Principle: use yii2-admin to manage API permissions

1 Install yii2-admin

Install Composer first
$ composer config -g repo.packagist composer https://packagist.phpcomposer.com
$ composer require mdmsoft/yii2-admin "~2.0"

2 Configure backend/config/main.php

<?php
$params = array_merge(
    require __DIR__ . '/../../common/config/params.php',
    require __DIR__ . '/../../common/config/params-local.php',
    require __DIR__ . '/params.php',
    require __DIR__ . '/params-local.php'
);

return [
    'id' => 'app-backend',
    'basePath' => dirname(__DIR__),
    'controllerNamespace' => 'backend\controllers',
    'bootstrap' => ['log'],
    'modules' => [
        'admin' => [
            'class' => 'mdm\admin\Module',
        ],
    ],
    'components' => [
        'request' => [
            'csrfParam' => '_csrf-backend',
        ],
        'user' => [
            'identityClass' => 'common\models\User',
            'enableAutoLogin' => true,
            'identityCookie' => ['name' => '_identity-backend', 'httpOnly' => true],
        ],
        'session' => [
            // this is the name of the session cookie used for login on the backend
            'name' => 'advanced-backend',
        ],
        'log' => [
            'traceLevel' => YII_DEBUG ? 3 : 0,
            'targets' => [
                [
                    'class' => 'yii\log\FileTarget',
                    'levels' => ['error', 'warning'],
                ],
            ],
        ],
        'errorHandler' => [
            'errorAction' => 'site/error',
        ],
        /*
        'urlManager' => [
            'enablePrettyUrl' => true,
            'showScriptName' => false,
            'rules' => [
            ],
        ],
        */
        'authManager' => [
            'class' => 'yii\rbac\PhpManager', // or use 'yii\rbac\DbManager'
        ],
    ],
    'as access' => [
        'class' => 'mdm\admin\components\AccessControl',
        // routes listed here bypass the RBAC check; everything else needs a permission
        'allowActions' => [
            'site/*',
            'admin/*',
            'some-controller/some-action',
        ],
    ],

    'params' => $params,
];


3 Visit yourpath/index.php?r=admin

or index.php?r=admin%2Froute (note: use the URL after encodeURIComponent; requesting admin/route directly causes problems)

4 Use AdminLTE to render the backend template and improve the user experience

4.1 Open cmd, change to the advanced directory, and enter

composer require dmstr/yii2-adminlte-asset "2.*"

4.2 Copy the two folders inside vendor/dmstr/yii2-adminlte-asset/example-views/yiisoft/yii2-app to backend/views/, overwriting the corresponding folders under views (back up anything you wrote yourself first; only the system-generated files are overwritten here)

Then visit http://localhost/path/to/index.php?r=admin to see the result

4.3 Remembering controller routes by hand is never as convenient as clicking a link, so configure the left-hand menu:

Edit backend\views\layouts\left.php

// add this entry to the 'items' array of the Menu widget in left.php
[
    'label' => '权限管理',
    'icon' => 'share',
    'url' => '#',
    'items' => [
        ['label' => '权限', 'icon' => 'file-code-o', 'url' => ['/admin/permission']],
        ['label' => '角色', 'icon' => 'dashboard', 'url' => ['/admin/role']],
        ['label' => '分配', 'icon' => 'dashboard', 'url' => ['/admin/assignment']],
        ['label' => '菜单', 'icon' => 'dashboard', 'url' => ['/admin/menu']],
        ['label' => '路由', 'icon' => 'dashboard', 'url' => ['/admin/route']],
    ],
],

Open cmd, change to the advanced directory, and enter
yii migrate --migrationPath=@mdm/admin/migrations
After it runs successfully, check the database: a new menu table has been created.

5 Configure database tables to store the RBAC data

5.1 Edit backend/config/main.php

        'authManager' => [
            'class' => 'yii\rbac\DbManager', // replaces 'yii\rbac\PhpManager' from step 2
        ],

Edit common/config/main-local.php and add the code above inside components

5.2 Run

yii migrate --migrationPath=@yii/rbac/migrations
After it runs successfully, check the database: four new authorization tables whose names start with auth have been created.

That is all for configuration; next we learn how to use this powerful permission-assignment tool.
The idea: first pull the functions you want to control from Route into a permission pool; then create a Permission that bundles functions from the pool; then assign the permission bundle to users.
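The same three steps (route permissions, a bundling permission, an assignment to a user) can be done in code with Yii's authManager instead of clicking through the yii2-admin screens. The following console command is an added example, not part of the original tutorial or of yii2-admin; it assumes DbManager is configured as in step 5.1, that the migrations of step 5.2 have been run, that the file lives at console/controllers/RbacController.php, and that the controller being protected is called `test` (the permission names `testview`, `test` and `fun` are the ones used in section 5.3). yii2-admin stores each route as a permission whose name is the route itself with a leading slash, which is why the route permissions below are named `/test/view` and so on.

```php
<?php
// Added example: console command that creates route permissions, bundles them into
// the permissions used in section 5.3, and assigns bundles to a user.
// File path, controller id 'test' and route names are assumptions.
namespace console\controllers;

use Yii;
use yii\console\Controller;
use yii\console\ExitCode;
use yii\rbac\ManagerInterface;

class RbacController extends Controller
{
    // Permission bundle => routes it grants (the "permission pool" of the tutorial).
    private $bundles = [
        'testview' => ['/test/view'],
        'test'     => ['/test/index', '/test/view', '/test/create', '/test/update', '/test/delete'],
        'fun'      => ['/test/fun'],
    ];

    /**
     * Usage: yii rbac/init <userId> [bundle,bundle,...]
     * Idempotent: existing items and assignments are reused, so it is safe to rerun.
     */
    public function actionInit($userId, $bundleNames = 'testview,fun')
    {
        $auth = Yii::$app->authManager;

        // Step 1 + 2: create every route permission and hang it under its bundle.
        foreach ($this->bundles as $bundleName => $routes) {
            $bundle = $this->ensurePermission($auth, $bundleName, 'Bundle: ' . implode(', ', $routes));
            foreach ($routes as $route) {
                $routePerm = $this->ensurePermission($auth, $route, 'Route ' . $route);
                if (!$auth->hasChild($bundle, $routePerm)) {
                    $auth->addChild($bundle, $routePerm);
                }
            }
        }

        // Step 3: assign the requested bundles to the user.
        foreach (array_filter(explode(',', $bundleNames)) as $name) {
            if (!isset($this->bundles[$name])) {
                $this->stderr("Unknown bundle '$name'\n");
                return ExitCode::DATAERR;
            }
            // getAssignment() returns null when the user does not have the item yet.
            if ($auth->getAssignment($name, $userId) === null) {
                $auth->assign($auth->getPermission($name), $userId);
            }
        }

        // Print the effective permissions, including the inherited route permissions,
        // which is what the Assignment screen shows for the user.
        foreach ($auth->getPermissionsByUser($userId) as $perm) {
            $this->stdout($perm->name . "\n");
        }
        return ExitCode::OK;
    }

    // Returns the existing permission or creates it; DbManager rejects duplicate names.
    private function ensurePermission(ManagerInterface $auth, $name, $description)
    {
        $perm = $auth->getPermission($name);
        if ($perm === null) {
            $perm = $auth->createPermission($name);
            $perm->description = $description;
            $auth->add($perm);
        }
        return $perm;
    }
}
```

Running `yii rbac/init 1 testview` and then `yii rbac/init 1 test,fun` leaves user 1 with exactly the three bundles plus their child routes; because every step checks for an existing item first, rerunning the command never creates duplicates or fails on the unique constraints of the auth tables.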

5.3 API permission assignment has two cases

5.3.1 Controlling system-generated functions (e.g. view, index, delete, modify)

Add the following checkAccess function to the controller:

    // RBAC case 1: system-generated actions; 'testview' and 'test' are the names of the permissions that bundle the routes.
    // Needs `use yii\web\ForbiddenHttpException;` at the top of the controller file.
    // The built-in actions (index, view, create, update, delete) call this method before doing their work.
    public function checkAccess($action, $model = null, $params = [])
    {
        // 'testview' grants only the view action
        if ($action === "view") {
            if (\Yii::$app->user->can('testview')) {
                return true;
            }
        }

        // 'test' grants all five built-in actions
        if ($action === "view" || $action === "update" || $action === "delete" || $action === "create" || $action === "index") {
            if (\Yii::$app->user->can('test')) {
                return true;
            }
        }

        // deny by default
        throw new ForbiddenHttpException("sorry , no authority!");
    }

5.3.2 Controlling custom or overridden functions

Add the check at the start of each function you define yourself, for example:

    // RBAC case 2: custom or overridden actions; 'fun' is the name of the permission that bundles the route.
    // checkAccess() is not called for these, so the check must be the first statement of the action.
    public function actionFun()
    {
        if (!\Yii::$app->user->can('fun')) {
            throw new ForbiddenHttpException("sorry , no authority!");
        }
        return "ok";
    }
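Both cases fit naturally in one REST controller. The class below is an added example, not code from the tutorial: it keeps the permission names of section 5.3 but replaces the chain of if statements in checkAccess with an action-to-permission map, so that an action missing from the map is denied rather than silently allowed, and it factors the case-2 check into a small helper so every custom action starts the same way. The controller id `test`, the `common\models\Post` model class and the namespace `api\controllers` are assumptions.

```php
<?php
// Added example: REST controller combining case 1 (checkAccess for built-in actions)
// and case 2 (explicit check inside a custom action). Names are assumptions.
namespace api\controllers;

use Yii;
use yii\rest\ActiveController;
use yii\web\ForbiddenHttpException;

class TestController extends ActiveController
{
    public $modelClass = 'common\models\Post'; // assumed model

    // Case 1: action => permissions that grant it. Any action not listed here is denied.
    private $actionPermissions = [
        'index'  => ['test'],
        'view'   => ['testview', 'test'],
        'create' => ['test'],
        'update' => ['test'],
        'delete' => ['test'],
    ];

    // Called by yii\rest\IndexAction, ViewAction, CreateAction, UpdateAction and DeleteAction.
    // $model is the record being viewed/updated/deleted (null for index and create);
    // it is available for object-level checks if the project needs them later.
    public function checkAccess($action, $model = null, $params = [])
    {
        $user = Yii::$app->user;
        foreach ($this->actionPermissions[$action] ?? [] as $permission) {
            if ($user->can($permission)) {
                return; // the built-in actions only care that nothing is thrown
            }
        }
        throw new ForbiddenHttpException("sorry , no authority!");
    }

    // Case 2: the framework never calls checkAccess() for actions you write yourself,
    // so the permission check is the first statement of the action.
    public function actionFun()
    {
        $this->requirePermission('fun');
        return ['result' => 'ok'];
    }

    private function requirePermission($permission)
    {
        if (!Yii::$app->user->can($permission)) {
            throw new ForbiddenHttpException("sorry , no authority!");
        }
    }
}
```

With this layout, adding a new built-in action (for example an `options`-free custom search action wired through `actions()`) means adding one line to the map; forgetting to do so fails closed with a 403 instead of exposing the action, which is the property you want when the permission bundles are being edited in the yii2-admin UI by someone other than the developer.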