/**
 * Redefine constructor for RBAC
 *
 * @access public
 * @param array $params configuration array
 * @return void
 */
public function __construct(array $params = [])
{
    parent::__construct();
    // Build the role tree only when roles were passed in the configuration
    if (!empty($params['roles'])) {
        $this->roles = $this->tree($params['roles']);
    }
}
public function index()
{
    if (IS_POST) {
        // Handle back-end (admin) login.
        // Note: an unsalted MD5 digest is not a suitable password hash; password_hash()
        // with password_verify() is the supported alternative in current PHP.
        $gzdata = array(
            'username' => $_POST['username'],
            'password' => md5($_POST['password']),
        );
        $code = K('User')->adminCheck($gzdata);
        // Each branch reports a distinct message, so the response reveals whether
        // the account exists (a username-enumeration side channel).
        switch ($code) {
            case 1:
                $msg = "管理员账户不存在,请检查填写是否正确!";
                $url = __APP__ . '?m=admin&c=login';
                $this->error($msg, $url);
                break;
            case 2:
                Rbac::login($gzdata['username'], $gzdata['password']);
                $msg = "验证成功,即将进入后台!!";
                $url = __APP__ . '?m=admin&c=index';
                $this->success($msg, $url);
                break;
            case 3:
                $msg = "密码错误,请重新检验你的管理账户密码!!";
                $url = __APP__ . '?m=admin&c=login';
                $this->error($msg, $url);
                break;
        }
    }
    $this->display();
}
/**
 * @rule access rbac
 */
public function action_index()
{
    Rbac::check();
    $rules = Rbac::parse_controllers();
    $roles = ORM::factory('role')->where('name', '!=', 'admin')->find_all();
    $view = View::factory('rbac_index')->set(array('rules' => $rules, 'roles' => $roles));
    $this->request->response = $view;
}
public function __init()
{
    // Redirect to the login page unless the session carries a user and Rbac confirms the login
    if (!isset($_SESSION['uid']) || !isset($_SESSION['uname']) || !Rbac::isLogin()) {
        go(__APP__ . '?c=Login');
    }
    // Deny the request when the logged-in user has no permission for the current action
    if (!Rbac::checkAccess()) {
        $this->error('对不起没有操作权限,请联系管理员获取0_0');
    }
}
public function __construct()
{
    parent::__construct();
    $this->auto = new LoginController();
    if (!Rbac::isLogin()) {
        go("Login/login");
    }
    if (!Rbac::verify()) {
        if (__HISTORY__) {
            $this->error('没有操作权限');
        } else {
            go('Login/login');
        }
    }
}
public function login()
{
    if (IS_POST) {
        $admin = K('AdminUser');
        $userInfo = $admin->validate($_POST['admin_username'], $_POST['admin_pwd']);
        if ($userInfo) {
            // Note: the session id is not regenerated after a successful login;
            // calling session_regenerate_id(true) here would close the session-fixation window.
            $_SESSION['uid'] = $userInfo['id'];
            $_SESSION['uname'] = $userInfo['admin_username'];
            // Record last-login time and client address on the admin row
            $data = array(
                'admin_logintime' => time(),
                'admin_loginip' => ipton(ip_get_client()),
            );
            $admin->update_admin('id=' . $userInfo['id'], $data);
            Rbac::login($userInfo['admin_username'], $userInfo['admin_pwd']);
            $this->success('登录成功', __APP__ . '?c=Index');
        } else {
            $this->error('登录失败,请检查您的用户名和密码');
        }
    }
}
/**
 * User login.
 * On success the user's permission information is written to $_SESSION.
 * If the login succeeds and the username equals $superadmin, the user is a super user
 * and is not subject to any access restriction.
 * @param string $username      username
 * @param string $password      password
 * @param string $superadmin    super administrator account
 * @param string $fieldUserName name of the username column in the user table
 * @param string $fieldPassword name of the password column in the user table
 * @return boolean
 */
public static function login($username, $password, $superadmin = null, $fieldUserName = null, $fieldPassword = null)
{
    $superadmin = is_null($superadmin) ? C("RBAC_SUPER_ADMIN") : $superadmin;
    $fieldUserName = is_null($fieldUserName) ? C("RBAC_USERNAME_FIELD") : $fieldUserName; // username column in the user table
    $fieldPassword = is_null($fieldPassword) ? C("RBAC_PASSWORD_FIELD") : $fieldPassword; // password column in the user table
    if (!C("RBAC_USER_TABLE")) {
        error(L("rbac_rbac_user_login1"));
    }
    // Strip any existing prefix so the user table name carries exactly one DB_PREFIX
    $table_user = C('DB_PREFIX') . str_ireplace(C('DB_PREFIX'), "", C("RBAC_USER_TABLE"));
    $db = M($table_user, true);
    // Note: $username is interpolated into the condition unescaped; unless the caller
    // validates it, this lookup is open to SQL injection.
    $user = $db->find("{$fieldUserName}='{$username}'");
    if (!$user) {
        self::$error = L("rbac_rbac_user_login2");
        return false;
    }
    // Strict comparison: the loose `!=` would apply PHP's numeric-string coercion to the digests
    if ($user[$fieldPassword] !== $password) {
        self::$error = L("rbac_rbac_user_login3");
        return false;
    }
    $db->table(C("RBAC_ROLE_USER_TABLE"));
    $sql = "SELECT * FROM " . C("DB_PREFIX") . C("RBAC_ROLE_TABLE") . " AS r,"
         . C('DB_PREFIX') . C('RBAC_ROLE_USER_TABLE') . " AS r_u"
         . " WHERE r_u.rid = r.rid AND uid = '" . $user['uid'] . "'";
    $userRoleInfo = $db->query($sql); // fetch the user's role information
    $_SESSION['username'] = $user['username'];
    $_SESSION[C("RBAC_AUTH_KEY")] = $user['uid'];
    $_SESSION['role'] = $userRoleInfo[0]['rname'];
    $_SESSION['rid'] = $userRoleInfo[0]['rid'];
    // Check whether this user is the super administrator
    if (strtoupper($user['username']) == strtoupper($superadmin)) {
        // Login successful: the super administrator bypasses all access checks
        $_SESSION[C("RBAC_SUPER_ADMIN")] = 1;
        $_SESSION["RBAC"] = array();
        return true;
    }
    if (!$_SESSION['rid']) {
        // The user belongs to no role
        self::$error = L("rbac_rbac_user_login4");
        return false;
    }
    self::getAccess(); // load the permissions into the session
    return true;
}
function setaccess()
{
    // $rid arrives straight from the query string; validate or cast it before it reaches find()
    $rid = $_GET['rid'];
    $db = k("role");
    $role = $db->find($rid);
    $this->assign('role', $role);
    $node = Rbac::getNodeList($rid);
    if (!$node) {
        $this->error("还没有设置权限节点,请设置", 'showaddnode');
    }
    $this->assign('node', $node);
    $this->display();
}
<table id="rbac_table" class="tablesorter" border="0" cellpadding="0" cellspacing="1">
    <thead>
        <tr>
            <th></th>
            <th>guest</th>
            <?php foreach ($roles as $role) { echo '<th>' . $role->name . '</th>'; } ?>
        </tr>
    </thead>
    <tbody>
        <?php
        // Rule keys have the form "controller/action" or "controller/action|expression".
        // Values echoed below ($rule[0], $action, $expression, $role->name) are not
        // HTML-escaped; wrap them in HTML::chars() (or htmlspecialchars()) if they can carry user input.
        foreach ($rules as $rule => $action) {
            $rule = explode('|', $rule);
            $expression = count($rule) == 2 ? $rule[1] : '';
            echo '<tr>';
            echo '<td>' . $rule[0] . '</td>';
            // Column for the guest role (role id 0)
            $checked = Rbac::match(0, $action, $expression);
            echo '<td><input action="' . $action . '" role="0" ' . $checked . ' expression="' . $expression . '" type="checkbox" /></td>';
            // One column per named role
            foreach ($roles as $role) {
                $checked = Rbac::match($role->id, $action, $expression);
                echo '<td><input action="' . $action . '" role="' . $role->id . '" ' . $checked . ' expression="' . $expression . '" type="checkbox" /></td>';
            }
            echo '</tr>';
        }
        ?>
    </tbody>
</table>
Rbac::action('API\\FolderController@destroy', 'folders.delete');

// questions
Rbac::action(['API\\QuestionController@index', 'API\\QuestionController@my', 'API\\QuestionController@show'], 'questions.view');
Rbac::action('API\\QuestionController@store', 'questions.create');
Rbac::action('API\\QuestionController@update', 'questions.edit');
Rbac::action('API\\QuestionController@destroy', 'questions.delete');

// answers
Rbac::action(['API\\Question\\AnswerController@index', 'API\\Question\\AnswerController@my'], 'answers.view');
Rbac::action('API\\Question\\AnswerController@store', 'answers.create');
Rbac::action('API\\Question\\AnswerController@update', 'answers.edit');
Rbac::action('API\\Question\\AnswerController@setClosed', 'questions.close');
Rbac::action('API\\Question\\AnswerController@destroy', 'answers.delete');

// comments
Rbac::action('API\\Question\\CommentController@store', 'comments.create');
Rbac::action('API\\Question\\CommentController@update', 'comments.edit');
Rbac::action('API\\Question\\CommentController@destroy', 'comments.delete');

// tags
Rbac::action('API\\TagController@index', 'tags.view');
//Rbac::action('API\\TagController@update', 'tags.edit');
//Rbac::action('API\\TagController@destroy', 'tags.delete');

// votes
Rbac::action('API\\VoteController@store', 'votes.create.own');
Rbac::action('API\\VoteController@destroy', 'votes.delete.own');

// images
Rbac::action('API\\ImageController@show', 'images.view');
Rbac::action('API\\ImageController@store', 'images.create');

// link preview
Rbac::action('API\\PreviewController@index', 'preview.view');

// roles
Rbac::action('API\\RoleController@update', 'roles.update');
// folders
Rbac::action(['API\\FolderController@index', 'API\\FolderController@foldersForCrud'], 'folders.view');
Rbac::action('API\\FolderController@store', 'folders.create');
Rbac::action('API\\FolderController@update', 'folders.edit');
Rbac::action('API\\FolderController@destroy', 'folders.delete');

// questions
Rbac::action(['API\\QuestionController@index', 'API\\QuestionController@my', 'API\\QuestionController@show'], 'questions.view');
Rbac::action('API\\QuestionController@store', 'questions.create');
//Rbac::action('API\\QuestionController@update', 'questions.edit');
Rbac::action('API\\QuestionController@destroy', 'questions.delete');

// answers
Rbac::action(['API\\Question\\AnswerController@index', 'API\\Question\\AnswerController@my'], 'answers.view');
Rbac::action('API\\Question\\AnswerController@store', 'answers.create');
//Rbac::action('API\\Question\\AnswerController@update', 'answers.edit');
Rbac::action('API\\Question\\AnswerController@destroy', 'answers.delete');

// comments
Rbac::action('API\\Question\\CommentController@store', 'comments.create');
//Rbac::action('API\\Question\\CommentController@update', 'comments.edit');
Rbac::action('API\\Question\\CommentController@destroy', 'comments.delete');

// tags
Rbac::action('API\\TagController@index', 'tags.view');
//Rbac::action('API\\TagController@update', 'tags.edit');
//Rbac::action('API\\TagController@destroy', 'tags.delete');

// votes
Rbac::action('API\\VoteController@store', 'votes.create.own');
Rbac::action('API\\VoteController@destroy', 'votes.delete.own');

// images
Rbac::action('API\\ImageController@show', 'images.view');
Rbac::action('API\\ImageController@store', 'images.create');
}); // closes a permission definition that begins before this excerpt

Rbac::permission('comments.delete');
// "own" variants wrap a base permission in an ownership check evaluated at request time
Rbac::permission('comments.delete.own', ['comments.delete'], function ($params) {
    return Ownership::isCommentsOwner($params);
});
Rbac::permission('comments.manage', ['comments.view', 'comments.create', 'comments.edit', 'comments.delete']);
Rbac::permission('comments.manage.own', ['comments.create', 'comments.edit.own', 'comments.delete.own']);

// tags
Rbac::permission('tags.view');
//Rbac::permission('tags.create');
//Rbac::permission('tags.edit');
//Rbac::permission('tags.delete');
Rbac::permission('tags.manage', ['tags.view']);

// votes
Rbac::permission('votes.view');
Rbac::permission('votes.create.own');
Rbac::permission('votes.delete.own');
Rbac::permission('votes.own', ['votes.create.own', 'votes.delete.own']);

// images
Rbac::permission('images.view');
Rbac::permission('images.create');

// link preview
Rbac::permission('preview.view');

// roles
Rbac::permission('roles.update');

/*
 * Roles
 */
Rbac::role('ADMIN', [
    'users.manage', 'folders.manage', 'questions.manage', 'answers.manage', 'comments.manage',
    'tags.manage', 'votes.view', 'votes.own', 'images.view', 'images.create', 'preview.view', 'roles.update',
]);
Rbac::role('USER', [
    'users.edit.own', 'folders.view', 'questions.view', 'questions.manage.own', 'answers.view',
    'answers.manage.own', 'comments.view', 'comments.manage.own', 'tags.view', 'votes.view', 'votes.own',
    'images.view', 'images.create', 'preview.view',
]);
/**
 * User login.
 * On success the user's permission information is written to $_SESSION.
 * If the login succeeds and the username equals $superadmin, the user is a super user
 * and is not subject to any access restriction.
 * @param string $username      username
 * @param string $password      password
 * @param string $superadmin    super administrator account
 * @param string $fieldUserName name of the username column in the user table
 * @param string $fieldPassword name of the password column in the user table
 * @return boolean
 */
public static function login($username, $password, $superadmin = null, $fieldUserName = null, $fieldPassword = null)
{
    $superadmin = is_null($superadmin) ? C("RBAC_SUPER_ADMIN") : $superadmin;
    $fieldUserName = is_null($fieldUserName) ? C("RBAC_USERNAME_FIELD") : $fieldUserName; // username column in the user table
    $fieldPassword = is_null($fieldPassword) ? C("RBAC_PASSWORD_FIELD") : $fieldPassword; // password column in the user table
    if (!C("RBAC_USER_TABLE")) {
        halt('用户表设置错误,请在配置文件中添加用户表');
    }
    // Remove any prefix from the configured user table name
    $table_user = str_ireplace(C('DB_PREFIX'), "", C("RBAC_USER_TABLE"));
    $db = M($table_user);
    // Note: $username is interpolated into the condition unescaped; unless the caller
    // validates it, this lookup is open to SQL injection.
    $user = $db->where("{$fieldUserName}='{$username}'")->all();
    if (!$user) {
        self::$error = '用户不存在';
        return false;
    }
    // Strict comparison: the loose `!=` would apply PHP's numeric-string coercion to the digests
    if ($user[0][$fieldPassword] !== $password) {
        self::$error = '密码输入错误';
        return false;
    }
    $uid = C("RBAC_AUTH_KEY"); // session key under which the user id is stored
    $db->table = C("RBAC_ROLE_USER_TABLE");
    $sql = "SELECT * FROM " . C("DB_PREFIX") . C("RBAC_ROLE_TABLE") . " AS r,"
         . C('DB_PREFIX') . C('RBAC_ROLE_USER_TABLE') . " AS r_u"
         . " WHERE r_u.role_id = r.id AND user_id = '" . $user[0]['id'] . "'";
    $userRoleInfo = $db->query($sql); // fetch the user's role information
    $_SESSION['username'] = $user[0]['admin_username'];
    $_SESSION[C("RBAC_AUTH_KEY")] = $user[0]['id'];
    $_SESSION['role'] = $userRoleInfo[0]['name'];
    $_SESSION['rid'] = $userRoleInfo[0]['role_id'];
    // Check whether this user is the super administrator
    if (strtoupper($user[0]['admin_username']) == strtoupper($superadmin)) {
        // Login successful: the super administrator bypasses all access checks
        $_SESSION[C("RBAC_SUPER_ADMIN")] = 1;
        $_SESSION["RBAC"] = array();
        return true;
    }
    if (!$_SESSION['rid']) {
        // The user belongs to no role
        self::$error = '不属于任何组,没有访问权限';
        return false;
    }
    self::getAccess(); // load the permissions into the session
    return true;
}
<?php

Rbac::permission('event.create');
Rbac::permission('blog.create');
Rbac::permission('test.create');
Rbac::permission('course.create');

Rbac::role('teacher', ['event.create', 'blog.create', 'test.create', 'course.create']);
Rbac::role('director', ['event.create', 'blog.create', 'test.create', 'course.create']);

/*
 * Describe your permissions here.
 *
 * Rbac::permission('users.show');
 * Rbac::permission('users.index');
 * Rbac::permission('users.update');
 *
 * Rbac::permission('users.view', [
 *     'users.show',
 *     'users.index'
 * ]);
 *
 * Rbac::permission('users.update.self', ['users.update'], function($params)
 * {
 *     return $this->user->id == $params['user']->id;
 * });
 *
 * Rbac::role('user', [
 *     'users.view',
 *     'users.update.self'
 * ]);
 */
/**
 * @param $controllerName
 * @param $actionName
 * @param bool $auth
 * @return bool
 */
public function checkacl($controllerName, $actionName, $auth = AUTH)
{
    return Rbac::check($controllerName, $actionName, $auth);
}
<?php

Rbac::permission('news.destroy');
Rbac::permission('news.update');
Rbac::permission('news.manage', ['news.destroy', 'news.update']);
// Grants news.manage only when the current user authored the news item
Rbac::permission('news.manage.own', ['news.manage'], function ($params) {
    return $this->user->id == $params['news']->author_id;
});

Rbac::resource('article', 'ArticlesController', 'author_id');

Rbac::role('admin', ['news.manage', 'article.manage']);
Rbac::role('user', ['news.manage.own', 'article.manage.own']);