我正在尝试在Kohana中编写自己的RBAC模块。 我不想使用现有模块,我只想这样做才能学习。
我的表是:用户,角色,权限和users_roles,roles_permissions(由于用户< - >角色之间的多对多关系,以及角色< - >权限);
我的用户模型:
class Model_User extends ORM {
protected $_primary_key = 'user_id';
protected $_has_many = array(
'roles' => array(
'model' => 'role',
'through' => 'users_roles',
),
);
}
我的角色模型:
class Model_Role extends ORM {
protected $_primary_key = 'role_id';
protected $_has_many = array(
'users' => array(
'model' => 'user',
'through' => 'users_roles',
),
'permissions' => array(
'model' => 'permission',
'through' => 'roles_permissions',
),
);
}
和我的权限模型:
class Model_Permission extends ORM {
protected $_primary_key = 'permission_id';
protected $_has_many = array(
'roles' => array(
'model' => 'role',
'through' => 'roles_permissions',
),
);
}
我创建用户:
$user = ORM::factory('user');
$user->username = 'johndoe';
$user->email = 'john@doe.com';
//etc
$user.save();
我创建了角色:
$author = ORM::factory('role');
$author->name = 'author';
$author->save();
我创建权限:
$read = ORM::factory('permission');
$read->name = 'read';
$read->description = 'can read posts';
$read->save();
$write = ORM::factory('permission');
$write->name = 'write';
$write->description = 'can write posts';
$write->save();
我向用户添加角色:
$user->add('roles', $author);
我为角色添加权限:
$author->add('permissions', $read);
$author->add('permissions', $write);
一切正常。
但是,我的问题是如何检查用户是否拥有给定的权限:在这种情况下如何检查 johndoe 是否有权写一个帖子?
感谢您的帮助!
答案 0 :(得分:1)
一个查询,但与前一个答案相比只有两个联接
class Model_User extends ORM {
// ... some stuff here
public function has_permission($permission_name)
{
return (bool) ORM::factory('permission')
->where('permission.name', '=', $permission_name)
->join('roles_permissions')
->on('roles_permissions.permission_id', '=', 'permision.permission_id')
->join('roles_users')
->on('roles_users.role_id', '=', 'roles_permissions.role_id')
->on('roles_users.user_id', '=', DB::expr((int) $this->user_id))
->count_all();
}
}
答案 1 :(得分:0)
我在一个查询中找到了一个解决方案:
$count = ORM::factory('permission')
->join('roles_permissions')
->on('permission.permission_id', '=', 'roles_permissions.permission_id')
->join('roles')
->on('roles.role_id', '=', 'roles_permissions.role_id')
->join('users_roles')
->on('roles.role_id', '=', 'users_roles.role_id')
->join('users')
->on('users.user_id', '=', 'users_roles.user_id')
->on('users.user_id', '=', DB::expr($user->user_id))
->where('permission.name', '=', 'write')
->find_all()
->count();
然后如果$count > 0,则表示$ user有权写。
是否有更简单的解决方案?
答案 2 :(得分:-1)
这是一个更好的解决方案,可以在提供主键或模型实例时执行更快的查询:
<?php
class Model_User extends ORM {
// ...
/**
* Check if a user is allowed to perform an action based on permissions
* attached to the user's roles.
*
* @param int|string|Model_Permission $permission name, primary key or instance of permission
* @return boolean TRUE if allowed; FALSE otherwise
*/
public function is_allowed_to($permission)
{
// We have a permission name
if (is_string($permission) AND ! is_numeric($permission))
return (bool) ORM::factory('permission')
->where('permission.name', '=', $permission)
->join('roles_permissions')
->on('roles_permissions.permission_id', '=', 'permission.permission_id')
->join('roles_users')
->on('roles_users.role_id', '=', 'roles_permissions.role_id')
->where('roles_users.user_id', '=', $this->pk())
->count_all();
// We can get the permission primary key
// to perform a faster query
$permission_id = ($permission instanceof Model_Permission)
? $permission->pk()
: $permission;
return (bool) DB::select(array(DB::expr('COUNT(*)'), 'records_found'))
->from('roles_permissions')
->join('roles_users')
->on('roles_users.role_id', '=', 'roles_permissions.role_id')
->where('roles_permissions.permission_id', '=', $permission_id)
->where('roles_users.user_id', '=', $this->pk())
->execute()
->get('records_found');
}
// ...
}