[英]Yii2 rbac user can not update his own post
因此,我創建的權限和角色比注冊時每個用戶都獲得“用戶”角色。 當用戶嘗試更新其他人的帖子時,他不能這樣做,這沒關系。 問題在於他甚至無法更新自己的帖子。 無法弄清楚。 (當我在控制器中將“用戶”替換為“ @”時,所有這些工作正常)
public function up()
{
$auth = Yii::$app->authManager;
//creating post
$createPost = $auth->createPermission('createPost');
$createPost->description = 'Create Post';
$auth->add($createPost);
//deleting post
$deletePost = $auth->createPermission('deletePost');
$deletePost->description = 'Delete Post';
$auth->add($deletePost);
//update post
$updatePost = $auth->createPermission('updatePost');
$updatePost->description = 'Update Post';
$auth->add($updatePost);
//delete user
$deleteUser = $auth->createPermission('deleteUser');
$deleteUser->description = 'Delete User';
$auth->add($deleteUser);
//create role 'user' and add permissions
$user = $auth->createRole('user');
$user->description = 'User';
$auth->add($user);
$auth->addChild($user, $createPost);
$auth->addChild($user, $deletePost);
$auth->addChild($user, $updatePost);
//create role 'admin' and add permissions
$admin = $auth->createRole('admin');
$admin->description = 'Administrator';
$auth->add($admin);
$auth->addChild($admin, $user);
$auth->addChild($admin, $deleteUser);
}
public function down()
{
Yii::$app->authManager->removeAll();
}
AuthorAccessRule(在stackoverflow上找到它):
class AuthorAccessRule extends AccessRule
{
public $allow = true;
public $roles = ['@'];
public function allows($action, $user, $request)
{
$parentRules = parent::allows($action, $user, $request);
// $parentRes can be `null`, `false` or `true`.
// True means the parent rule matched and allows access.
if($parentRules != true)
{
return $parentRules;
}
return ($this->getProjectAuthorId($request) == $user->id);
}
private function getProjectAuthorId($request)
{
// Fill in code to receive the right project.
// assuming the project id is given à la `project/update?id=1
$postId = $request->get('id');
$post = Post::findOne($postId);
return isset($post) ? $post->user_id : null;
}
}
和控制器:
'access' => [
'class' => AccessControl::className(),
'only' => ['update', 'delete'],
'rules' => [
[
'allow' => true,
'actions' => ['delete', 'update'],
'roles' => ['user'],
'class' => 'app\filters\AuthorAccessRule'
],
[
'allow' => true,
'actions' => ['delete', 'update'],
'roles' => ['admin'],
],
嘗試在不通過parent :: allow的條件下進行調試。 可以通過以下方式做到這一點:
public function allows($action, $user, $request)
{
$a = $this->matchAction($action);
$b = $this->matchRole($user);
$c = $this->matchIP($request->getUserIP());
$d = $this->matchVerb($request->getMethod());
$e = $this->matchController($action->controller);
$f = $this->matchCustom($action);
$g = $this->allow;
throw new \Exception("$a, $b, $c, $d, $e, $f, $g");
$parentRules = parent::allows($action, $user, $request);
// $parentRes can be `null`, `false` or `true`.
// True means the parent rule matched and allows access.
if($parentRules != true)
{
return $parentRules;
}
return ($this->getProjectAuthorId($request) == $user->id);
}
在異常消息中檢查是否為0?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.