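                ```php
<?php
// +----------------------------------------------------------------------
// | ThinkPHP [ WE CAN DO IT JUST THINK IT ]
// +----------------------------------------------------------------------
// | Copyright (c) 2009 http://thinkphp.cn All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: liu21st <liu21st@gmail.com>
// +----------------------------------------------------------------------
namespace Org\Util;

use Think\Db;

/**
 +------------------------------------------------------------------------------
 * Role-based access control (RBAC) backed by database tables
 +------------------------------------------------------------------------------
 */
// Settings this class reads from the configuration file:
// USER_AUTH_ON          whether authentication is required at all
// USER_AUTH_TYPE        1 = check against the list saved at login, 2 = check the database on every request
// USER_AUTH_KEY         session key that holds the authenticated user's id
// USER_AUTH_MODEL       model used by authenticate() when none is given
// ADMIN_AUTH_KEY        session key that marks a super administrator
// REQUIRE_AUTH_MODULE   comma-separated modules that require authentication
// NOT_AUTH_MODULE       comma-separated modules exempt from authentication
// REQUIRE_AUTH_ACTION   comma-separated actions that require authentication
// NOT_AUTH_ACTION       comma-separated actions exempt from authentication
// GUEST_AUTH_ON         whether guests get an access list of their own
// GUEST_AUTH_ID         user id whose permissions guests receive
// USER_AUTH_GATEWAY     authentication gateway guests are redirected to
// RBAC_DB_DSN           database connection DSN
// RBAC_ROLE_TABLE       role table name
// RBAC_USER_TABLE       role/user table name
// RBAC_ACCESS_TABLE     access table name
// RBAC_NODE_TABLE       node table name
//
// //'ADMIN_AUTH_KEY' => 'superadmin', // super administrator marker
/*
-- --------------------------------------------------------
CREATE TABLE IF NOT EXISTS `think_access` (
  `role_id` smallint(6) unsigned NOT NULL,
  `node_id` smallint(6) unsigned NOT NULL,
  `level` tinyint(1) NOT NULL,
  `module` varchar(50) DEFAULT NULL,
  KEY `groupId` (`role_id`),
  KEY `nodeId` (`node_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `think_node` (
  `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(20) NOT NULL,
  `title` varchar(50) DEFAULT NULL,
  `status` tinyint(1) DEFAULT '0',
  `remark` varchar(255) DEFAULT NULL,
  `sort` smallint(6) unsigned DEFAULT NULL,
  `pid` smallint(6) unsigned NOT NULL,
  `level` tinyint(1) unsigned NOT NULL,
  PRIMARY KEY (`id`),
  KEY `level` (`level`),
  KEY `pid` (`pid`),
  KEY `status` (`status`),
  KEY `name` (`name`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `think_role` (
  `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(20) NOT NULL,
  `pid` smallint(6) DEFAULT NULL,
  `status` tinyint(1) unsigned DEFAULT NULL,
  `remark` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `pid` (`pid`),
  KEY `status` (`status`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 ;

CREATE TABLE IF NOT EXISTS `think_role_user` (
  `role_id` mediumint(9) unsigned DEFAULT NULL,
  `user_id` char(32) DEFAULT NULL,
  KEY `group_id` (`role_id`),
  KEY `user_id` (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
*/
class Rbac
{
    /**
     * Fetch the single record that matches the given conditions.
     *
     * This method only runs the lookup; it verifies no password or other
     * credential itself, so the caller must do that on the returned row.
     * NOTE(review): $map reaches where() unchanged. If where() accepts
     * operator arrays, a request array passed straight through could alter
     * the query - confirm that callers build $map from validated scalars.
     *
     * @param mixed  $map   query conditions handed to where()
     * @param string $model model name; USER_AUTH_MODEL is used when empty
     * @return mixed the result of find()
     */
    public static function authenticate($map, $model = '')
    {
        if (empty($model)) {
            $model = C('USER_AUTH_MODEL');
        }
        return M($model)->where($map)->find();
    }

    /**
     * Load the user's permissions and keep them in $_SESSION['_ACCESS_LIST'].
     *
     * Nothing is stored in real-time mode (USER_AUTH_TYPE == 2) or when the
     * session carries the administrator marker.
     *
     * @param mixed $authId user id; defaults to the id stored in the session
     * @return void
     */
    public static function saveAccessList($authId = null)
    {
        if (null === $authId) {
            $authId = self::sessionAuthId();
        }
        // empty() instead of a raw index read: an absent marker means "not an administrator".
        if (C('USER_AUTH_TYPE') != 2 && empty($_SESSION[C('ADMIN_AUTH_KEY')])) {
            $_SESSION['_ACCESS_LIST'] = self::getAccessList($authId);
        }
        return;
    }

    /**
     * Return the node ids the user may access within one module.
     *
     * @param mixed  $authId user id; defaults to the id stored in the session
     * @param string $module module name; defaults to CONTROLLER_NAME
     * @return array list of node ids
     */
    public static function getRecordAccessList($authId = null, $module = '')
    {
        if (null === $authId) {
            $authId = self::sessionAuthId();
        }
        if (empty($module)) {
            $module = CONTROLLER_NAME;
        }
        return self::getModuleAccessList($authId, $module);
    }

    /**
     * Tell whether the current controller/action pair requires authentication.
     *
     * Returns false when USER_AUTH_ON is off. Otherwise both the controller
     * and the action must be protected according to the REQUIRE_AUTH_* lists
     * or, when a REQUIRE list is empty, by not being in the NOT_AUTH_* list.
     *
     * @return bool true when the current request must be authorized
     */
    public static function checkAccess()
    {
        if (!C('USER_AUTH_ON')) {
            return false;
        }
        return self::requiresAuth(CONTROLLER_NAME, 'REQUIRE_AUTH_MODULE', 'NOT_AUTH_MODULE')
            && self::requiresAuth(ACTION_NAME, 'REQUIRE_AUTH_ACTION', 'NOT_AUTH_ACTION');
    }

    /**
     * Send unauthenticated visitors to the gateway, or give guests an access list.
     *
     * @return bool false only if the redirect did not end the request, true otherwise
     */
    public static function checkLogin()
    {
        if (self::checkAccess() && empty($_SESSION[C('USER_AUTH_KEY')])) {
            if (C('GUEST_AUTH_ON')) {
                // Guest access is enabled: store the guest permissions once per session.
                if (!isset($_SESSION['_ACCESS_LIST'])) {
                    self::saveAccessList(C('GUEST_AUTH_ID'));
                }
            } else {
                redirect(PHP_FILE . C('USER_AUTH_GATEWAY'));
                // redirect() is expected to end the request. If it ever returns,
                // report the failed login check instead of success.
                return false;
            }
        }
        return true;
    }

    /**
     * Decide whether the current user may run the current action.
     *
     * In login mode the decision is cached in the session per request target,
     * so a permission change only takes effect once the session data is
     * rebuilt. In real-time mode (USER_AUTH_TYPE == 2) the database is read
     * on every call.
     *
     * @param string $appName application (module) name; defaults to MODULE_NAME
     * @return bool true when access is allowed or no authorization is needed
     */
    public static function AccessDecision($appName = MODULE_NAME)
    {
        // Fall back to the current module only when no name was given. Combining the
        // two names with the bitwise | operator would OR the strings byte by byte and
        // corrupt any supplied name that differs from MODULE_NAME.
        if (empty($appName)) {
            $appName = MODULE_NAME;
        }
        if (!self::checkAccess()) {
            return true;
        }
        // Sessions carrying the administrator marker skip the permission lookup.
        if (!empty($_SESSION[C('ADMIN_AUTH_KEY')])) {
            return true;
        }

        // NOTE(review): the three names are joined without a separator, so two
        // different targets whose names concatenate to the same string share one
        // cached decision. Consider a delimiter if the key layout can change.
        $accessGuid = md5($appName . CONTROLLER_NAME . ACTION_NAME);

        if (C('USER_AUTH_TYPE') == 2) {
            // Real-time mode: permission changes in the back end apply immediately.
            $accessList = self::getAccessList(self::sessionAuthId());
        } else {
            // Login mode: reuse an earlier positive decision for this target.
            if (!empty($_SESSION[$accessGuid])) {
                return true;
            }
            $accessList = isset($_SESSION['_ACCESS_LIST']) ? $_SESSION['_ACCESS_LIST'] : array();
        }

        $allowed = isset($accessList[strtoupper($appName)][strtoupper(CONTROLLER_NAME)][strtoupper(ACTION_NAME)]);
        $_SESSION[$accessGuid] = $allowed;
        return $allowed;
    }

    /**
     * Build the full permission tree of one user.
     *
     * The result is keyed APP => MODULE => ACTION => node id, all keys in
     * upper case. Actions granted on a module named "Public" are added to
     * every other module of the same application, and the Public module
     * itself gets no entry, so a Public grant is effectively application-wide.
     *
     * Table names come from configuration and are concatenated as they are;
     * they must never be derived from request data.
     *
     * @param mixed $authId user id
     * @return array permission tree, empty when nothing is granted
     */
    public static function getAccessList($authId)
    {
        $db = Db::getInstance(C('RBAC_DB_DSN'));
        $table = array(
            'role'   => C('RBAC_ROLE_TABLE'),
            'user'   => C('RBAC_USER_TABLE'),
            'access' => C('RBAC_ACCESS_TABLE'),
            'node'   => C('RBAC_NODE_TABLE'),
        );

        $access = array();
        foreach (self::queryNodes($db, $table, $authId, 1) as $app) {
            $appKey = strtoupper($app['name']);
            $access[$appKey] = array();
            $modules = self::queryNodes($db, $table, $authId, 2, $app['id']);

            // Collect the actions of the Public module, then drop it from the list.
            $publicAction = array();
            foreach ($modules as $key => $module) {
                if ('PUBLIC' == strtoupper($module['name'])) {
                    foreach (self::queryNodes($db, $table, $authId, 3, $module['id']) as $node) {
                        $publicAction[$node['name']] = $node['id'];
                    }
                    unset($modules[$key]);
                    break;
                }
            }

            // Read the actions of every remaining module.
            foreach ($modules as $module) {
                $action = array();
                foreach (self::queryNodes($db, $table, $authId, 3, $module['id']) as $node) {
                    $action[$node['name']] = $node['id'];
                }
                // Module-specific entries win; Public actions fill in the rest.
                $action += $publicAction;
                $access[$appKey][strtoupper($module['name'])] = array_change_key_case($action, CASE_UPPER);
            }
        }
        return $access;
    }

    /**
     * Read the node ids granted to a user for one module.
     *
     * $module defaults to CONTROLLER_NAME in getRecordAccessList(), so both
     * values are escaped before they are placed in the statement.
     * NOTE(review): the query filters on access.status, which the table
     * definition in the header comment does not declare - confirm the schema.
     *
     * @param mixed  $authId user id
     * @param string $module module name
     * @return array list of node ids
     */
    public static function getModuleAccessList($authId, $module)
    {
        $db = Db::getInstance(C('RBAC_DB_DSN'));
        $table = array(
            'role'   => C('RBAC_ROLE_TABLE'),
            'user'   => C('RBAC_USER_TABLE'),
            'access' => C('RBAC_ACCESS_TABLE'),
        );
        $sql = "select access.node_id from " .
            $table['role'] . " as role," .
            $table['user'] . " as user," .
            $table['access'] . " as access " .
            "where user.user_id='" . self::escape($db, $authId) . "' and user.role_id=role.id and ( access.role_id=role.id or (access.role_id=role.pid and role.pid!=0 ) ) and role.status=1 and access.module='" . self::escape($db, $module) . "' and access.status=1";
        $rs = $db->query($sql);

        $access = array();
        // A failed query yields no array; treat it as "no permissions".
        if (is_array($rs)) {
            foreach ($rs as $node) {
                $access[] = $node['node_id'];
            }
        }
        return $access;
    }

    // Return the authenticated user id stored in the session, or null when there is none.
    private static function sessionAuthId()
    {
        $key = C('USER_AUTH_KEY');
        return isset($_SESSION[$key]) ? $_SESSION[$key] : null;
    }

    // Decide whether $name is protected: listed in the REQUIRE setting, or, when that
    // setting is empty, absent from the exempt setting. Entries are compared verbatim
    // after upper-casing and are not trimmed, so "A, B" does not match "B".
    private static function requiresAuth($name, $requireKey, $exemptKey)
    {
        $name = strtoupper($name);
        if ("" != C($requireKey)) {
            return in_array($name, explode(',', strtoupper(C($requireKey))), true);
        }
        return !in_array($name, explode(',', strtoupper(C($exemptKey))), true);
    }

    // Escape a value for use inside a single-quoted SQL string literal. The driver's
    // own escaping is used when it offers one; addslashes() is only a fallback and is
    // not reliable with multi-byte connection charsets such as GBK.
    private static function escape($db, $value)
    {
        $value = (string) $value;
        if (is_object($db) && method_exists($db, 'escapeString')) {
            return $db->escapeString($value);
        }
        return addslashes($value);
    }

    // Select the enabled nodes of one level that the user's roles (or their parent
    // roles) grant, optionally limited to one parent node. Numeric parts are cast to
    // int and the user id is escaped; a failed query is returned as an empty list.
    private static function queryNodes($db, array $table, $authId, $level, $pid = null)
    {
        $sql = "select node.id,node.name from " .
            $table['role'] . " as role," .
            $table['user'] . " as user," .
            $table['access'] . " as access ," .
            $table['node'] . " as node " .
            "where user.user_id='" . self::escape($db, $authId) . "' and user.role_id=role.id and ( access.role_id=role.id or (access.role_id=role.pid and role.pid!=0 ) ) and role.status=1 and access.node_id=node.id and node.level=" . (int) $level;
        if (null !== $pid) {
            $sql .= " and node.pid=" . (int) $pid;
        }
        $sql .= " and node.status=1";

        $rows = $db->query($sql);
        return is_array($rows) ? $rows : array();
    }
}
```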