修改Yii的SRBAC模块,使group(你的用户组表)取代User那一层作为权限分配的标准。在此基础上可以修改成去除User层,直接使用Role作为用户组的方案。
需要修改的有这几个地方:
1)./components/UserIdentity.php
修改这个文件是因为Yii默认登录后是将username作为id来保存在session中的(这点可以在CWebUser.php里的CWebUser::login里看到),这里添加一个属性:private $_id;然后重写父类的getId()方法:
else{
$this->_id = $users->uid;
$this->username = $users->username;
$this->errorCode=self::ERROR_NONE;
}
//重写接口的方法,返回的唯一标识是uid而不是username
public function getId(){
return $this->_id;
}
2).在Yii的配置文件中加上组权限判断的一些信息:
//配置srbac模块的数据库结构
'authManager'=>array(
'class'=>'CDbAuthManager',
'connectionID'=>'db',
'itemTable'=>'tbl_items',
'assignmentTable'=>'tbl_assignments',
'itemChildTable'=>'tbl_itemchildren',
//srbac扩展--根据用户组判断权限
'groupAuth'=>TRUE,
'userGetGroupTable'=>array(
'tableName'=>'tbl_user',
'userid'=>'uid',
'groupid'=>'groupid',
),
),
3).修改CWebUser.php,增加一个属性:public $groupid,这样以后既可以根据Yii::app()->user->groupid来访问当前用户的组id了
4).从SBaseController找到验证的动作是Yii::app()->user->checkAccess($access),然后接着往下找,找到最后的执行者是CDbAuthManager::checkAccess
继续找到CDbAuthManager::getAuthAssignments这个方法,这个方法做的事情是:根据参数$userId去tbl_assignments表里找到对应id拥有者的所有权限返回。(此时这里的$userId已经是uid而不是username了)
添加一个方法getAuthAssignmentsByGroup($userId),这个方法主要就是从用户表中取当前用户groupid,再用groupid向assignments表中取相应组的所有权限。
/**
* Returns the item assignments for the specified user.
* @param mixed $userId the user ID (see {@link IWebUser::getId})
* @return array the item assignment information for the user. An empty array will be
* returned if there is no item assigned to the user.
*/
public function getAuthAssignments($userId)
{
if($this->groupAuth){
return $this->getAuthAssignmentsByGroup($userId);
}
$rows=$this->db->createCommand()
->select()
->from($this->assignmentTable)
->where('userid=:userid', array(':userid'=>$userId))
->queryAll();
$assignments=array();
foreach($rows as $row)
{
if(($data=@unserialize($row['data']))===false)
$data=null;
$assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
}
return $assignments;
}
//根据用户组获取所有权限
public function getAuthAssignmentsByGroup($userId){
$assignments=array();
//先获取用户的groupid
if(!isset(Yii::app()->user->groupid)){
$groupID = $this->userGetGroupTable['groupid'];
$group = $this->db->createCommand()->select($groupID)->from($this->userGetGroupTable['tableName'])->where($this->userGetGroupTable['userid'].'='.intval($userId))->queryRow();
if(empty($group)){
return $assignments;
}
Yii::app()->user->groupid = $group[$groupID];
}
//然后根据当前用户的groupid来判断其身份(User)
$rows=$this->db->createCommand()->select()->from($this->assignmentTable)->where('userid=:userid', array(':userid'=>Yii::app()->user->groupid))->queryAll();
foreach($rows as $row)
{
if(($data=@unserialize($row['data']))===false)
$data=null;
$assignments[$row['itemname']]=new CAuthAssignment($this,$row['itemname'],$row['userid'],$row['bizrule'],$data);
}
return $assignments;
}
还有,别忘了给CDbAuthManager类添加用到的属性,否则人家不认识:
//用户组权限配置信息
public $groupAuth = false;
public $userGetGroupTable = null;
5).打开SRBAC看下,是不是User变成了你的tbl_group了,Role和Task依然没变。