public function safeUp()
{
Route::refreshRoutes();
Role::create('Admin');
// ================= User management permissions =================
$group = new AuthItemGroup();
$group->name = 'User management';
$group->code = 'userManagement';
$group->save(false);
Role::assignRoutesViaPermission('Admin', 'viewUsers', ['/user-management/user/index', '/user-management/user/view', '/user-management/user/grid-page-size'], 'View users', $group->code);
Role::assignRoutesViaPermission('Admin', 'createUsers', ['/user-management/user/create'], 'Create users', $group->code);
Role::assignRoutesViaPermission('Admin', 'editUsers', ['/user-management/user/update', '/user-management/user/bulk-activate', '/user-management/user/bulk-deactivate'], 'Edit users', $group->code);
Role::assignRoutesViaPermission('Admin', 'deleteUsers', ['/user-management/user/delete', '/user-management/user/bulk-delete'], 'Delete users', $group->code);
Role::assignRoutesViaPermission('Admin', 'changeUserPassword', ['/user-management/user/change-password'], 'Change user password', $group->code);
Role::assignRoutesViaPermission('Admin', 'assignRolesToUsers', ['/user-management/user-permission/set', '/user-management/user-permission/set-roles'], 'Assign roles to users', $group->code);
Permission::assignRoutes('viewVisitLog', ['/user-management/user-visit-log/index', '/user-management/user-visit-log/grid-page-size', '/user-management/user-visit-log/view'], 'View visit log', $group->code);
Permission::create('viewUserRoles', 'View user roles', $group->code);
Permission::create('viewRegistrationIp', 'View registration IP', $group->code);
Permission::create('viewUserEmail', 'View user email', $group->code);
Permission::create('editUserEmail', 'Edit user email', $group->code);
Permission::create('bindUserToIp', 'Bind user to IP', $group->code);
Permission::addChildren('assignRolesToUsers', ['viewUsers', 'viewUserRoles']);
Permission::addChildren('changeUserPassword', ['viewUsers']);
Permission::addChildren('deleteUsers', ['viewUsers']);
Permission::addChildren('createUsers', ['viewUsers']);
Permission::addChildren('editUsers', ['viewUsers']);
Permission::addChildren('editUserEmail', ['viewUserEmail']);
// ================= User common permissions =================
$group = new AuthItemGroup();
$group->name = 'User common permission';
$group->code = 'userCommonPermissions';
$group->save(false);
Role::assignRoutesViaPermission('Admin', 'changeOwnPassword', ['/user-management/auth/change-own-password'], 'Change own password', $group->code);
}
/**
* Assign route to role via permission and create permission or route if it don't exists
* Helper mainly for migrations
*
* @param string $roleName
* @param string $permissionName
* @param array $routes
* @param null|string $permissionDescription
* @param null|string $groupCode
*
* @throws \InvalidArgumentException
* @return true|static|string
*/
public static function assignRoutesViaPermission($roleName, $permissionName, $routes, $permissionDescription = null, $groupCode = null)
{
$role = static::findOne(['name' => $roleName]);
if (!$role) {
throw new \InvalidArgumentException("Role with name = {$roleName} not found");
}
$permission = Permission::findOne(['name' => $permissionName]);
if (!$permission) {
$permission = Permission::create($permissionName, $permissionDescription, $groupCode);
if ($permission->hasErrors()) {
return $permission;
}
}
try {
Yii::$app->db->createCommand()->insert(Yii::$app->getModule('user-management')->auth_item_child_table, ['parent' => $role->name, 'child' => $permission->name])->execute();
} catch (Exception $e) {
// Don't throw Exception because we may have this permission for this role,
// but need to add new routes to it
}
$routes = (array) $routes;
foreach ($routes as $route) {
Route::create($route);
try {
Yii::$app->db->createCommand()->insert(Yii::$app->getModule('user-management')->auth_item_child_table, ['parent' => $permission->name, 'child' => $route])->execute();
} catch (Exception $e) {
// Don't throw Exception because this permission may already have this route,
// so just go to the next route
}
}
AuthHelper::invalidatePermissions();
return true;
}
/**
* Check if user has access to current route
*
* @param Action $action the action to be executed.
*
* @return boolean whether the action should continue to be executed.
*/
public function beforeAction($action)
{
if ($action->id == 'captcha') {
return true;
}
$route = '/' . $action->uniqueId;
if (Route::isFreeAccess($route, $action)) {
return true;
}
if (Yii::$app->user->isGuest) {
$this->denyAccess();
}
// If user has been deleted, then destroy session and redirect to home page
if (!Yii::$app->user->isGuest and Yii::$app->user->identity === null) {
Yii::$app->getSession()->destroy();
$this->denyAccess();
}
// Superadmin owns everyone
if (Yii::$app->user->isSuperadmin) {
return true;
}
if (Yii::$app->user->identity and Yii::$app->user->identity->status != User::STATUS_ACTIVE) {
Yii::$app->user->logout();
Yii::$app->getResponse()->redirect(Yii::$app->getHomeUrl());
}
if (User::canRoute($route)) {
return true;
}
if (isset($this->denyCallback)) {
call_user_func($this->denyCallback, null, $action);
} else {
$this->denyAccess();
}
return false;
}
public function safeUp()
{
Route::refreshRoutes();
(new AuthItemGroup(['name' => 'Settings', 'code' => 'settings']))->save();
Role::assignRoutesViaPermission('Admin', 'fullAccessToSettings', ['settings/manage/*'], null, 'settings');
Role::assignRoutesViaPermission('SeoManager', 'accessToSeoSettings', ['settings/manage/seo'], 'Access to SEO settings', 'settings');
AuthHelper::invalidatePermissions();
}
/**
* Gather all user permissions and roles and store them in the session
*
* @param UserIdentity $identity
*/
public static function updatePermissions($identity)
{
$session = Yii::$app->session;
// Clear data first in case we want to refresh permissions
$session->remove(self::SESSION_PREFIX_ROLES);
$session->remove(self::SESSION_PREFIX_PERMISSIONS);
$session->remove(self::SESSION_PREFIX_ROUTES);
// Set permissions last mod time
$session->set(self::SESSION_PREFIX_LAST_UPDATE, filemtime(self::getPermissionsLastModFile()));
// Save roles, permissions and routes in session
$session->set(self::SESSION_PREFIX_ROLES, array_keys(Role::getUserRoles($identity->id)));
$session->set(self::SESSION_PREFIX_PERMISSIONS, array_keys(Permission::getUserPermissions($identity->id)));
$session->set(self::SESSION_PREFIX_ROUTES, Route::getUserRoutes($identity->id));
}
/**
* Check if current route allowed for everyone (in commonPermission routes)
*
* @param string $currentFullRoute
*
* @return bool
*/
protected static function isInCommonPermission($currentFullRoute)
{
$commonRoutes = Yii::$app->cache->get('__commonRoutes');
if ($commonRoutes === false) {
$commonRoutesDB = (new Query())->select('child')->from(Yii::$app->getModule('user-management')->auth_item_child_table)->where(['parent' => Yii::$app->getModule('user-management')->commonPermissionName])->column();
$commonRoutes = Route::withSubRoutes($commonRoutesDB, ArrayHelper::map(Route::find()->asArray()->all(), 'name', 'name'));
Yii::$app->cache->set('__commonRoutes', $commonRoutes, 3600);
}
return in_array($currentFullRoute, $commonRoutes);
}
/**
* Useful for Menu widget
*
* <example>
* ...
* [ 'label'=>'Some label', 'url'=>['/site/index'], 'visible'=>User::canRoute(['/site/index']) ]
* ...
* </example>
*
* @param string|array $route
* @param bool $superAdminAllowed
*
* @return bool
*/
public static function canRoute($route, $superAdminAllowed = true)
{
if ($superAdminAllowed and Yii::$app->user->isSuperadmin) {
return true;
}
$baseRoute = AuthHelper::unifyRoute($route);
if (Route::isFreeAccess($baseRoute)) {
return true;
}
AuthHelper::ensurePermissionsUpToDate();
return Route::isRouteAllowed($baseRoute, Yii::$app->session->get(AuthHelper::SESSION_PREFIX_ROUTES, []));
}
/**
* Add new routes and remove unused (for example if module or controller was deleted)
*
* @param string $id
* @param null $deleteUnused
*
* @return \yii\web\Response
*/
public function actionRefreshRoutes($id, $deleteUnused = null)
{
Route::refreshRoutes($deleteUnused !== null);
return $this->redirect(['view', 'id' => $id]);
}
/**
* Add new routes and remove unused (for example if module or controller was deleted)
*
* @param string $id
*
* @return \yii\web\Response
*/
public function actionRefreshRoutes($id)
{
Route::refreshRoutes();
return $this->redirect(['view', 'id' => $id]);
}
