[PHP-Casbin](https://github.com/php-casbin/php-casbin) is a powerful, efficient open-source access control framework that supports authorization based on a range of access control models. This post uses the official database adapter extension: [Database adapter](https://github.com/php-casbin/database-adapter).

### Installation

Install via `composer`:

```
composer require casbin/casbin
composer require casbin/database-adapter
```

### Using the RBAC model

`model.conf` is as follows:

```
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

# RBAC role inheritance definition
[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
```

A request is allowed only if at least one `p` line matches: `g(r.sub, p.sub)` checks that the requesting subject holds the role named in the policy, directly or through role inheritance; `keyMatch2` matches the request path against a pattern such as `/foo/:id`; and `regexMatch` treats `p.act` as a regular expression applied to the request action. Note that `keyMatch2` is anchored, so `/foo/:id` matches `/foo/1` but neither `/foo` nor `/foo/1/bar`, whereas `regexMatch` is an unanchored regex search, so a policy action of `GET` also matches a request action such as `GETX`. Either normalize the request method to a known set before calling `enforce`, or write anchored policy actions such as `^GET$`.

### Initializing a Casbin enforcer

```php
use Casbin\Enforcer;
use CasbinAdapter\Database\Adapter;

$adapter = Adapter::newAdapter([
    'type'     => 'mysql',
    'hostname' => '127.0.0.1',
    'database' => 'test',
    'username' => 'root',
    // In production use a dedicated, least-privilege database user with a
    // password rather than root.
    'password' => '',
]);

$enforcer = new Enforcer('path/to/model.conf', $adapter);
```

### Adding policies

Assign roles to alice and bob:

```php
// alice has the admin role
$enforcer->addRoleForUser('alice', 'admin');
// bob has the member role
$enforcer->addRoleForUser('bob', 'member');
```

Grant permissions to the `member` role; `member` only has read access to the `foo` resource:

```php
$enforcer->addPermissionForUser('member', '/foo', 'GET');
$enforcer->addPermissionForUser('member', '/foo/:id', 'GET');
```

The `admin` role has create, read, update and delete permissions on `foo`:

```php
// admin inherits all permissions of member
$enforcer->addRoleForUser('admin', 'member');
$enforcer->addPermissionForUser('admin', '/foo', 'POST');
$enforcer->addPermissionForUser('admin', '/foo/:id', 'PUT');
$enforcer->addPermissionForUser('admin', '/foo/:id', 'DELETE');
```

After the roles and permissions are assigned, the policy rules in the database look roughly like this:

```
g, alice, admin
g, bob, member
p, member, /foo, GET
p, member, /foo/:id, GET
g, admin, member
p, admin, /foo, POST
p, admin, /foo/:id, PUT
p, admin, /foo/:id, DELETE
```

### Verifying permissions

`alice` has the `admin` role and therefore inherits the full permissions of both `admin` and `member`.
```php
$enforcer->enforce('alice', '/foo', 'GET');      // true
$enforcer->enforce('alice', '/foo/1', 'GET');    // true
$enforcer->enforce('alice', '/foo', 'POST');     // true
$enforcer->enforce('alice', '/foo/1', 'PUT');    // true
$enforcer->enforce('alice', '/foo/1', 'DELETE'); // true
```

`bob` has the `member` role and inherits only `member`'s permissions.

```php
$enforcer->enforce('bob', '/foo', 'GET');        // true
$enforcer->enforce('bob', '/foo/1', 'GET');      // true
$enforcer->enforce('bob', '/foo', 'POST');       // false
$enforcer->enforce('bob', '/foo/1', 'PUT');      // false
$enforcer->enforce('bob', '/foo/1', 'DELETE');   // false
```
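As an added example (not code from the original post or from the Casbin project), the following script wires the same model and policies into a request-level authorization check and exercises the edge cases a reviewer would ask about: query strings, deeper paths than `/foo/:id`, unknown users, and unanchored `regexMatch`. It loads the model from a string with `Model::newModelFromString` and builds the enforcer without an adapter so it runs without MySQL; the `authorize()` function, its status-code convention and the request tuples are assumptions made for this example.

```php
<?php
// Added example: request-level authorization with PHP-Casbin, using the post's
// RBAC model and policies held in memory (no database adapter) so it runs offline.
require_once __DIR__ . '/vendor/autoload.php';

use Casbin\Enforcer;
use Casbin\Model\Model;

$modelText = <<<'CONF'
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
CONF;

$enforcer = new Enforcer(Model::newModelFromString($modelText));

// Same role and permission assignments as in the post.
$enforcer->addRoleForUser('alice', 'admin');
$enforcer->addRoleForUser('bob', 'member');
$enforcer->addRoleForUser('admin', 'member'); // admin inherits member
$enforcer->addPermissionForUser('member', '/foo', 'GET');
$enforcer->addPermissionForUser('member', '/foo/:id', 'GET');
$enforcer->addPermissionForUser('admin', '/foo', 'POST');
$enforcer->addPermissionForUser('admin', '/foo/:id', 'PUT');
$enforcer->addPermissionForUser('admin', '/foo/:id', 'DELETE');

// Assumed: the set of methods this application routes. Because regexMatch is an
// unanchored regex search, a policy action "GET" would also match "GETX"; rejecting
// unknown methods before enforcing closes that gap.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

/**
 * Assumed helper: decide whether the authenticated subject may perform the request.
 * Returns an HTTP status: 200 allowed, 401 no subject, 405 unknown method, 403 denied.
 */
function authorize(Enforcer $e, ?string $subject, string $method, string $uri): int
{
    if ($subject === null || $subject === '') {
        return 401; // not authenticated; never substitute a default subject
    }
    $act = strtoupper($method);
    if (!in_array($act, ALLOWED_METHODS, true)) {
        return 405;
    }
    // Enforce on the path only: a query string must not change the decision.
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    return $e->enforce($subject, $path, $act) ? 200 : 403;
}

// Constructed requests (subject, method, URI).
$requests = [
    ['alice', 'DELETE', '/foo/42?confirm=1'], // admin inherits DELETE on /foo/:id
    ['bob',   'get',    '/foo/42'],           // lower-case method is normalized
    ['bob',   'DELETE', '/foo/42'],           // member has no DELETE
    ['bob',   'GET',    '/foo/42/secret'],    // keyMatch2 /foo/:id is anchored
    ['bob',   'GETX',   '/foo'],              // unknown method never reaches enforce
    ['carol', 'GET',    '/foo'],              // no roles: deny by default
    [null,    'GET',    '/foo'],              // unauthenticated
];
foreach ($requests as [$sub, $method, $uri]) {
    printf("%-6s %-7s %-20s => %d\n", $sub ?? '(anon)', $method, $uri,
        authorize($enforcer, $sub, $method, $uri));
}

// Effective permissions of alice, including those inherited through admin -> member.
foreach ($enforcer->getImplicitPermissionsForUser('alice') as $p) {
    echo implode(', ', $p), "\n";
}
```

The script prints one decision per constructed request followed by alice's effective policy lines; swapping the in-memory model for the database adapter from the post changes nothing in `authorize()`, since it only depends on `Enforcer::enforce`.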