Yii Access Control

Role-based access control (authorization by role) is a common requirement in web applications, and Yii provides built-in support for implementing it. Here’s an example of role-based access control in Yii:

Define Roles:

First, you need to define the roles in your application. This can be done by creating a Role model and populating it with the available roles. For example:

class Role extends \yii\db\ActiveRecord
{
    const ROLE_ADMIN = 'admin';
    const ROLE_USER = 'user';
    // Other roles...

    public static function tableName()
    {
        return 'roles';
    }
}

In this example, the Role model extends yii\db\ActiveRecord and defines two constants for the available roles: ROLE_ADMIN and ROLE_USER. You can add more roles as needed.

Assign Roles to Users:

Next, you need to associate roles with the users in your system. This can be done using a junction table that maps users to roles. For example:

class User extends \yii\db\ActiveRecord implements \yii\web\IdentityInterface
{
    // ...

    public function getRoles()
    {
        return $this->hasMany(Role::class, ['id' => 'role_id'])
            ->viaTable('user_roles', ['user_id' => 'id']);
    }

    // ...
}

In this example, the User model implements the yii\web\IdentityInterface interface and defines a getRoles() method to retrieve the roles associated with a user. The roles are obtained via the junction table user_roles.

Implement Access Control:

Now, you can implement access control based on roles using Yii’s RBAC (Role-Based Access Control) system. You need to define permissions, roles, and assignments. Here’s an example:

return [
    'components' => [
        // ...
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
        ],
    ],
    'params' => [
        // ...
        'rbac' => [
            'permissions' => [
                'adminPanel' => 'Access the admin panel',
                // Other permissions...
            ],
            'roles' => [
                Role::ROLE_ADMIN => 'Administrator',
                Role::ROLE_USER => 'User',
                // Other roles...
            ],
            'assignments' => [
                Role::ROLE_ADMIN => ['adminPanel'],
                // Assign other permissions to roles...
            ],
        ],
    ],
];

In this example, the RBAC configuration is defined in the application configuration file. It specifies the available permissions (adminPanel) and roles (Administrator, User), as well as the assignments (adminPanel is assigned to the Administrator role). Note that the entries under 'params' are an ordinary parameter array that yii\rbac\DbManager does not read by itself: the permissions, roles and their parent/child links must still be created through the authManager component (typically from a console command or migration) before any access check can succeed.

Applying Access Control:

To enforce role-based access control, you can use Yii’s AccessControl behavior in your controllers. Here’s an example:

class SiteController extends \yii\web\Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => \yii\filters\AccessControl::class,
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['index'],
                        'roles' => [Role::ROLE_USER],
                    ],
                    [
                        'allow' => true,
                        'actions' => ['admin'],
                        'roles' => [Role::ROLE_ADMIN],
                    ],
                ],
            ],
        ];
    }

    public function actionIndex()
    {
        // ...
    }

    public function actionAdmin()
    {
        // ...
    }
}

In this example, the SiteController specifies access control rules using the AccessControl behavior. The index action is accessible to users with the User role, while the admin action is accessible only to users with the Administrator role. Each entry in 'roles' is evaluated with Yii::$app->user->can(), so it is checked against the authManager's assignments, not against the User::getRoles() relation above; a request that matches no rule is rejected with a 403 Forbidden response. Because rules are matched literally, an administrator reaches index only if the admin role has the user role as a child in the RBAC hierarchy.
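The following console command, an added example that is not part of the original post, loads the params['rbac'] array from the configuration above into the authManager and adds the admin-inherits-user link that the controller rules rely on. It assumes the command lives in app\commands, that Role is app\models\Role, and that user id 1 is the first administrator.

```php
<?php
// Added example (not from the original post): a console command that turns the
// params['rbac'] array into real auth items. DbManager only enforces what is in
// its auth_item / auth_item_child / auth_assignment tables, so the config alone
// grants nothing until this has run. Assumes app\commands and app\models\Role.
namespace app\commands;

use app\models\Role;
use Yii;
use yii\console\Controller;
use yii\console\ExitCode;

class RbacController extends Controller
{
    // Run with: php yii rbac/init
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $cfg = Yii::$app->params['rbac'];
        $auth->removeAll(); // clean slate so re-running is idempotent

        // Permissions: the granular checks a controller or view asks for.
        foreach ($cfg['permissions'] as $name => $description) {
            $permission = $auth->createPermission($name);
            $permission->description = $description;
            $auth->add($permission);
        }
        // Roles: named bundles of permissions assigned to users.
        foreach ($cfg['roles'] as $name => $description) {
            $role = $auth->createRole($name);
            $role->description = $description;
            $auth->add($role);
        }
        // Assignments from the config: role name => list of permission names.
        foreach ($cfg['assignments'] as $roleName => $permissionNames) {
            foreach ($permissionNames as $permissionName) {
                $auth->addChild($auth->getRole($roleName), $auth->getPermission($permissionName));
            }
        }
        // Hierarchy: admin inherits user, so the 'index' rule (roles => [user])
        // also admits administrators instead of locking them out.
        $auth->addChild($auth->getRole(Role::ROLE_ADMIN), $auth->getRole(Role::ROLE_USER));
        // Bootstrap one administrator; user id 1 is an assumption for the example.
        $auth->assign($auth->getRole(Role::ROLE_ADMIN), 1);

        return ExitCode::OK;
    }
}
```

After it runs, a controller can guard finer-grained actions with Yii::$app->user->can('adminPanel') rather than checking role names directly.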

These examples showcase the implementation of role-based access control in Yii. Remember to configure the authManager component and create the auth_* tables that yii\rbac\DbManager expects (the framework ships a migration for them: yii migrate --migrationPath=@yii/rbac/migrations), then populate the roles, permissions and assignments before relying on any access check. For a detailed understanding of Yii’s RBAC system, refer to the Yii documentation on RBAC (https://www.yiiframework.com/doc/guide/2.0/en/security-authorization#rbac).

By TheTop5
