PHP-Casbin是一个强大高效的开源访问控制框架,支持基于各种访问控制模型(RBACABACACL)的权限管理。这里使用官方的数据库适配器扩展:DBALAdapter。通过composer安装:composerrequirecasbin/casbincomposerrequirecasbin/dbal-adapter使用RBACModelmodel.conf如下:[request_definition]r=sub,obj,act[policy_definition]p=sub,obj,act#定义RBAC角色继承关系[role_definition]g=_,_[policy_effect]e=some(where(p.eft==allow))[matchers]m=g(r.sub,p.sub)&&keyMatch2(r.obj,p.obj)&®exMatch(r.act,p.act)初始化一个Casbin执行器使用Casbin\Enforcer;useCasbinAdapter\DBAL\Adapter;$adapter=Adapter::newAdapter(['driver'=>'pdo_mysql','host'=>'127.0.0.1','dbname'=>'test','user'=>'root','password'=>'','port'=>'3306',]);$enforcer=newEnforcer('path/to/model.conf',$adapter);添加分配角色给alice和bob的策略://alice拥有管理员角色$enforcer->addRoleForUser('alice','admin');//bob拥有成员角色$enforcer->addRoleForUser('bob','member');成员角色分配权限,成员角色只有foo资源的查看权限:$enforcer->addPermissionForUser('member','/foo','GET');$enforcer->addPermissionForUser('member','/foo/:id','得到');admin角色拥有增删改查的权限foo://admin继承member的所有权限$enforcer->addRoleForUser('admin','member');$enforcer->addPermissionForUser('admin','/foo','POST');$enforcer->addPermissionForUser('admin','/foo/:id','PUT');$enforcer->addPermissionForUser('admin','/foo/:id','删除');分配角色和权限后,数据库中的policy规则大致如下:g,alice,adming,bob,memberp,memeber,/foo,GETp,memeber,/foo/:id,GETg,admin,memberp,admin,/foo,POSTp,admin,/foo/:id,PUTp,admin,/foo/:id,DELETE认证权限alice拥有admin角色,继承admin和member两个角色的所有权限。$enforcer->enforce('爱丽丝','/foo','GET');//true$enforcer->enforce('alice','/foo','GET');//true$enforcer->enforce('alice','/foo','POST');//true$enforcer->enforce('alice','/foo/1','PUT');//true$enforcer->enforce('alice','/foo/1','DELETE');//真鲍勃拥有成员角色,只继承成员权限。$enforcer->enforce('bob','/foo','GET');//true$enforcer->enforce('bob','/foo','GET')');//true$enforcer->enforce('bob','/foo','POST');//false$enforcer->enforce('bob','/foo/1','PUT');//false$enforcer->enforce('bob','/foo/1','DELETE');//虚假文章转发原文链接:PHP中基于Casbin的RBAC+RESTful权限控制
