O Guia Definitivo do Yii 1.1
a permission that is atomic. For example, we can have a system with an administrator role which consists of a post management task and a user management task. The user management task may in turn consist of the create user, update user and delete user operations. For more flexibility, Yii also allows a role to consist of other roles or operations, a task to consist of other tasks, and an operation to consist of other operations.

An authorization item is uniquely identified by its name.

An authorization item may be associated with a business rule. A business rule is a piece of PHP code that is executed when access is checked with respect to the item. Only when the execution returns true is the user considered to have the permission represented by the item. For example, when defining an operation updatePost, we would like to add a business rule that checks whether the current user's ID equals the post's author ID, so that only the author has permission to update the post.
Using authorization items, we can build up an authorization hierarchy. An item A is a parent of another item B in the hierarchy if A consists of B (or, put differently, A inherits the permission(s) represented by B). An item can have multiple child items, and it can also have multiple parent items. Therefore, an authorization hierarchy is a partially ordered graph rather than a tree. In this hierarchy, role items sit at the top levels, operation items at the bottom levels, and task items in between.
Once we have an authorization hierarchy, we can assign roles in this hierarchy to application users. A user who is assigned a role has the permissions represented by that role. For example, if we assign the administrator role to a user, he will have the administrator permissions, which include post management and user management (and the corresponding operations, such as create user).
Now the fun part starts. In a controller action, we want to check if the current user can delete the specified post. Using the RBAC hierarchy and assignment, this can be done easily as follows:

if(Yii::app()->user->checkAccess('deletePost'))
{
    // delete the post
}
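The following is an added example, not code from the guide. It builds the hierarchy described above (operations, tasks, roles), attaches the author-only business rule to an updateOwnPost task, assigns roles to two placeholder user IDs, and then performs the check from a controller action with the post passed as a parameter so the rule can inspect it. It assumes the authManager component is already configured, and that the Post model has an `authID` column holding the author's user ID; both are assumptions for illustration.

```php
<?php
// Added example (not code from the Yii guide). Assumes the authManager
// component is configured and that Post has an `authID` column holding
// the author's user ID (both assumptions for illustration).

// protected/commands/RbacCommand.php  --  run once with:  protected/yiic rbac
class RbacCommand extends CConsoleCommand
{
    public function run($args)
    {
        $auth = Yii::app()->authManager;

        // Start from an empty hierarchy so re-running the command is safe.
        $auth->clearAll();

        // Operations: the atomic permissions.
        $auth->createOperation('createPost', 'create a post');
        $auth->createOperation('updatePost', 'update a post');
        $auth->createOperation('deletePost', 'delete a post');
        $auth->createOperation('createUser', 'create a user');
        $auth->createOperation('updateUser', 'update a user');
        $auth->createOperation('deleteUser', 'delete a user');

        // Task guarded by a business rule. The rule is PHP source that the auth
        // manager eval()s at check time; $params is the array handed to checkAccess().
        // Never build a rule string from user-controlled input.
        $bizRule = 'return isset($params["post"]) '
                 . '&& $params["post"]->authID == Yii::app()->user->id;';
        $task = $auth->createTask('updateOwnPost', 'update a post by its author', $bizRule);
        $task->addChild('updatePost');   // grants updatePost only when the rule passes

        // Tasks that group operations (no business rule: unconditional).
        $task = $auth->createTask('postManagement', 'manage posts');
        $task->addChild('createPost');
        $task->addChild('updatePost');
        $task->addChild('deletePost');

        $task = $auth->createTask('userManagement', 'manage users');
        $task->addChild('createUser');
        $task->addChild('updateUser');
        $task->addChild('deleteUser');

        // Roles: the top of the hierarchy. A role may contain tasks, operations or roles.
        $role = $auth->createRole('author', 'can write posts and edit own posts');
        $role->addChild('createPost');
        $role->addChild('updateOwnPost');

        $role = $auth->createRole('admin', 'full post and user management');
        $role->addChild('author');          // admin inherits everything author has
        $role->addChild('postManagement');
        $role->addChild('userManagement');

        // Assign roles to user IDs (1 and 2 are placeholder IDs).
        $auth->assign('admin', 1);
        $auth->assign('author', 2);

        // CPhpAuthManager writes its file here; CDbAuthManager persists on each call.
        $auth->save();
    }
}

// protected/controllers/PostController.php (excerpt)
class PostController extends CController
{
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk((int)$id);
        if ($post === null)
            throw new CHttpException(404, 'The requested post does not exist.');

        // Pass the post so the updateOwnPost rule can compare authID with the
        // current user. Outcome for the hierarchy built above:
        //   user 1 (admin):  allowed via postManagement -> updatePost, no rule involved
        //   user 2 (author): allowed only if $post->authID == 2, via updateOwnPost
        //   anyone else:     denied
        if (!Yii::app()->user->checkAccess('updatePost', array('post' => $post)))
            throw new CHttpException(403, 'You are not allowed to update this post.');

        // ... apply the update to $post
    }
}
```

Two points worth keeping in mind. First, the rule string is passed through eval() by the auth manager, so it must be a constant in your own code and never assembled from request data. Second, CWebUser::checkAccess() caches a result for the rest of the request only when it is called without parameters; a rule-guarded item checked without the parameter it inspects (here, the post) will simply evaluate the rule against missing data, which the isset() guard above turns into a denial rather than a PHP notice.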
Configuring Authorization Manager

Before we set off to define an authorization hierarchy and perform access checking, we need to configure the authManager application component. Yii provides two types of authorization managers: CPhpAuthManager and CDbAuthManager. The former uses a PHP script file to store authorization data, while the latter stores authorization data in a database. When we configure the authManager application component, we need to specify which component class to use and what the initial property values for the component are. For example,