Commit 5f0f721c by Qiang Xue

Finished AccessControl.

parent b505a9d9
...@@ -35,22 +35,16 @@ class AccessRule extends Component ...@@ -35,22 +35,16 @@ class AccessRule extends Component
*/ */
public $controllers; public $controllers;
/** /**
* @var array list of user names that this rule applies to. The comparison is case-insensitive. * @var array list of roles that this rule applies to. Two special roles are recognized, and
* If not set or empty, it means this rule applies to all users. Two special tokens are recognized: * they are checked via [[User::isGuest]]:
* *
* - `?`: matches a guest user (not authenticated yet) * - `?`: matches a guest user (not authenticated yet)
* - `@`: matches an authenticated user * - `@`: matches an authenticated user
* *
* @see \yii\web\Application::user * Using additional role names requires RBAC (Role-Based Access Control), and
*/ * [[User::hasAccess()]] will be called.
public $users; *
/** * If this property is not set or empty, it means this rule applies to all roles.
* @var array list of roles that this rule applies to. For each role, the current user's
* {@link CWebUser::checkAccess} method will be invoked. If one of the invocations
* returns true, the rule will be applied.
* Note, you should mainly use roles in an "allow" rule because by definition,
* a role represents a permission collection.
* If not set or empty, it means this rule applies to all roles.
*/ */
public $roles; public $roles;
/** /**
...@@ -106,7 +100,6 @@ class AccessRule extends Component ...@@ -106,7 +100,6 @@ class AccessRule extends Component
public function allows($action, $user, $request) public function allows($action, $user, $request)
{ {
if ($this->matchAction($action) if ($this->matchAction($action)
&& $this->matchUser($user)
&& $this->matchRole($user) && $this->matchRole($user)
&& $this->matchIP($request->getUserIP()) && $this->matchIP($request->getUserIP())
&& $this->matchVerb($request->getRequestMethod()) && $this->matchVerb($request->getRequestMethod())
...@@ -138,27 +131,6 @@ class AccessRule extends Component ...@@ -138,27 +131,6 @@ class AccessRule extends Component
} }
/** /**
* @param User $user the user
* @return boolean whether the rule applies to the user
*/
protected function matchUser($user)
{
if (empty($this->users)) {
return true;
}
foreach ($this->users as $u) {
if ($u === '?' && $user->getIsGuest()) {
return true;
} elseif ($u === '@' && !$user->getIsGuest()) {
return true;
} elseif (!strcasecmp($u, $user->getName())) {
return true;
}
}
return false;
}
/**
* @param User $user the user object * @param User $user the user object
* @return boolean whether the rule applies to the role * @return boolean whether the rule applies to the role
*/ */
...@@ -168,7 +140,11 @@ class AccessRule extends Component ...@@ -168,7 +140,11 @@ class AccessRule extends Component
return true; return true;
} }
foreach ($this->roles as $role) { foreach ($this->roles as $role) {
if ($user->checkAccess($role)) { if ($role === '?' && $user->getIsGuest()) {
return true;
} elseif ($role === '@' && !$user->getIsGuest()) {
return true;
} elseif ($user->hasAccess($role)) {
return true; return true;
} }
} }
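Review bot: In the rewritten loop of matchRole, the special tokens fall through to the RBAC check whenever their guest condition is false. A rule with role `@` evaluated for a guest, or `?` for an authenticated user, fails the first two branches and then calls `$user->hasAccess($role)` with the literal token. Whether that call can return true depends on hasAccess, which is not visible in this commit, so a guest/authenticated rule ends up relying on the RBAC backend rejecting `?` and `@`. Branching on the token first and testing `getIsGuest()` inside the branch keeps the two special roles out of hasAccess entirely, and the `$roles` doc comment could state that they are never treated as RBAC items. matchRole's signature and its empty-roles guard lie outside the hunk.

```php
foreach ($this->roles as $role) {
    if ($role === '?') {
        // Guest token: decided only by the guest flag, never by RBAC.
        if ($user->getIsGuest()) {
            return true;
        }
    } elseif ($role === '@') {
        // Authenticated token: same, no RBAC lookup.
        if (!$user->getIsGuest()) {
            return true;
        }
    } elseif ($user->hasAccess($role)) {
        return true;
    }
}
```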
......