[英]Yii2 - Override checkAccess in rest ActiveController
Product.supplierID = Supplier.supplierID
--------- ----------
|Product|---------|Supplier|
--------- ----------
|
| Supplier.supplierID = User.supplierID
|
---------
| User |
---------
Using the above table structure, the application uses sub-classes of ActiveController
, with overridden prepareDataProvider
to limit the index
list of each Product
a logged in User
can see to those with matching supplierID
values. 使用上面的表结构,应用程序使用ActiveController
子类,并使用重写的prepareDataProvider
来限制登录的每个Product
的index
列表User
可以看到具有匹配的supplierID
值的那些。 Something like this in the actions()
method of ProductController
. 在ProductController
的actions()
方法中有类似的东西。
$actions['index']['prepareDataProvider'] = function($action)
{
$query = Product::find();
if (Yii::$app->user->can('supplier') &&
Yii::$app->user->identity->supplierID) {
$query->andWhere(['supplierID' => Yii::$app->user->identity->supplierID]);
}
return new ActiveDataProvider(['query' => $query]);
};
This works fine, however I'm looking to use checkAccess()
to limit actionView()
for a single Product
. 这工作正常,但我希望使用checkAccess()
来限制单个Product
actionView()
。
At the moment, a logged in User
can access a Product
by changing the productID
in the URL, whether or not the have the appropriate supplierID
. 目前,登录User
可以通过更改URL中的productID
来访问Product
,无论是否具有相应的supplierID
。
It looks like I can't access the particular instance of Product
, to check the supplierID
, until actionView()
has returned which is when I want the check to happen. 看起来我无法访问Product
的特定实例,检查supplierID
,直到actionView()
返回,这是我希望检查发生的时间。
Can I override checkAccess()
to restrict access and throw the appropriate ForbiddenHttpException
? 我可以覆盖checkAccess()
来限制访问并抛出适当的ForbiddenHttpException
吗?
What about a function that checks if a model exist : 如何检查模型是否存在:
protected function modelExist($id)
{
return Product::find()
->where([ 'productID' => $id ])
->andWhere(['supplierID' => Yii::$app->user->identity->supplierID ])
->exists();
}
If productID
is your Product Primary Key, then a request to /products/1
will be translated by yii\\rest\\UrlRule to /products?productID=1
. 如果productID
是您的产品主键,那么对/products/1
的请求将由yii \\ rest \\ UrlRule翻译为/products?productID=1
。
In that case, when productID
is provided as a param , you can use beforeAction
to make a quick check if such model exist & let the action be executed or throw an error if it doesn't : 在这种情况下,当productID
作为参数提供时,您可以使用beforeAction
快速检查是否存在此类模型并执行操作或如果不执行则抛出错误:
// this array will hold actions to which you want to perform a check
public $checkAccessToActions = ['view','update','delete'];
public function beforeAction($action) {
if (!parent::beforeAction($action)) return false;
$params = Yii::$app->request->queryParams;
if (isset($params['productID']) {
foreach ($this->checkAccessToActions as $action) {
if ($this->action->id === $action) {
if ($this->modelExist($params['productID']) === false)
throw new NotFoundHttpException("Object not found");
}
}
}
return true;
}
As the question is about Overriding the checkAccess method in rest ActiveController I thought it would be useful to leave an example. 由于问题是关于覆盖休息ActiveController中的checkAccess方法,我认为留下一个例子会很有用。
In the way how Yii2 REST was designed, all of delete
, update
and view
actions will invoke the checkAccess
method once the model instance is loaded: 在设计Yii2 REST的方式中,所有delete
, update
和view
操作都会在加载模型实例后调用checkAccess
方法:
// code snippet from yii\rest\ViewAction
$model = $this->findModel($id);
if ($this->checkAccess) {
call_user_func($this->checkAccess, $this->id, $model);
}
The same is true for the create
and index
actions except that they won't pass any model instance to it: call_user_func($this->checkAccess, $this->id)
. 对于create
和index
操作也是如此,除了它们不会将任何模型实例传递给它: call_user_func($this->checkAccess, $this->id)
。
So what you are trying to do ( throwing a ForbiddenHttpException when a user is trying to view, update or delete a product he is not its supplier ) may also be achieved this way: 因此,您尝试做的事情( 当用户试图查看,更新或删除他不是供应商的产品时抛出ForbiddenHttpException )也可以通过以下方式实现:
public function checkAccess($action, $model = null, $params = [])
{
if ($action === 'view' or $action === 'update' or $action === 'delete')
{
if ( Yii::$app->user->can('supplier') === false
or Yii::$app->user->identity->supplierID === null
or $model->supplierID !== \Yii::$app->user->identity->supplierID )
{
throw new \yii\web\ForbiddenHttpException('You can\'t '.$action.' this product.');
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.