PHP 中基于 Casbin 做 RBAC + RESTful 權限控制 · Casbin在PHP中的使用教程

[PHP-Casbin](https://github.com/php-casbin/php-casbin) 是一個強大的、高效的開源訪問控制框架，它支持基于各種訪問控制模型的權限管理。這里使用官方提供的數據庫適配器擴展：[Database adapter](https://github.com/php-casbin/database-adapter). ### 安裝通過`composer`安裝： ``` composer require casbin/casbin composer require casbin/database-adapter ``` ### 使用 RBAC Model model.conf 如下: ``` [request_definition] r = sub, obj, act [policy_definition] p = sub, obj, act # RBAC角色繼承關系的定義 [role_definition] g = _, _ [policy_effect] e = some(where (p.eft == allow)) [matchers] m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act) ``` ### 初始化一個Casbin enforcer ```php use Casbin\Enforcer; use CasbinAdapter\Database\Adapter; $adapter = Adapter::newAdapter([ 'type' => 'mysql', 'hostname' => '127.0.0.1', 'database' => 'test', 'username' => 'root', ]); $enforcer = new Enforcer('path/to/model.conf', $adapter); ``` ### 添加策略給alice和bob分配角色： ```php // alice has the admin role $enforcer->addRoleForUser('alice', 'admin'); // bob has the member role $enforcer->addRoleForUser('bob', 'member'); ``` 給member角色分配權限，`member` 角色僅對`foo`資源有查看權限: ```php $enforcer->addPermissionForUser('member', '/foo', 'GET'); $enforcer->addPermissionForUser('member', '/foo/:id', 'GET'); ``` `admin`角色對`foo`擁有增刪改查權限： ```php // admin inherits all permissions of member $enforcer->addRoleForUser('admin', 'member'); $enforcer->addPermissionForUser('admin', '/foo', 'POST'); $enforcer->addPermissionForUser('admin', '/foo/:id', 'PUT'); $enforcer->addPermissionForUser('admin', '/foo/:id', 'DELETE'); ``` 分配完角色和權限后，數據庫中的策略規則大致如下： ``` g, alice, admin g, bob, member p, memeber, /foo, GET p, memeber, /foo/:id, GET g, admin, member p, admin, /foo, POST p, admin, /foo/:id, PUT p, admin, /foo/:id, DELETE ``` ### 驗證權限 `alice` 具有`admin`角色，繼承`admin`和`member`兩個角色的全部權限. ```php $enforcer->enforce('alice', '/foo', 'GET'); // true $enforcer->enforce('alice', '/foo', 'GET'); // true $enforcer->enforce('alice', '/foo', 'POST'); // true $enforcer->enforce('alice', '/foo/1', 'PUT'); // true $enforcer->enforce('alice', '/foo/1', 'DELETE'); // true ``` `bob` 具有`member`角色, 只繼承`member`的權限. ```php $enforcer->enforce('bob', '/foo', 'GET'); // true $enforcer->enforce('bob', '/foo', 'GET'); // true $enforcer->enforce('bob', '/foo', 'POST'); // false $enforcer->enforce('bob', '/foo/1', 'PUT'); // false $enforcer->enforce('bob', '/foo/1', 'DELETE'); // false ```