问题描述

我完成了Cakephp的ACL组件的完整课程，但是巨大的ACL组件似乎无法满足我的非常简单的要求。

I went through complete lesson on cakephp's ACL component, but gigantic ACL component do not seem to meet my very simple requirements.

我只有基于组的访问控制，三个组是用户，管理者和管理员，第四个是没有登录名的匿名用户，我不会为此创建任何组。

I have only group based access control, three groups are users, managers and administrators the fourth is a anonymous users without logins for which I am not creating any group.

从acl概念创建三个表

from acl concept it creates three table

aros ->这看起来有点多余的数据从组表复制，我什至不需要组表，而只是在用户表中输入字段group_id。

aros -> this looks somewhat redundant data copied from groups table, I dont even need to have a group table but just field group_id in users table.

acos ->这是一个控制器中的公共方法列表，我不得不使用AclExtra插件来填充表中的250多个动作，现在这是我认为难以管理的部分，我注意到用于填充acos表的工具每次执行时都无法可靠地同步更改控制器，对于每次更改，必须在远程站点执行相同的工作，这意味着可怕的事情！这也意味着我必须在更新和迁移期间进行数据库备份。

acos -> this is a list of public methods in controllers, I had to use AclExtra plugin to populate over 250+ actions in table, now this is the part which I think un-manageable, I noticed that tool used to populate acos table cannot reliably sync everytime when I do changes in controllers, the same work must be done at remote site for each changes that means terrible thing! this also mean i have to have a database backup during updates and migration.

如果我使用基于php文件的acos，这又是不可管理的，因为我们必须确保在控制器和ACL文件之间进行同步。

Other side if I use php file based acos that is again un-manageable because we have to make sure syncing between controller and acl file.

aros_acos ->显然

可以我们有一个更简单的机制，例如我拒绝使用Auth组件执行所有操作，然后在每个操作中或在beforeRender方法中指定可以向哪些组开放的方法？

can we have a simpler mechanism something like i deny all actions using Auth component and then inside each action or maybe in beforeRender method i can specify what methods are open to what group ?

谢谢

推荐答案

有一个未记录的acl类 PhpAcl ，它要简单得多

There is an undocumented acl class PhpAcl it is much simpler to use than then the database driven ACL and more dynamic than the ini bassed ACL.

在 Config / core.php

/**
 * The class name and database used in CakePHP's
 * access control lists.
 */
Configure::write('Acl.classname', 'PhpAcl');
// Configure::write('Acl.database', 'default');

这告诉您的ACL使用PhpAcl

This tells your ACL to use the PhpAcl

然后打开 Config / acl.php

那里有一些很好的说明

1. 在您的应用程序中，您使用以下属性：用户名，group_id，密码，电子邮件，名字，
   姓氏，等等。


2. 您已将AuthComponent配置为通过 $ this->授权操作; Auth-> authorize = array（'Actions'=> array（'actionPath'=>
'controllers /'),...)

1. In your application you created a User model with the following properties: username, group_id, password, email, firstname, lastname and so on.
2. You configured AuthComponent to authorize actions via $this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers/'),...)

现在，当用户（即jeff）成功进行身份验证并请求$不允许的
控制器操作（即/ invoices / delete）时， b $ b默认值（例如，通过发票
控制器中的$ this-> Auth-> allow（'edit'）），则AuthComponent将询问已配置的ACL接口
是否授予访问权限。在假设1.和2.下，将通过调用Acl-> check（）来完成
，其中

Now, when a user (i.e. jeff) authenticates successfully and requests a controller action (i.e. /invoices/delete) that is not allowed by default (e.g. via $this->Auth->allow('edit') in the Invoices controller) then AuthComponent will ask the configured ACL interface if access is granted. Under the assumptions 1. and 2. this will be done via a call to Acl->check() with

array('User' => array('username' => 'jeff', 'group_id' => 4, ...))

为ARO，

'/controllers/invoices/delete'

作为ACO。

我想为组或角色使用静态名称，以便您可以向用户添加角色字段表，然后像这样设置$ map：

I wanted to use static names for Groups or Roles so you can add a role field to your user table, and then set up the $map like this:

 **
 * The role map defines how to resolve the user record from your application
 * to the roles you defined in the roles configuration.
 */
$config['map'] = array(
    'User' => 'User/username',
    'Role' => 'User/role',
);

对于我的应用，我们不使用仅基于用户的权限角色，因此我们可以删除 User 从$ map。

For my app we aren't using user based permissions only role, so we could remove the User from the $map.

然后您需要设置一些角色：

Then you need to set up some roles:

/**
 * role configuration
 */
$config['roles'] = array(
    'Role/admin' => null,
);

任何不在此数组中的角色都将获得角色/默认值

Any role not in this array will get 'Role/default'

现在只需设置您的权限，它们非常容易解释。

Now just set up your permissions, they are pretty self explanatory.

/**
 * rule configuration
 */
$config['rules'] = array(
    'allow' => array(
        '*' => 'Role/admin',
        'controllers/Reports/*' => 'Role/default',
        'controllers/EurRates/*' => 'Role/default',
        'controllers/Posts/index' => 'Role/default',
        'controllers/Users/(edit|index)' => 'Role/default',
    ),
    'deny' => array(
        'controllers/ProtectedController/*' => 'Role/default',
        'controllers/EurRates/(edit|add|delete)' => 'Role/default',
        'controllers/Reports/(edit|add|delete)' => 'Role/default',
        ),
);

就是这样，现在您可以根据角色允许或拒绝许可操作。

That's it, now you can allow or deny permission to actions based on role.