当前位置 : 主页 > 网络编程 > PHP >

YII学习第十天,访问控制filter

来源:互联网 收集:自由互联 发布时间:2023-10-08
在Controller.php 注:filters是yii的CController.php中定义的方法,而Controller.php是继承CController.php的。此处,相当于覆盖父类中的filters方法。而所有的XXController.php又继承自Controller.php,显然都可


在Controller.php 

注:filters是yii的CController.php中定义的方法,而Controller.php是继承CController.php的。此处,相当于覆盖父类中的filters方法。而所有的XXController.php又继承自Controller.php,显然都可以定义authlessActions()方法覆盖父类中相应方法。 

public function filterAccessAuth($filterChain) {
if(Yii::app()->user->getIsGuest() && !in_array($this->getAction()->getId(), $this->authlessActions())) {
Yii::app()->user->setFlash("info", "请先登录");
Yii::app()->user->loginRequired(); //封装了Yii::app()->user->loginUrl
}
elseif(!in_array($this->getAction()->getId(), $this->authlessActions()) && $this->current_user && $this->current_user->isPasswordExpired()) {
$this->user->setFlash('error', "你的密码已经过期,超过: " . Yii::app()->params['user_pwd_max_expire_day'] . "天没有修改,请修改密码");
$this->redirect($this->createUrl("/account/profile"));
}

if(!in_array($this->getAction()->getId(), $this->authlessActions()) && $this->current_user && $this->current_user->hi_id == NULL) {
$target_url = $this->createUrl('account/profile');
$this->user->setFlash('info', "你还没有设置Hi,请尽快到" . "<a href=\"$target_url\"> 账号设置 </a>" . "添加!");
}

$filterChain->run();
}

public function filters() {
return array(
'accessAuth',
);
}

public function authlessActions() {
return array();
}

 批注1:yii中使用filter规则。 

For method-based filters, a method named 'filterXYZ($filterChain)' in the controller class will be executed, where 'XYZ' stands for the filter name as specified in filters(). Note, inside the filter method, you must call $filterChain->run() if the action should be executed. Otherwise, the filtering process would stop at this filter. 





批注2:另一种用法(隐式用法) 
在1.1.7中,

public function filters() { 
return array(
'accessControl',
);
}


也即accessControl对应下面这个方法 
public void filterAccessControl(CFilterChain $filterChain) 

The filter method for 'accessControl' filter. The filter method for 'accessControl' filter. This filter is a wrapper of CAccessControlFilter. To use this filter, you must override accessRules method. 

class PostController extends CController
{
......
public function accessRules()
{
return array(
rray('deny',
'actions'=>array('create', 'edit'),
'users'=>array('?'),
),
array('allow',
'actions'=>array('delete'),
'roles'=>array('admin'),
),
array('deny',
'actions'=>array('delete'),
'users'=>array('*'),
),
);
}
}

 所以不难看出filter至少有两种类型,一种是accessAuth,另一种是accessControl。 


批注3:当用户访问index.php?r=site/login 

首先,映射到SiteController.php中 
而在SiteController.php中,覆盖了Controller.php的public function authlessActions()方法,不再是空数组, 
而是return array('login', 'logout', 'error', 'page', 'bashJs'); 



批注4:在actionLogin方法里 

if(isset($_POST['LoginForm']))
{
$model->attributes=$_POST['LoginForm'];
// validate user input and redirect to the previous page if valid
if($model->validate() && $model->login()) {
//初始化前,先初始化父类Controller.php的成员变量和成员函数。
$this->init();

// 检查上次密码修改时间
if($this->current_user->isPasswordExpired()) {
$this->user->setFlash('error', "密码已经" . Yii::app()->params['user_pwd_max_expire_day'] . "天没有修改过了,请修改密码");
$this->redirect($this->createUrl("/account/profile"));
}

// 检查有没有设置Hi
if($this->current_user->hi_id == NULL) {
$target_url = $this->createUrl('account/profile');
$this->user->setFlash('info', "你还没有设置Hi,请尽快到"."<a href=\"$target_url\"> 账号设置 </a>"."添加!");
}

$this->redirect(Yii::app()->user->returnUrl);
}
}

 根据最前面的方法in_array($this->getAction()->getId(), $this->authlessActions())可以判断该action是否在不用授权数组中。 

注:查看当前controller和action的ID,是Yii::app()->controller->id;和$this->getAction()->getId(); 
其中,$this->getAction()是一个很大的对象,$this->getAction()->getId()是login。 

 

批注5:关于未登录前,应该走下面这个逻辑 

if(Yii::app()->user->getIsGuest() && !in_array($this->getAction()->getId(), $this->authlessActions())) {
Yii::app()->user->setFlash("info", "请先登录");
Yii::app()->user->loginRequired(); //封装了Yii::app()->user->loginUrl
}

 

根据yii框架实现机制,发现Yii::app()->user->loginRequired()封装了Yii::app()->user->loginUrl。 
即注释掉改行后,project/不会自动跳转到project/index.php?r=site/login页面。 



最后,如果用户登陆成功后,用户跳转到site/index,而其定义为outsource/index,当OutsourceController.php执行时,又一次执行Controller.php,此时的authlessActions数组为空,则in_array()为false,取反为true。执行检查上次修改密码超过30天和是否已添加Hi。 

上一篇:PHP防止表单重复提交以及表单过期处理
下一篇:没有了
网友评论