'MyController' 'update'
cake acl deny 'Role-2' 'MyController' 'delete'
I'm sure you get the picture.
Anyway, this answer's way longer than I intended it to be, and it probably makes next to no sense, but I hope it's some help to you ...
-- edit --
As requested, here's an edited (purely for clarity - there's a lot of stuff in our boilerplate code that's meaningless here)
isMine()
method that we have in our AppController. I've removed a lot of error checking stuff too, but this is the essence of it: