使用BjyAuthorize在基于角色的路由中进行配置不起作用

时间:2013-08-19 14:27:11

标签: zend-framework2 acl zfcuser bjyauthorize

这是我的bjyauthorize.global.php内容

<?php

return array(
'bjyauthorize' => array(

    // set the 'guest' role as default (must be defined in a role provider)
    // 'default_role' => 'guest',

    /* this module uses a meta-role that inherits from any roles that should
     * be applied to the active user. the identity provider tells us which
     * roles the "identity role" should inherit from.
     *
     * for ZfcUser, this will be your default identity provider
     */
    'identity_provider' => 'BjyAuthorize\Provider\Identity\ZfcUserZendDb',

    /* If you only have a default role and an authenticated role, you can
     * use the 'AuthenticationIdentityProvider' to allow/restrict access
     * with the guards based on the state 'logged in' and 'not logged in'.
     */
      // 'default_role'       => 'guest',         // not authenticated
      // 'authenticated_role' => 'user',          // authenticated
      // 'identity_provider'  => 'BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider',


    /* role providers simply provide a list of roles that should be inserted
     * into the Zend\Acl instance. the module comes with two providers, one
     * to specify roles in a config file and one to load roles using a
     * Zend\Db adapter.
     */
    'role_providers' => array(

        /* here, 'guest' and 'user are defined as top-level roles, with
         * 'admin' inheriting from user
         */
        'BjyAuthorize\Provider\Role\Config' => array(
            'admin' => array(),
            'guest' => array()
        ),

        // this will load roles from the user_role table in a database
        // format: user_role(role_id(varchar), parent(varchar))
        'BjyAuthorize\Provider\Role\ZendDb' => array(
            'table'             => 'user_role',
            'role_id_field'     => 'roleId',
            'parent_role_field' => 'parent_id',
        ),

        // this will load roles from the 'BjyAuthorize\Provider\Role\Doctrine'
        // service
        // 'BjyAuthorize\Provider\Role\Doctrine' => array(),
    ),

    // resource providers provide a list of resources that will be tracked
    // in the ACL. like roles, they can be hierarchical
    'resource_providers' => array(
        // 'BjyAuthorize\Provider\Resource\Config' => array(
        //     'pants' => array(),
        // ),

        'BjyAuthorize\Provider\Resource\Config' => array(
            'Collections\Controller\CollectionsController' => array('admin'),
        ),
    ),

    /* rules can be specified here with the format:
     * array(roles (array), resource, [privilege (array|string), assertion])
     * assertions will be loaded using the service manager and must implement
     * Zend\Acl\Assertion\AssertionInterface.
     * *if you use assertions, define them using the service manager!*
     */
    'rule_providers' => array(
        'BjyAuthorize\Provider\Rule\Config' => array(
            'allow' => array(
                // allow guests and users (and admins, through inheritance)
                // the "wear" privilege on the resource "pants"
                // array(array('guest', 'user'), 'pants', 'wear')
                array(array('admin'), 'Collections\Controller\CollectionsController', 'index')
            ),

            // Don't mix allow/deny rules if you are using role inheritance.
            // There are some weird bugs.
            'deny' => array(
                // ...
                 // array(array('admin', 'guest'), 'collections', 'add')
            ),
        ),
    ),

    /* Currently, only controller and route guards exist
     *
     * Consider enabling either the controller or the route guard depending on your needs.
     */
    'guards' => array(
        /* If this guard is specified here (i.e. it is enabled), it will block
         * access to all controllers and actions unless they are specified here.
         * You may omit the 'action' index to allow access to the entire controller
         */
        'BjyAuthorize\Guard\Controller' => array(
            array('controller' => 'index', 'action' => 'index', 'roles' => array('admin','guest')),
            array('controller' => 'index', 'action' => 'stuff', 'roles' => array('admin')),
            array('controller' => 'Collections\Controller\CollectionsController', 'roles' => array('admin', 'guest')),

            // You can also specify an array of actions or an array of controllers (or both)
            // allow "guest" and "admin" to access actions "list" and "manage" on these "index",
            // "static" and "console" controllers
            // array(
            //     'controller' => array('index', 'static', 'console'),
            //     'action' => array('list', 'manage'),
            //     'roles' => array('guest', 'admin')
            // ),
            array('controller' => 'zfcuser', 'roles' => array('admin', 'guest')),
            // Below is the default index action used by the ZendSkeletonApplication
            array('controller' => 'Application\Controller\Index', 'roles' => array('guest', 'admin')),
        ),

        /* If this guard is specified here (i.e. it is enabled), it will block
         * access to all routes unless they are specified here.
         */
        'BjyAuthorize\Guard\Route' => array(
            array('route' => 'zfcuser', 'roles' => array('admin', 'guest')),
            array('route' => 'zfcuser/logout', 'roles' => array('admin', 'guest')),
            array('route' => 'zfcuser/login', 'roles' => array('admin', 'guest')),
            array('route' => 'zfcuser/register', 'roles' => array('guest', 'admin')),
            // Below is the default index action used by    the ZendSkeletonApplicationarray('route' => 'zfcuser/register', 'roles' => array('guest', 'admin')),
            array('route' => 'collections/index', 'roles' => array('guest', 'admin')),
            array('route' => 'home', 'roles' => array('guest', 'admin')),
        ),
    ),
),
);

我有这样的数据库结构:

--
-- Table structure for table `user`
--

CREATE TABLE IF NOT EXISTS `user` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(255) DEFAULT NULL,
`email` varchar(255) DEFAULT NULL,
`display_name` varchar(50) DEFAULT NULL,
`password` varchar(128) NOT NULL,
`state` smallint(5) unsigned DEFAULT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`),
UNIQUE KEY `email` (`email`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=7 ;

--
-- Dumping data for table `user`
--

INSERT INTO `user` (`id`, `username`, `email`, `display_name`, `password`, `state`) VALUES
(1, NULL, 'test@test.com', NULL, '$2y$14$fL.K0rieXO.kHsHfOogH8Oaf..C.1GsYqEB49A3Dmxy9ZiMhWHx7.', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `user_role`
--

CREATE TABLE IF NOT EXISTS `user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`roleId` varchar(255) NOT NULL,
`is_default` tinyint(1) NOT NULL,
`parent_id` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=3 ;

--
-- Dumping data for table `user_role`
--

INSERT INTO `user_role` (`id`, `roleId`, `is_default`, `parent_id`) VALUES
(1, 'admin', 1, 'admin'),
(2, 'guest', 1, 'admin');

-- --------------------------------------------------------

-- 
-- Table structure for table `user_role_linker`
--

CREATE TABLE IF NOT EXISTS `user_role_linker` (
`user_id` int(11) unsigned NOT NULL,
`role_id` int(11) NOT NULL,
PRIMARY KEY (`user_id`,`role_id`),
KEY `role_id` (`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `user_role_linker`
--

INSERT INTO `user_role_linker` (`user_id`, `role_id`) VALUES
(1, 1);

我已根据此issue修改了用户表的列。我已将user_id的ZfcUser的Mapper修改为id。它工作正常,因为它没有显示任何错误。

即使没有任何错误,我登录之前的任何模块(/ user和/ collections)除了登录页面(zfcuser / login)之外总是得到“403 Forbidden”。

我对数据库中的user_role_linker表数据存在疑问。我没有找到适当的文档来输入BjyAuth library中user_role表的角色数据。建议我在配置文件或数据库表中没有任何错误配置或此处未提及的任何其他内容。

2 个答案:

答案 0 :(得分:1)

user_role_linker表的问题,字段role_id应该是varchar而不是int。我遇到过同样的问题。检查以下转储以获取样本数据。

CREATE TABLE IF NOT EXISTS `user_role_linker` (
`user_id` int(11) unsigned NOT NULL,
`role_id` varchar(128) NOT NULL,
 PRIMARY KEY (`user_id`,`role_id`),
 KEY `role_id` (`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
--   Dumping data for table `user_role_linker`
--

INSERT INTO `user_role_linker` (`user_id`, `role_id`) VALUES(1, 'admin'); 

答案 1 :(得分:0)

如果你没有正确设置基础,你可能会尝试做太多。不是一个完整的答案,但我建议如下;

  • 安装Zend Framework Developer Tools( https://github.com/zendframework/ZendDeveloperTools)一旦运行它 页面底部有一个工具栏,告诉你什么角色 你现在有。它对一堆其他东西也很有用。 假设您在登录时拥有适当的角色,仅限 一次设置一个警卫。即。你现在两个都有 “BjyAuthorize \ Guard \ Controller”和“BjyAuthorize \ Guard \ Route”设置

  • 您可以只使用其中一个或另一个来运行,当您有一个正在运行时,您可以测试另一个。只需删除或注释掉 bjyauthorize.global.php中的适当部分。

请注意,行为是如果启用防护,则阻止未指定的所有内容。

如果没有看到您的控制器和路由,我不知道上面的一些配置是否正确,但是仔细检查路由名称并使用完全限定的控制器名称可能更安全。而不是

array('controller' => 'index',

array('controller' => 'YourModuleName\Controller\IndexController',

我希望这是一些帮助。

此外,如果您最终在某个时间点使用Doctrine ORM https://github.com/manuakasam/SamUser是一个很好的模块,可以轻松地将BjyAuthorize,ZFcuser和Doctrine绑定在一起。