Authentication and authorization are required for a Web page that should be limited to certain users. Authentication is about verifying whether someone is who they claim to be. It usually involves a username and a password. Authorization is finding out if the person, once identified (i.e. authenticated), is permitted to manipulate specific resources. This is usually determined by finding out if that person is of a particular role that has access to the resources.

Yii

To accommodate different authentication schemes, Yii introduces the class CUserIdentity, whose authenticate() method performs the actual authentication. Typically this method handles the maximum number of password attempts, session creation and failed-password handling.

The identity object then carries the credentials entered by the user to the front controller; this information is persisted (e.g. in the session) and can be used later.

// Login a user with the provided username and password.
$identity=new UserIdentity($username,$password);
if($identity->authenticate())
    Yii::app()->user->login($identity);
else
    echo $identity->errorMessage;
// Logout the current user
Yii::app()->user->logout();

For authorization, we can use access rules in a controller. Here is an example:

public function accessRules() {
    return array(
        array('deny',
            'actions'=>array('create', 'edit'),
            'users'=>array('?'),
        ),
        array('allow',
            'actions'=>array('delete'),
            'roles'=>array('admin'),
        ),
        array('deny',
            'actions'=>array('delete'),
            'users'=>array('*'),
        ),
    );
}

An access rule can match on context parameters such as actions, controllers, users, roles, ips, verbs and expression. For details, see the Yii documentation on access control filters.

Using roles is a very common authorization solution. Even without installing any extra extension, Yii provides a basic role-based solution.

When roles are used in an access rule, CWebUser::checkAccess is called and returns true or false.

A business rule associates roles, operations and tasks. These relationships are stored in the tables authassignment, authitem and authitemchild.

Before we set off to define an authorization hierarchy and perform access checking, we need to configure the authManager application component. Typically it looks like this:

// The auth manager tries to cache the auth information from authassignment and reuse it later.
// If it is not found in the cache, it looks up authitem and authitemchild to check the operation against the roles.
'authManager' => array(
    'class' => 'ext.ECachedDbAuthManager',
    'cacheID' => 'cache',
    'connectionID' => 'db',
    'assignmentTable' => 'authassignment',
    'itemTable' => 'authitem',
    'itemChildTable' => 'authitemchild',
),
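To show how the configured authManager, the role hierarchy and the controller access rules fit together, here is an added example that is not from the original article. It assumes the authManager component above is in place with its three tables created, a Post model with an author_id column, and illustrative item names and user ids (1 for the admin, 2 for an editor).

```php
<?php
// Added example, not from the article: one-time RBAC bootstrap for the authManager configured
// above, and a controller that uses it. Item names, Post model and user ids 1/2 are assumed.
class RbacBootstrap
{
    public static function run()
    {
        $auth = Yii::app()->authManager;
        $auth->clearAll(); // empties all three auth tables; never run against production data
        $auth->createOperation('updatePost', 'update a post');
        $auth->createOperation('deletePost', 'delete a post');
        // Task with a business rule: PHP that checkAccess() evaluates with the caller's $params.
        $bizRule = 'return Yii::app()->user->id == $params["post"]->author_id;';
        $task = $auth->createTask('updateOwnPost', 'update own post', $bizRule);
        $task->addChild('updatePost');
        // Roles: editor may update own posts; admin inherits editor and may delete any post.
        $editor = $auth->createRole('editor');
        $editor->addChild('updateOwnPost');
        $admin = $auth->createRole('admin');
        $admin->addChild('editor');
        $admin->addChild('deletePost');
        $auth->assign('admin', 1);  // rows in authassignment
        $auth->assign('editor', 2);
    }
}
class PostController extends CController
{
    // accessRules() only take effect when the accessControl filter is enabled.
    public function filters()
    {
        return array('accessControl');
    }
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('update'), 'users' => array('@')),
            array('allow', 'actions' => array('delete'), 'roles' => array('admin')),
            array('deny', 'users' => array('*')), // default deny: unmatched requests get 403
        );
    }
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');
        // Object-level check: the business rule sees the post through $params.
        if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post)))
            throw new CHttpException(403, 'You may not update this post.');
    }
}
```

Note that Yii allows a request when no access rule matches it, so the closing deny rule is what turns the list into a default-deny policy; the checkAccess call in the action adds the per-object check that access rules alone cannot express.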

Laravel