
think-authz's Introduction

ThinkPHP Authorization

Think-authz is an authorization (role and permission control) tool built specifically for ThinkPHP.


It is based on PHP-Casbin, a powerful and efficient open-source access control framework that supports access control models such as ACL, RBAC and ABAC.

Before you start, you should be familiar with Casbin.

Installation

This extension requires PHP 7.1+ and ThinkPHP 6.x/8.x; for TP 5.1 use Think-Casbin instead.

Install with composer:

composer require casbin/think-authz

Register the service by adding it to the application's global service.php file:

return [
    // ...

    tauthz\TauthzService::class,
];

Publish the config file and the database migration file:

php think tauthz:publish

This generates the files config/tauthz-rbac-model.conf and config/tauthz.php.

Run the migration (make sure the database configuration is correct):

php think migrate:run

This creates a table named rules.

Usage

Quick start

After installation, it can be used like this:

use tauthz\facade\Enforcer;

// adds permissions to a user
Enforcer::addPermissionForUser('eve', 'articles', 'read');
// adds a role for a user.
Enforcer::addRoleForUser('eve', 'writer');
// adds a permission to a role
Enforcer::addPolicy('writer', 'articles', 'edit');

You can check whether a user has a given permission:

// to check if a user has permission
if (Enforcer::enforce("eve", "articles", "edit")) {
    // permit eve to edit articles
} else {
    // deny the request, show an error
}

Using the Enforcer API

It provides a rich API for manipulating the policy:

Get all roles:

Enforcer::getAllRoles(); // ['writer', 'reader']

Get the authorization rules of all roles:

Enforcer::getPolicy();

Get all roles of a user:

Enforcer::getRolesForUser('eve'); // ['writer']

Get all users of a role:

Enforcer::getUsersForRole('writer'); // ['eve']

Determine whether a user has a role:

Enforcer::hasRoleForUser('eve', 'writer'); // true or false

Add a role to a user:

Enforcer::addRoleForUser('eve', 'writer');

Grant a permission to a user or role:

// to user
Enforcer::addPermissionForUser('eve', 'articles', 'read');
// to role
Enforcer::addPermissionForUser('writer', 'articles','edit');

Remove a role from a user:

Enforcer::deleteRoleForUser('eve', 'writer');

Remove all roles of a user:

Enforcer::deleteRolesForUser('eve');

Delete a single role:

Enforcer::deleteRole('writer');

Delete a permission:

Enforcer::deletePermission('articles', 'read'); // returns false if the permission does not exist (aka not affected).

Remove a permission from a user or role:

Enforcer::deletePermissionForUser('eve', 'articles', 'read');

Remove all permissions of a user or role:

// to user
Enforcer::deletePermissionsForUser('eve');
// to role
Enforcer::deletePermissionsForUser('writer');

Get all permissions of a user or role:

Enforcer::getPermissionsForUser('eve'); // return array

Determine whether a user has a permission:

Enforcer::hasPermissionForUser('eve', 'articles', 'read');  // true or false

For more APIs, see the Casbin API.

Using the middleware

This package ships with a \tauthz\middleware\Basic::class middleware:

Route::get('news/:id','News/Show')
	->middleware(\tauthz\middleware\Basic::class, ['news', 'read']);

Acknowledgements

Casbin: the full documentation is available on its official website.

License

This project is licensed under the Apache 2.0 license.

think-authz's People

Contributors

basakest, leeqvip, qeq66, tinywan, zhanghangt, zhangyue0503


think-authz's Issues

The example in README.md appears to be wrong

In the project's readme.md file:

Grant a permission to a user or role:

// to user
Enforcer::addPermissionForUser('eve', 'articles', 'read');
// to role
Enforcer::addPermissionForUser('writer', 'articles','edit');

Remove all permissions of a user or role:

// to user
Enforcer::deletePermissionsForUser('eve');
// to role
Enforcer::deletePermissionsForUser('writer');

Both places give an example for "to user" and one for "to role",
but the examples commented "to role" both call xxxForUser().

RBAC inheritance not working

[Without inheritance] Defining the policy directly for the user passes

Printed log

[2020-09-25T13:11:24+08:00][info] Model:
[2020-09-25T13:11:24+08:00][info] r.r: sub, obj, act
[2020-09-25T13:11:24+08:00][info] p.p: sub, obj, act
[2020-09-25T13:11:24+08:00][info] e.e: some(where (p_eft == allow))
[2020-09-25T13:11:24+08:00][info] m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && regexMatch(r_act, p_act)
[2020-09-25T13:11:24+08:00][info] g.g: _, _
[2020-09-25T13:11:24+08:00][info] Policy:
[2020-09-25T13:11:24+08:00][info] p: sub, obj, act: [["teacher_role","\/api\/groups","POST"],["student_role","\/api\/books\/:id","GET"],["110","\/api\/groups","POST"]]
[2020-09-25T13:11:24+08:00][info] g: _, _: [["teacher_student_group","teacher_role"],["56","teacher_student_group"]]
[2020-09-25T13:11:24+08:00][info] Role links for: g
[2020-09-25T13:11:24+08:00][info] teacher_student_group < teacher_role, 56 < teacher_student_group
[2020-09-25T13:11:24+08:00][info] Request: 110, /api/groups, POST ---> 1

Permission check: Enforcer::enforce(strval($uid), $url, $action) === true

[Inheriting the role's policy] Does not pass

Printed log

[2020-09-25T13:12:49+08:00][info] Model:
[2020-09-25T13:12:49+08:00][info] r.r: sub, obj, act
[2020-09-25T13:12:49+08:00][info] p.p: sub, obj, act
[2020-09-25T13:12:49+08:00][info] e.e: some(where (p_eft == allow))
[2020-09-25T13:12:49+08:00][info] m.m: g(r_sub, p_sub) && keyMatch2(r_obj, p_obj) && regexMatch(r_act, p_act)
[2020-09-25T13:12:49+08:00][info] g.g: _, _
[2020-09-25T13:12:49+08:00][info] Policy:
[2020-09-25T13:12:49+08:00][info] p: sub, obj, act: [["teacher_role","\/api\/groups","POST"],["student_role","\/api\/books\/:id","GET"],["1111","\/api\/groups","POST"]]
[2020-09-25T13:12:49+08:00][info] g: _, _: [["teacher_student_group","teacher_role"],["110","student_role"]]
[2020-09-25T13:12:49+08:00][info] Role links for: g
[2020-09-25T13:12:49+08:00][info] teacher_student_group < teacher_role, 110 < student_role
[2020-09-25T13:12:49+08:00][info] Request: 110, /api/groups, POST ---> 

Permission check: Enforcer::enforce(strval($uid), $url, $action) === false
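The README's addRoleForUser / addPolicy / enforce calls and the two enforcer logs quoted in this issue both come down to the same matcher, m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act). The Python script below is an added example, not code from think-authz or PHP-Casbin: it re-implements only enough of that model (transitive g links, keyMatch2, regexMatch and the some(where allow) effect) to replay the policy from the log. The policy and role links are copied from the second log above; the names key_match2, regex_match, RoleManager and enforce are this example's own. Replaying it shows what the log already says: user 110 does inherit student_role, but that role's only rule covers /api/books/:id GET, not /api/groups POST, so the request is denied.

```python
import re
from collections import defaultdict

# Constructed input, copied from the enforcer log of the second run above
# (user 110 only inherits student_role).
POLICY = [  # p, sub, obj, act
    ("teacher_role", "/api/groups", "POST"),
    ("student_role", "/api/books/:id", "GET"),
    ("1111", "/api/groups", "POST"),
]
ROLE_LINKS = [  # g, child, parent
    ("teacher_student_group", "teacher_role"),
    ("110", "student_role"),
]


def key_match2(key1: str, key2: str) -> bool:
    """keyMatch2 semantics: '/*' matches any tail and ':name' matches exactly
    one path segment, e.g. /api/books/:id matches /api/books/42."""
    pattern = key2.replace("/*", "/.*")
    pattern = re.sub(r":[^/]+", "[^/]+", pattern)
    return re.fullmatch(pattern, key1) is not None


def regex_match(key1: str, key2: str) -> bool:
    """regexMatch semantics: key2 is a regular expression searched in key1."""
    return re.search(key2, key1) is not None


class RoleManager:
    """Minimal stand-in for Casbin's DefaultRoleManager: g(child, parent) holds
    when parent is reachable through any chain of role links."""

    def __init__(self, links):
        self.parents = defaultdict(set)
        for child, parent in links:
            self.parents[child].add(parent)

    def has_link(self, name1: str, name2: str) -> bool:
        if not isinstance(name1, str) or not isinstance(name2, str):
            # The PHP role manager rejects non-string subjects (see the
            # hasLink() type error reported further down this page), which is
            # why the README casts the user id with strval().
            raise TypeError("role names must be strings")
        if name1 == name2:
            return True
        seen, stack = set(), [name1]
        while stack:
            node = stack.pop()
            for parent in self.parents.get(node, ()):
                if parent == name2:
                    return True
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return False


def enforce(sub, obj, act, policy=POLICY, links=ROLE_LINKS) -> bool:
    """m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
    with e = some(where (p.eft == allow)): any matching rule grants access."""
    rm = RoleManager(links)
    return any(
        rm.has_link(sub, p_sub) and key_match2(obj, p_obj) and regex_match(act, p_act)
        for p_sub, p_obj, p_act in policy
    )


if __name__ == "__main__":
    # Inherited via 110 -> student_role; that role's rule covers books only.
    print(enforce("110", "/api/books/42", "GET"))  # True
    print(enforce("110", "/api/groups", "POST"))    # False, as in the second log
    # A rule written directly for the user, as in the first run of the issue.
    direct = POLICY + [("110", "/api/groups", "POST")]
    print(enforce("110", "/api/groups", "POST", policy=direct))  # True
```

The model itself is not the problem here: inheritance resolves and the decision follows from which objects and actions the inherited role actually carries. When an inherited check unexpectedly fails, compare the role's p rules from the log against the requested obj and act before suspecting the g links.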

Small problem after upgrading 1.5.2 => 1.5.3

file: src/adapter/DatabaseAdapter.php
Use loadPolicyArray instead of loadPolicyLine

The first array argument passed to loadPolicyArray has changed.
1.5.2 ["p", "writer","articles","edit"]
1.5.3 [1, "p", "writer","articles","edit"]

Runtime error

After upgrading topthink/think-migration to 3.1, running php think tauthz:publish reports an error

Found a bug

Installing this extension breaks the \think\Facade\Filesystem::getDiskConfig('public', 'url') method used for local uploads

Using my own model, verification never passes

Using my own authorization model, verification never passes, even though the records exist in the database.
Using

Enforcer::getPolicy();

also prints the content.

Code executed:

public function index(){
    print_r(Enforcer::getPolicy());
    $haspermission = Enforcer::enforce('backend', '31', '32', '/auth/login', '*');
    var_dump($haspermission);
    // returned bool(false)
}

If I manually add a rule and then run enforce, it returns true, but on the next request it becomes false again.

Enforcer::addPolicy('backend', '31', '32', '/auth/login', '*');

Model conf file:

[request_definition]
r = end, school_id, user_id, path, method

[policy_definition]
p = end, school_id, user_id, path, method

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.end == p.end && r.school_id == p.school_id && r.user_id == p.user_id && keyMatch(r.path, p.path) && keyMatch(r.method, p.method)

UpdatableAdapter::updateFilteredPolicies has not implemented

Trace Error:

Class tauthz\adapter\DatabaseAdapter contains 1 abstract method and must therefore be declared abstract or implement the remaining methods 
(Casbin\Persist\UpdatableAdapter::updateFilteredPolicies) in
vendor/casbin/think-authz/src/adapter/DatabaseAdapter.php on line 17

I'm using addRoleForUser methods to add some role.

This is my model file (RBAC):

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Class 'tauthz\middleware\Enforcer' not found

Using the middleware produces an error

config/middleware.php
<?php
// middleware configuration
return [
    // aliases or groups
    'alias' => [
        'authz' => tauthz\middleware\Basic::class,
    ],
    // priority: middleware in this array run first, in array order
    'priority' => [],
];

How do I configure ABAC?

I went through all of the code and found nothing related; even changing the model in tauthz.php doesn't really work

TP 6.0 installation problem

Installing with composer gives the following error:

[InvalidArgumentException]
Could not find a version of package casbin/think-authz matching your minimum-stability (stable). Require it with an
explicit version constraint allowing its desired stability.

Why are the roles in a domain always empty arrays?

Enforcer::AddRoleForUserInDomain('alice', 'writer', 'admin')
Enforcer::addPolicy('writer', 'admin', 'articles','edit')
Enforcer::GetUsersForRoleInDomain("alice", "admin")
Which of these steps is wrong?

[RBAC with domains] Multi-tenant check for domain1 does not pass

rbac_with_domains_model.conf

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

rbac_with_domains_policy.csv

p, admin, www.tinywan.com, data1, read
p, admin, www.tinywan.com, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, www.tinywan.com
g, bob, admin, domain2

use php-casbin check

$e = new Enforcer(public_path()."rbac_with_domains_model.conf", public_path()."rbac_with_domains_policy.csv");
$sub = "alice"; 
$dom = "www.tinywan.com"; 
$obj = "data1"; 
$act = "read";
if ($e->enforce($sub, $dom,$obj, $act) === true) {
    dd('true');
} else {
    dd('false');
}

result true

use think-authz check

$sub = "alice"; 
$dom = "www.tinywan.com"; 
$obj = "data1"; 
$act = "read"; 
if (Enforcer::enforce($sub, $dom, $obj, $act) === true) {
    dd('true');
} else {
    dd('false');
}

result false

e.g. rules table

Argument 1 passed to Casbin\\Rbac\\DefaultRoleManager\\RoleManager::hasLink() must be of the type string,

model

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)

policy

p	25	articles	GET

request

uid=23 url=/api/projects/10086 action=PUT

error

"error_message": "Argument 1 passed to Casbin\\Rbac\\DefaultRoleManager\\RoleManager::hasLink() must be of the type string, int given, called in /var/www/apitest.zhipeizaixian.com/vendor/casbin/casbin/src/Util/BuiltinOperations.php on line 279",

Could a cache expiry option be added?

I noticed the code has a database query cache, and it is permanent; could an expiry option be provided?

Or does the developer still need to clear the cache manually?
