php rbac实现

PHP RBAC 实现方法

基于数据库的设计

RBAC（基于角色的访问控制）通常涉及用户、角色、权限三个核心表。以下是一个基础数据库结构设计：

用户表（users）：

CREATE TABLE users (
    id INT PRIMARY KEY AUTO_INCREMENT,
    username VARCHAR(50) UNIQUE,
    password VARCHAR(255)
);

角色表（roles）：

CREATE TABLE roles (
    id INT PRIMARY KEY AUTO_INCREMENT,
    name VARCHAR(50) UNIQUE,
    description TEXT
);

权限表（permissions）：

CREATE TABLE permissions (
    id INT PRIMARY KEY AUTO_INCREMENT,
    name VARCHAR(50) UNIQUE,
    description TEXT
);

用户角色关联表（user_roles）：

CREATE TABLE user_roles (
    user_id INT,
    role_id INT,
    PRIMARY KEY (user_id, role_id),
    FOREIGN KEY (user_id) REFERENCES users(id),
    FOREIGN KEY (role_id) REFERENCES roles(id)
);

角色权限关联表（role_permissions）：

CREATE TABLE role_permissions (
    role_id INT,
    permission_id INT,
    PRIMARY KEY (role_id, permission_id),
    FOREIGN KEY (role_id) REFERENCES roles(id),
    FOREIGN KEY (permission_id) REFERENCES permissions(id)
);

核心功能实现

创建RBAC服务类，封装权限检查逻辑：

class RBAC {
    private $db;

    public function __construct(PDO $db) {
        $this->db = $db;
    }

    public function userHasPermission($userId, $permissionName) {
        $stmt = $this->db->prepare("
            SELECT COUNT(*) 
            FROM role_permissions rp
            JOIN permissions p ON rp.permission_id = p.id
            JOIN user_roles ur ON rp.role_id = ur.role_id
            WHERE ur.user_id = :userId AND p.name = :permissionName
        ");
        $stmt->execute([
            ':userId' => $userId,
            ':permissionName' => $permissionName
        ]);
        return $stmt->fetchColumn() > 0;
    }

    public function assignRoleToUser($userId, $roleId) {
        $stmt = $this->db->prepare("
            INSERT INTO user_roles (user_id, role_id) 
            VALUES (:userId, :roleId)
        ");
        return $stmt->execute([
            ':userId' => $userId,
            ':roleId' => $roleId
        ]);
    }
}

中间件实现

创建权限检查中间件，用于保护路由：

class PermissionMiddleware {
    protected $rbac;
    protected $permission;

    public function __construct(RBAC $rbac, $permission) {
        $this->rbac = $rbac;
        $this->permission = $permission;
    }

    public function __invoke($request, $response, $next) {
        $userId = $_SESSION['user_id'] ?? null;
        if (!$userId || !$this->rbac->userHasPermission($userId, $this->permission)) {
            return $response->withStatus(403)->write('Forbidden');
        }
        return $next($request, $response);
    }
}

缓存优化

为提高性能，可以实现权限缓存：

class CachedRBAC extends RBAC {
    private $cache = [];

    public function userHasPermission($userId, $permissionName) {
        $cacheKey = "user_{$userId}_perm_{$permissionName}";
        if (!isset($this->cache[$cacheKey])) {
            $this->cache[$cacheKey] = parent::userHasPermission($userId, $permissionName);
        }
        return $this->cache[$cacheKey];
    }
}

实际应用示例

在控制器中使用RBAC检查：

$app->get('/admin', function ($request, $response) {
    $rbac = new RBAC($this->db);
    if (!$rbac->userHasPermission($_SESSION['user_id'], 'admin_access')) {
        return $response->withStatus(403);
    }
    return $this->view->render($response, 'admin.twig');
});

现有框架集成

对于Laravel等现代框架，可直接使用内置Gate和Policy系统：

// 在AuthServiceProvider中定义权限
Gate::define('edit-post', function ($user, $post) {
    return $user->id === $post->user_id;
});

// 在控制器中使用
if (Gate::denies('edit-post', $post)) {
    abort(403);
}

测试策略

编写单元测试验证RBAC功能：

class RBACTest extends PHPUnit_Framework_TestCase {
    public function testPermissionCheck() {
        $db = new PDO('sqlite::memory:');
        // 初始化测试数据...

        $rbac = new RBAC($db);
        $this->assertTrue($rbac->userHasPermission(1, 'create_post'));
        $this->assertFalse($rbac->userHasPermission(2, 'delete_post'));
    }
}