hanaboso / acl-bundle
Hanaboso - acl-bundle
Requires
- php: ^8.3
- hanaboso/user-bundle: ^1.9
Requires (Dev)
- doctrine/doctrine-bundle: ^2.12
- doctrine/doctrine-fixtures-bundle: ^3.6
- doctrine/mongodb-odm-bundle: ^5.0
- hanaboso/php-check-utils: ^1.6
- predis/predis: ^1.1
- symfony/security-bundle: ^7.1
Suggests
- doctrine/doctrine-bundle: Install me if you are using MySQL.
- doctrine/doctrine-fixtures-bundle: Install me if you want to load fixtures.
- doctrine/mongodb-odm-bundle: Install me if you are using MongoDB.
- predis/predis: Install me if you want to use the Redis cache.
This package is auto-updated.
Last update: 2024-09-20 15:37:31 UTC
README
Installation
- Download the package via composer
composer require hanaboso/acl-bundle
Resources
Every resource and action protected by the ACL must be registered through an enum and a Symfony parameter. The configuration below shows the registration of the resource enum and the action enum, as well as the database documents that belong to the given resources.
acl_use_cache enables caching in Redis, so the rules do not have to be loaded from the database on every check.
parameters:
    resource_enum: Hanaboso\AclBundle\Enum\ResourceEnum
    action_enum: AclBundleTests\testApp\ExtActionEnum
    acl_use_cache: true
    db_res:
        resources:
            # Add new resources to ResourceEnum class
            user: Hanaboso\UserBundle\Document\User
            tmp_user: Hanaboso\UserBundle\Document\TmpUser
            token: Hanaboso\UserBundle\Document\Token
            file: Hanaboso\CommonsBundle\FileStorage\Document\File
            group: Hanaboso\AclBundle\Document\Group
            rule: Hanaboso\AclBundle\Document\Rule
        # Optionals - can be empty: ~
        resource_actions:
            # [read, write, delete] by default (set in MaskFactory)
            default_actions: ['read', 'write', 'delete', 'test']
            # specific actions on top of default ones
            resources:
                token: ['test2']
resource_actions is an optional parameter that extends the default ['read', 'write', 'delete'] actions. At most 32 distinct actions are allowed.
Rules
Rules are split into two independent groups: standard rules and owner rules.
Owner rules apply only when the object has an owner property whose ID matches the logged-in user.
Rules set under fixture_groups are global and apply to all instances regardless of ownership. Each group has
- level: the priority of the group. If ACL rules and groups are editable by users, each user may only edit their own level and lower-priority levels (this protects a superadmin from a lower-priority admin)
- extends: includes the rules of the named groups
- users: pre-generated users
- rules: the resources the given group is allowed to access, together with all their rules
parameters:
    acl_rule:
        owner:
            # Key must match with key in acl.yml under resources
            user: ['read', 'write']
            group: ['read', 'write']
        fixture_groups:
            admin:
                level: 1
                extends: ['user', 'test']
                users:
                    - {email: 'root@hanaboso.com', password: 'root'}
                rules:
                    group: ['read']
                    user: ['read', 'write', 'delete']
                    tmp_user: ['read', 'write', 'delete']
                    token: ['read', 'write']
                    topology: ['read', 'write']
                    node: ['read', 'write']
                    file: ['read', 'write']
            user:
                level: 5
                extends: ['test']
                users:
                rules:
                    topology: ['read']
                    node: ['read']
                    file: ['read']
Entities/Documents
AclBundle depends on UserBundle, and both its own entities/documents and those of UserBundle must be registered with Doctrine.
ORM mapping
UserEntity:
    type: annotation
    is_bundle: false
    dir: "%src_dir%/src/Entity"
    prefix: Hanaboso\UserBundle\Entity
AclEntity:
    type: annotation
    is_bundle: false
    dir: "%src_dir%/src/Entity"
    prefix: Hanaboso\AclBundle\Entity
ODM mapping
UserDocument:
    type: annotation
    is_bundle: false
    dir: "%src_dir%/src/Document"
    prefix: Hanaboso\UserBundle\Document
AclDocument:
    type: annotation
    is_bundle: false
    dir: "%src_dir%/src/Document"
    prefix: Hanaboso\AclBundle\Document
Usage in code
The rules for a given user are checked through the AccessManager method isAllowed(string $action, string $resource, UserInterface $user, $object = NULL).
The requested action and resource are validated against the enums registered above. UserInterface comes from UserBundle and represents the logged-in user. Object is an optional parameter and can be either an object or its ID.
Examples
isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser);
isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser, '1258');
isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser, $resource);
Usage of the object argument
- NULL -> checks whether the user has write permission or a GroupPermission grants read and delete: isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser); returns TRUE if allowed, otherwise throws an exception
- string -> the ID of the wanted entity: isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser, '1258'); returns the requested entity if it is found and the user has permission for the requested action, otherwise throws an exception
- object -> checks permission on the given entity: isAllowed(ActionEnum::READ, ResourceEnum::Node, $loggedUser, $something); returns the given object or throws an exception
- any other type, such as an array or int, will only throw an exception
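As an added example (not code from the acl-bundle README or the bundle itself), a small deny-by-default wrapper around isAllowed() that uses the three object-argument forms described above and converts the thrown exception into an HTTP 403. The AccessManager and UserInterface namespaces, the ActionEnum::WRITE constant and the exception class caught are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed namespaces: adjust to the ones shipped by the bundles in your project.
use Hanaboso\AclBundle\Enum\ActionEnum;
use Hanaboso\AclBundle\Enum\ResourceEnum;
use Hanaboso\AclBundle\Manager\AccessManager;
use Hanaboso\UserBundle\Entity\UserInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

final class NodeGuard
{
    public function __construct(private readonly AccessManager $accessManager) {}

    /** NULL object: does the user have a general rule for READ on Node? */
    public function canListNodes(UserInterface $user): bool
    {
        try {
            // Returns TRUE when allowed, throws otherwise (see README above).
            return $this->accessManager->isAllowed(ActionEnum::READ, ResourceEnum::Node, $user);
        } catch (\Exception $e) {               // assumed: bundle throws an \Exception subclass
            return false;
        }
    }

    /** String object: load the node by ID only if the user may read it. */
    public function loadReadable(int|string $id, UserInterface $user): object
    {
        try {
            // An int would only throw, so the ID is always passed as a string.
            return $this->accessManager->isAllowed(ActionEnum::READ, ResourceEnum::Node, $user, (string) $id);
        } catch (\Exception $e) {
            // Collapse "not found" and "not allowed" into one 403 so IDs cannot be enumerated.
            throw new AccessDeniedHttpException('Access denied', $e);
        }
    }

    /** Object argument: re-check before mutating an entity already in hand. */
    public function assertWritable(object $node, UserInterface $user): object
    {
        try {
            // ActionEnum::WRITE is assumed to exist alongside READ (default actions).
            return $this->accessManager->isAllowed(ActionEnum::WRITE, ResourceEnum::Node, $user, $node);
        } catch (\Exception $e) {
            throw new AccessDeniedHttpException('Access denied', $e);
        }
    }
}
```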
Generating groups and rules
All required entities/documents are generated through fixtures. Once a new rule is created it can also be added through fixtures, which also checks it for uniqueness.