将控制器操作限制为Yii2中帖子的创建者
有没有一种简单的方法可以在不使用完全RBAC的情况下将控制器操作限制为帖子的所有者/创建者 现在,我正在为每个控制器执行以下操作:将控制器操作限制为Yii2中帖子的创建者,yii2,Yii2,有没有一种简单的方法可以在不使用完全RBAC的情况下将控制器操作限制为帖子的所有者/创建者 现在,我正在为每个控制器执行以下操作: public function actionUpdate( $id ) { $model = $this->findModel( $id ); if ( $model->user_id != Yii::$app->user->identity->id ) { throw new NotFoundHttpE
public function actionUpdate( $id ) {
$model = $this->findModel( $id );
if ( $model->user_id != Yii::$app->user->identity->id ) {
throw new NotFoundHttpException( 'The requested page does not exist.' );
}
}
$modeluse yii\filters\AccessControl;
class SiteController extends Controller
{
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'only' => ['update','delete'],
'rules' => [
[
'actions' => ['update'],
'allow' => false,
'denyCallback' => function ($rule, $action) { //PHP callable that should be called when this rule will deny the access.
//Write your logic here to deny the action
throw new \Exception('You are not allowed to access this page');
}
],
],
],
];
}
public function actionUpdate()
{
return $this->render('update');
}
}
namespace app\rbac;
use yii\rbac\Rule;
/**
* Checks if authorID matches user passed via params
*/
class AuthorRule extends Rule
{
public $name = 'isAuthor';
/**
* @param string|integer $user the user ID.
* @param Item $item the role or permission that this rule is associated with
* @param array $params parameters passed to ManagerInterface::checkAccess().
* @return boolean a value indicating whether the rule permits the role or permission it is associated with.
*/
public function execute($user, $item, $params)
{
return isset($params['post']) ? $params['post']->createdBy == $user : false;
}
}
use yii\web\ForbiddenHttpException;
use Yii;
public function actionUpdate($id)
{
$model = $this->findModel($id);
if (!Yii::$app->user->can('updatePost', ['post' => $model])) {
throw new ForbiddenHttpException('You are not allowed to edit this post');
}
...
}
AccessControl[
'allow' => true,
'actions' => ['update'],
'roles' => ['@'],
],
updateuse yii\web\ForbiddenHttpException;
public function actionUpdate($id)
{
$model = $this->findModel($id);
if ($model->user_id != Yii::$app->user->id ) {
throw new ForbiddenHttpException('You are not allowed to edit this post.');
}
...
}
namespace app\posts\components;
use Yii;
class PostPermission
{
/**
* @param $model Post
* @return boolean
*/
public static function allowedToUpdate($model)
{
return $model->user_id = Yii:$app->user->id;
}
}
use app\posts\components\PostPermission;
use yii\web\ForbiddenHttpException;
if (!PostPermission::allowedToUpdate($model) {
throw new ForbiddenHttpException('You are not allowed to edit this post.');
}
$modelPostuse yii\web\NotFoundHttpException;
/**
* @param integer $id
* @return Post
* @throws NotFoundHttpException
*/
protected function findModel($id)
{
$model = Post::find(['id'=> $id, 'user_id' => Yii::$app->user->id])->one();
if ($model) {
return $model;
} else {
throw new NotFoundHttpException('This post does not exist.');
}
}
use yii\web\NotFoundHttpException;
/**
* @param integer $id
* @return Post
* @throws NotFoundHttpException
*/
protected function findModel($id)
{
$query = Post::find()->where(['id' => $id]);
if (!Yii::$app->user->is_admin) { // replace with your own check
$query->andWhere(['user_id' => Yii::$app->user->id]);
}
$model = $query->one();
if ($model) {
return $model;
} else {
throw new NotFoundHttpException('This post does not exist.');
}
}
public function actionUpdate($id)
{
$model = $this->findModel($id);
...
}
这样,在这两种情况下(模型未找到且当前用户不允许编辑),都会引发404未找到异常。从另一方面看,这并没有什么错,因为从技术上讲,对于这个用户来说,这个模型并不存在(因为他不是它的作者)。我们需要先找到模型,然后执行检查,但访问控制在操作之前执行。或者我们可以复制代码来查找模型。另外,最好根据HTTP异常抛出,而不是泛型异常。感谢您提供如此详细的回答
public function actionUpdate($id)
{
$model = $this->findModel($id);
...
}