Improved verification of user access to controllers and actions

ZakharovAndrew · ZakharovAndrew · commit 76d37fc83d75 · 2024-05-07T17:43:39.000+03:00
diff --git a/migrations/m240112_225911_add_column_to_roles_table.php b/migrations/m240112_225911_add_column_to_roles_table.php
@@ -0,0 +1,19 @@
+<?php
+
+use yii\db\Migration;
+
+/**
+ * Initializing roles
+ */
+class m240112_225911_add_column_to_roles_table extends Migration
+{
+    public function up()
+    {
+        $this->addColumn('roles', 'parameters', 'text');
+    }
+
+    public function down()
+    {
+        $this->dropColumn('roles', 'parameters');
+    }
+}
diff --git a/src/controllers/UserController.php b/src/controllers/UserController.php
@@ -14,7 +14,7 @@
  */
 class UserController extends ParentController
 {
-    public $controller_id = 1;
+    public $controller_id = 1001;
     
     public $full_access_actions = ['login', 'logout'];
 
diff --git a/src/models/Menu.php b/src/models/Menu.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace ZakharovAndrew\user\models;
+
+use Yii;
+use ZakharovAndrew\user\models\User;
+
+/**
+ * Menu
+ */
+class Menu extends \yii\base\Model
+{
+    /**
+     * Get menu for NavBar
+     * @return array
+     */
+    public static function getNavBar()
+    {
+        $controllersAccessList = Yii::$app->getModule('user')->controllersAccessList;
+        
+        $list = User::getAccessList(Yii::$app->user->id);
+        
+        // menu items
+        $items = [];
+        
+        foreach ($controllersAccessList as $controller_id => $params) {
+            if (isset($list[$controller_id])) {
+                $actions = explode(',', $list[$controller_id]);
+                
+                //перебираем
+                foreach ($params as $link => $title) {
+                    
+                    
+                    $arr = explode('/', $link);
+                    if ($list[$controller_id] == '*' || in_array(end($arr), $actions)) {
+                        $items[] = ['label' => $title, 'url' => [$link]];
+                    }
+                }
+            }
+        }
+        
+        return $items;
+    }
+}
diff --git a/src/models/Roles.php b/src/models/Roles.php
@@ -13,6 +13,7 @@
  * @property string $title
  * @property string|null $description
  * @property string|null $created_at
+ * @property string|null $parameters
  */
 class Roles extends \yii\db\ActiveRecord
 {
@@ -32,7 +33,7 @@ public function rules()
         return [
             [['title'], 'required'],
             [['description'], 'string'],
-            [['created_at'], 'safe'],
+            [['parameters', 'created_at'], 'safe'],
             [['title', 'code'], 'string', 'max' => 255],
         ];
     }
@@ -47,6 +48,7 @@ public function attributeLabels()
             'title' => Module::t('Title'),
             'description' => Module::t('Description'),
             'code' => Module::t('Code'),
+            'parameters' => Module::t('Parameters'),
             'created_at' => 'Created At',
         ];
     }
@@ -60,4 +62,26 @@ public static function getRolesList()
         
         return ArrayHelper::map($arr, 'id', 'title');
     }
+    
+    /**
+     * Get all user roles with available controller actions
+     * 
+     * @param integer $user_id User ID
+     * @return mixed
+     */
+    public static function getRolesByUserId($user_id)
+    {
+        return Yii::$app->cache->getOrSet('get_roles_by_user_'.$user_id, function () use ($user_id) {
+            return static::find()
+                ->select('roles.*')
+                ->leftJoin('user_roles', 'user_roles.role_id = roles.id')
+                ->where(['user_roles.user_id' => $user_id])
+                ->all();
+        }, 10);
+    }
+    
+    public function getParametersList()
+    {
+        return json_decode($this->parameters) ?? [];
+    }
 }
diff --git a/src/models/User.php b/src/models/User.php
@@ -113,6 +113,40 @@ public static function getSexList()
             2 => Module::t('Female'),
         ];
     }
+    
+    public static function getAccessList($user_id)
+    {
+        $controllersAccessList = Yii::$app->getModule('user')->controllersAccessList;
+        
+        $roles = Roles::getRolesByUserId($user_id);
+        
+        $list = [];
+        foreach ($roles as $role) {
+            if ($role->code == 'admin') {
+                $list = array_combine(array_keys($controllersAccessList), ['*']);
+                break;
+            }
+            
+            foreach ($role->getParametersList() as $controller_id => $actions) {
+                if ($actions == '*') {
+                    $list[$controller_id] = '*';
+                    break;
+                }
+                
+                $arrAction = explode(',', $actions);
+                
+                if (isset($list[$controller_id]) && $list[$controller_id] != '*') {
+                    $arr = explode(',', $list[$controller_id]);
+                    
+                    $list[$controller_id] = array_merge($arr, $arrAction);
+                } else if (!isset($list[$controller_id])) {
+                    $list[$controller_id] = $actions;
+                }
+            }            
+        }
+        
+        return $list;
+    }
 
     /**
      * Checking the ability to perform the action of the selected controller
@@ -123,27 +157,22 @@ public static function getSexList()
      */
     public static function  isActionAllowed($user_id, $controller_id, $action)
     {
-        $roles_id = \yii\helpers\ArrayHelper::getColumn(
-                UserRoles::find()->select('role_id')->where(['user_id' => $user_id])->asArray()->all(),
-                'role_id'
-            );
-        
-        $roles = \yii\helpers\ArrayHelper::getColumn(
-                    Roles::find()
-                    ->select('code')
-                    ->where(['IN', 'id', $roles_id])
-                    ->asArray()
-                    ->all(),
-                    'code'
-                );
-        
+        // check god mode
+        $roles = \yii\helpers\ArrayHelper::getColumn(UserRoles::getUserRoles($user_id), 'code');
         if (in_array('admin', $roles)) {
             return true;
         }
         
-        //other checking
+        // check access
+        $accessList = static::getAccessList($user_id);
+
+        if (!isset($accessList[$controller_id])) {
+            return false;
+        }
+        
+        $arr = explode(',', $accessList[$controller_id]);
         
-        return false;    
+        return ($accessList[$controller_id] == '*' || in_array($action, $arr));
     }
     
     /**
diff --git a/src/models/UserRoles.php b/src/models/UserRoles.php
@@ -60,13 +60,14 @@ public function attributeLabels()
      */
     public static function getUserRoles($user_id)
     {
-        return Yii::$app->cache->getOrSet('get_users_roles'.$user_id, function () use ($user_id) {
+        return Yii::$app->cache->getOrSet('get_users_roles_'.$user_id, function () use ($user_id) {
             return static::find()
-                ->select('user_roles.*, roles.title')
+                ->select('user_roles.*, roles.title, roles.code')
                 ->leftJoin('roles', 'user_roles.role_id = roles.id')
                 ->where(['user_roles.user_id' => $user_id])
+                ->asArray()
                 ->all();
-        }, 3600);
+        }, 10);
     }
     
     /**
@@ -75,6 +76,7 @@ public static function getUserRoles($user_id)
     public function afterSave($insert, $changedAttributes)
     {
         parent::afterSave($insert, $changedAttributes);
-        Yii::$app->cache->delete('get_users_roles'.$this->user_id);
+        Yii::$app->cache->delete('get_users_roles_'.$this->user_id);
+        Yii::$app->cache->delete('get_roles_by_user_'.$this->user_id);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`*/`
`15`	`15`	`class UserController extends ParentController`
`16`	`16`	`{`
`17`		`- public $controller_id = 1;`
	`17`	`+ public $controller_id = 1001;`
`18`	`18`
`19`	`19`	`public $full_access_actions = ['login', 'logout'];`
`20`	`20`
Original file line number	Diff line number	Diff line change
`@@ -60,13 +60,14 @@ public function attributeLabels()`
`60`	`60`	`*/`
`61`	`61`	`public static function getUserRoles($user_id)`
`62`	`62`	`{`
`63`		`- return Yii::$app->cache->getOrSet('get_users_roles'.$user_id, function () use ($user_id) {`
	`63`	`+ return Yii::$app->cache->getOrSet('get_users_roles_'.$user_id, function () use ($user_id) {`
`64`	`64`	`return static::find()`
`65`		`- ->select('user_roles.*, roles.title')`
	`65`	`+ ->select('user_roles.*, roles.title, roles.code')`
`66`	`66`	`->leftJoin('roles', 'user_roles.role_id = roles.id')`
`67`	`67`	`->where(['user_roles.user_id' => $user_id])`
	`68`	`+ ->asArray()`
`68`	`69`	`->all();`
`69`		`- }, 3600);`
	`70`	`+ }, 10);`
`70`	`71`	`}`
`71`	`72`
`72`	`73`	`/**`
`@@ -75,6 +76,7 @@ public static function getUserRoles($user_id)`
`75`	`76`	`public function afterSave($insert, $changedAttributes)`
`76`	`77`	`{`
`77`	`78`	`parent::afterSave($insert, $changedAttributes);`
`78`		`- Yii::$app->cache->delete('get_users_roles'.$this->user_id);`
	`79`	`+ Yii::$app->cache->delete('get_users_roles_'.$this->user_id);`
	`80`	`+ Yii::$app->cache->delete('get_roles_by_user_'.$this->user_id);`
`79`	`81`	`}`
`80`	`82`	`}`