YII学习第十天,访问控制filter
在Controller.php
注:filters是yii的CController.php中定义的方法,而Controller.php是继承CController.php的。此处,相当于覆盖父类中的filters方法。而所有的XXController.php又继承自Controller.php,显然都可以定义authlessActions()方法覆盖父类中相应方法。
public function filterAccessAuth($filterChain) {
if(Yii::app()->user->getIsGuest() && !in_array($this->getAction()->getId(), $this->authlessActions())) {
Yii::app()->user->setFlash("info", "请先登录");
Yii::app()->user->loginRequired(); //封装了Yii::app()->user->loginUrl
}
elseif(!in_array($this->getAction()->getId(), $this->authlessActions()) && $this->current_user && $this->current_user->isPasswordExpired()) {
$this->user->setFlash('error', "你的密码已经过期,超过: " . Yii::app()->params['user_pwd_max_expire_day'] . "天没有修改,请修改密码");
$this->redirect($this->createUrl("/account/profile"));
}
if(!in_array($this->getAction()->getId(), $this->authlessActions()) && $this->current_user && $this->current_user->hi_id == NULL) {
$target_url = $this->createUrl('account/profile');
$this->user->setFlash('info', "你还没有设置Hi,请尽快到" . "<a href=\"$target_url\"> 账号设置 </a>" . "添加!");
}
$filterChain->run();
}
public function filters() {
return array(
'accessAuth',
);
}
public function authlessActions() {
return array();
}
批注1:yii中使用filter规则。
For method-based filters, a method named 'filterXYZ($filterChain)' in the controller class will be executed, where 'XYZ' stands for the filter name as specified in filters(). Note, inside the filter method, you must call $filterChain->run() if the action should be executed. Otherwise, the filtering process would stop at this filter.
批注2:另一种用法(隐式用法)
在1.1.7中,public function filters() {
return array(
'accessControl',
);
}
也即accessControl对应下面这个方法
public void filterAccessControl(CFilterChain $filterChain)
The filter method for 'accessControl' filter. The filter method for 'accessControl' filter. This filter is a wrapper of CAccessControlFilter. To use this filter, you must override accessRules method.
class PostController extends CController
{
......
public function accessRules()
{
return array(
rray('deny',
'actions'=>array('create', 'edit'),
'users'=>array('?'),
),
array('allow',
'actions'=>array('delete'),
'roles'=>array('admin'),
),
array('deny',
'actions'=>array('delete'),
'users'=>array('*'),
),
);
}
}
所以不难看出filter至少有两种类型,一种是accessAuth,另一种是accessControl。
批注3:当用户访问index.php?r=site/login
首先,映射到SiteController.php中
而在SiteController.php中,覆盖了Controller.php的public function authlessActions()方法,不再是空数组,
而是return array('login', 'logout', 'error', 'page', 'bashJs');
批注4:在actionLogin方法里
if(isset($_POST['LoginForm']))
{
$model->attributes=$_POST['LoginForm'];
// validate user input and redirect to the previous page if valid
if($model->validate() && $model->login()) {
//初始化前,先初始化父类Controller.php的成员变量和成员函数。
$this->init();
// 检查上次密码修改时间
if($this->current_user->isPasswordExpired()) {
$this->user->setFlash('error', "密码已经" . Yii::app()->params['user_pwd_max_expire_day'] . "天没有修改过了,请修改密码");
$this->redirect($this->createUrl("/account/profile"));
}
// 检查有没有设置Hi
if($this->current_user->hi_id == NULL) {
$target_url = $this->createUrl('account/profile');
$this->user->setFlash('info', "你还没有设置Hi,请尽快到"."<a href=\"$target_url\"> 账号设置 </a>"."添加!");
}
$this->redirect(Yii::app()->user->returnUrl);
}
}
根据最前面的方法in_array($this->getAction()->getId(), $this->authlessActions())可以判断该action是否在不用授权数组中。
注:查看当前controller和action的ID,是Yii::app()->controller->id;和$this->getAction()->getId();
其中,$this->getAction()是一个很大的对象,$this->getAction()->getId()是login。
批注5:关于未登录前,应该走下面这个逻辑
if(Yii::app()->user->getIsGuest() && !in_array($this->getAction()->getId(), $this->authlessActions())) {
Yii::app()->user->setFlash("info", "请先登录");
Yii::app()->user->loginRequired(); //封装了Yii::app()->user->loginUrl
}
根据yii框架实现机制,发现Yii::app()->user->loginRequired()封装了Yii::app()->user->loginUrl。
即注释掉改行后,project/不会自动跳转到project/index.php?r=site/login页面。
最后,如果用户登陆成功后,用户跳转到site/index,而其定义为outsource/index,当OutsourceController.php执行时,又一次执行Controller.php,此时的authlessActions数组为空,则in_array()为false,取反为true。执行检查上次修改密码超过30天和是否已添加Hi。