php 实现 rbac
实现 RBAC(基于角色的访问控制)的核心思路
RBAC(Role-Based Access Control)是一种常见的权限管理模型,通过角色关联用户和权限。PHP 实现 RBAC 通常包含以下关键组件:
- 用户表:存储用户信息
- 角色表:定义系统角色
- 权限表:定义具体权限
- 用户角色关联表:建立用户与角色关系
- 角色权限关联表:建立角色与权限关系
数据库结构设计
CREATE TABLE users (
id INT PRIMARY KEY AUTO_INCREMENT,
username VARCHAR(50) NOT NULL,
password VARCHAR(255) NOT NULL
);
CREATE TABLE roles (
id INT PRIMARY KEY AUTO_INCREMENT,
name VARCHAR(50) NOT NULL,
description VARCHAR(255)
);
CREATE TABLE permissions (
id INT PRIMARY KEY AUTO_INCREMENT,
name VARCHAR(50) NOT NULL,
description VARCHAR(255)
);
CREATE TABLE user_role (
user_id INT,
role_id INT,
PRIMARY KEY (user_id, role_id),
FOREIGN KEY (user_id) REFERENCES users(id),
FOREIGN KEY (role_id) REFERENCES roles(id)
);
CREATE TABLE role_permission (
role_id INT,
permission_id INT,
PRIMARY KEY (role_id, permission_id),
FOREIGN KEY (role_id) REFERENCES roles(id),
FOREIGN KEY (permission_id) REFERENCES permissions(id)
);核心权限检查类实现
class RBAC {
private $db;
public function __construct($dbConnection) {
$this->db = $dbConnection;
}
public function checkPermission($userId, $permissionName) {
$query = "SELECT COUNT(*) as count FROM permissions p
JOIN role_permission rp ON p.id = rp.permission_id
JOIN user_role ur ON rp.role_id = ur.role_id
WHERE ur.user_id = :user_id AND p.name = :permission_name";
$stmt = $this->db->prepare($query);
$stmt->bindParam(':user_id', $userId);
$stmt->bindParam(':permission_name', $permissionName);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
return $result['count'] > 0;
}
public function getUserRoles($userId) {
$query = "SELECT r.name FROM roles r
JOIN user_role ur ON r.id = ur.role_id
WHERE ur.user_id = :user_id";
$stmt = $this->db->prepare($query);
$stmt->bindParam(':user_id', $userId);
$stmt->execute();
return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}
}中间件实现权限验证
function checkPermission($permission) {
return function($request, $response, $next) use ($permission) {
$userId = $_SESSION['user_id'] ?? null;
if (!$userId) {
return $response->withStatus(403)->withJson(['error' => '未登录']);
}
$rbac = new RBAC($this->db);
if (!$rbac->checkPermission($userId, $permission)) {
return $response->withStatus(403)->withJson(['error' => '权限不足']);
}
return $next($request, $response);
};
}缓存优化策略
为提高性能,可将用户权限缓存起来:
class RBACWithCache extends RBAC {
private $cache = [];
public function checkPermission($userId, $permissionName) {
$cacheKey = "user_{$userId}_permissions";
if (!isset($this->cache[$cacheKey])) {
$query = "SELECT p.name FROM permissions p
JOIN role_permission rp ON p.id = rp.permission_id
JOIN user_role ur ON rp.role_id = ur.role_id
WHERE ur.user_id = :user_id";
$stmt = $this->db->prepare($query);
$stmt->bindParam(':user_id', $userId);
$stmt->execute();
$this->cache[$cacheKey] = $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}
return in_array($permissionName, $this->cache[$cacheKey]);
}
}实际应用示例
// 初始化RBAC
$db = new PDO('mysql:host=localhost;dbname=rbac', 'username', 'password');
$rbac = new RBAC($db);
// 检查权限
if ($rbac->checkPermission($currentUserId, 'edit_post')) {
// 允许编辑文章
} else {
// 显示权限不足
}
// 获取用户所有角色
$roles = $rbac->getUserRoles($currentUserId);最佳实践建议
- 权限名称采用模块_操作格式,如article_edit、user_delete
- 超级管理员角色可跳过权限检查
- 定期清理无效的权限和角色
- 前端界面根据权限动态显示功能按钮
- 记录重要的权限操作日志
这种实现方式灵活且易于扩展,可根据具体项目需求调整数据库结构和权限检查逻辑。
