Yii2 rbac用戶無法更新自己的帖子

Question

因此，我創建的權限和角色比注冊時每個用戶都獲得“用戶”角色。 當用戶嘗試更新其他人的帖子時，他不能這樣做，這沒關系。 問題在於他甚至無法更新自己的帖子。 無法弄清楚。 （當我在控制器中將“用戶”替換為“ @”時，所有這些工作正常）

public function up()
{
    $auth = Yii::$app->authManager;

    //creating post
    $createPost = $auth->createPermission('createPost');
    $createPost->description = 'Create Post';
    $auth->add($createPost);

    //deleting post
    $deletePost = $auth->createPermission('deletePost');
    $deletePost->description = 'Delete Post';
    $auth->add($deletePost);

    //update post
    $updatePost = $auth->createPermission('updatePost');
    $updatePost->description = 'Update Post';
    $auth->add($updatePost);

    //delete user
    $deleteUser = $auth->createPermission('deleteUser');
    $deleteUser->description = 'Delete User';
    $auth->add($deleteUser);

    //create role 'user' and add permissions
    $user = $auth->createRole('user');
    $user->description = 'User';
    $auth->add($user);
    $auth->addChild($user, $createPost);
    $auth->addChild($user, $deletePost);
    $auth->addChild($user, $updatePost);

    //create role 'admin' and add permissions
    $admin = $auth->createRole('admin');
    $admin->description = 'Administrator';
    $auth->add($admin);
    $auth->addChild($admin, $user);
    $auth->addChild($admin, $deleteUser);
}

public function down()
{
    Yii::$app->authManager->removeAll();
}

AuthorAccessRule（在stackoverflow上找到它）：

class AuthorAccessRule extends AccessRule
{
    public $allow = true;
    public $roles = ['@'];

    public function allows($action, $user, $request)
    {
        $parentRules = parent::allows($action, $user, $request);
        // $parentRes can be `null`, `false` or `true`.
        // True means the parent rule matched and allows access.
        if($parentRules != true)
        {
            return $parentRules;
        }

        return ($this->getProjectAuthorId($request) == $user->id);
    }

    private function getProjectAuthorId($request)
    {
        // Fill in code to receive the right project.
        // assuming the project id is given à la `project/update?id=1
        $postId = $request->get('id');
        $post = Post::findOne($postId);
        return isset($post) ? $post->user_id : null;
    }
}

和控制器：

'access' => [
            'class' => AccessControl::className(),
            'only' => ['update', 'delete'],
            'rules' => [
                [
                    'allow' => true,
                    'actions' => ['delete', 'update'],
                    'roles' => ['user'],
                    'class' => 'app\filters\AuthorAccessRule'
                ],
                [
                    'allow' => true,
                    'actions' => ['delete', 'update'],
                    'roles' => ['admin'],
                ],

Answer 1

嘗試在不通過parent :: allow的條件下進行調試。 可以通過以下方式做到這一點：

public function allows($action, $user, $request)
{
    $a = $this->matchAction($action);
    $b = $this->matchRole($user);
    $c = $this->matchIP($request->getUserIP());
    $d = $this->matchVerb($request->getMethod());
    $e = $this->matchController($action->controller);
    $f = $this->matchCustom($action);
    $g = $this->allow;

    throw new \Exception("$a, $b, $c, $d, $e, $f, $g");

    $parentRules = parent::allows($action, $user, $request);
    // $parentRes can be `null`, `false` or `true`.
    // True means the parent rule matched and allows access.
    if($parentRules != true)
    {
        return $parentRules;
    }
    return ($this->getProjectAuthorId($request) == $user->id);
}

在異常消息中檢查是否為0？