如何隐藏其他用户的管理员帐户

时间:2018-03-07 05:27:27

标签: yii2 yii2-advanced-app access-control yii2-user yii2-user-roles

我正在研究yii2。我有一些user roles。管理员拥有所有级别的访问权限。其他用户访问权限较低。有一个用户列表,其他用户可以看到。在此列表中,可以使用系统中用户的所有详细信息。现在,我想隐藏其他用户的一些用户信息。我要隐藏的角色是1,6,7,8,我要隐藏的角色是5。除了提到的用户角色之外,5应该可以看到。为此,我更新了索引控制器。 

 $searchModel = new UserSearch();

    $queryParams=Yii::$app->request->queryParams;
    //check if user or one of the managers
    $isAdmin=in_array(Yii::$app->user->identity->user_role,[1]);

    //set params if normal user
    if(!$isAdmin){
        $queryParams['UserSearch']['user_role']=in_array(Yii::$app->user->identity->user_role,[2,3,4,5]);
    }

    $dataProvider = $searchModel->search($queryParams);

    return $this->render('index', [
        'searchModel' => $searchModel,
        'dataProvider' => $dataProvider
    ]);

现在,在运行我的项目时,我只看到了管理员用户。在$queryParams['UserSearch']['user_role']=中,我尝试传递用户角色5的单个值,但它确实只显示5个角色用户。但我想向用户显示角色2,3,4,5

更新1

我的搜索模型

class UserSearch extends User
{
/**
 * @inheritdoc
 */
public function rules()
{
    return [
        [['id','group_id'], 'integer'],
        [['email','username', 'name','contact_number','group_id','user_role'], 'safe'],
    ];
}

/**
 * @inheritdoc
 */
public function scenarios()
{
    // bypass scenarios() implementation in the parent class
    return Model::scenarios();
}

/**
 * Creates data provider instance with search query applied
 *
 * @param array $params
 *
 * @return ActiveDataProvider
 */
public function search($params)
{
    $query = User::find();

    // add conditions that should always apply here

    $dataProvider = new ActiveDataProvider([
        'query' => $query,
    ]);

    $this->load($params);

    if (!$this->validate()) {
        // uncomment the following line if you do not want to return any records when validation fails
        // $query->where('0=1');
        return $dataProvider;
    }

    // grid filtering conditions
    $query->andFilterWhere([
        'id' => $this->id,
        'status' => $this->status,
    ]);

    $query->andFilterWhere(['like', 'id', $this->id])
        ->andFilterWhere(['like', 'name', $this->name])
        ->andFilterWhere(['like', 'username', $this->username])
        ->andFilterWhere(['like', 'email', $this->email])
        ->andFilterWhere(['like', 'contact_number', $this->contact_number])
        ->andFilterWhere(['=', 'user_role', $this->user_role])
        ->andFilterWhere(['=', 'group_id', $this->group_id]);


   // $query->andFilterWhere(['=','user_type','user']);
    if(Yii::$app->user->identity->user_role == Roles::ROLE_TEAM_LEAD && Yii::$app->user->identity->group_id != ''){
        $query->andFilterWhere(['=','group_id', Yii::$app->user->identity->group_id])->andWhere('user_role=4');
    }
    //$query->andFilterWhere(['!=', 'id', Yii::$app->user->id]);

    return $dataProvider;
}
 }

任何帮助都将受到高度赞赏。

3 个答案:

答案 0 :(得分:2)

更改行

$queryParams['UserSearch']['user_role']=in_array(Yii::$app->user->identity->user_role,[2,3,4,5]);


$queryParams['UserSearch']['user_role']=in_array(Yii::$app->user->identity->user_role,[2,3,4,5])?[1,6,7,8]:'';

并在搜索模型中更改条件

->andFilterWhere(['=', 'user_role', $this->user_role])


->andFilterWhere(['NOT IN', 'user_role', $this->user_role])

所以您的search()方法看起来像

public function search( $params ) {
    $query = User::find ();

    // add conditions that should always apply here

    $dataProvider = new ActiveDataProvider ( [
        'query' => $query ,
    ] );

    $this->load ( $params );

    if ( !$this->validate () ) {
        // uncomment the following line if you do not want to return any records when validation fails
        // $query->where('0=1');
        return $dataProvider;
    }

    // grid filtering conditions
    $query->andFilterWhere ( [
        'id' => $this->id ,
        'status' => $this->status ,
    ] );

    $query->andFilterWhere ( [ 'like' , 'id' , $this->id ] )
            ->andFilterWhere ( [ 'like' , 'name' , $this->name ] )
            ->andFilterWhere ( [ 'like' , 'username' , $this->username ] )
            ->andFilterWhere ( [ 'like' , 'email' , $this->email ] )
            ->andFilterWhere ( [ 'like' , 'contact_number' , $this->contact_number ] )
            ->andFilterWhere ( [ 'NOT IN' , 'user_role' , $this->user_role ] )
            ->andFilterWhere ( [ '=' , 'group_id' , $this->group_id ] );


    // $query->andFilterWhere(['=','user_type','user']);
    if ( Yii::$app->user->identity->user_role == Roles::ROLE_TEAM_LEAD && Yii::$app->user->identity->group_id != '' ) {
        $query->andFilterWhere ( [ '=' , 'group_id' , Yii::$app->user->identity->group_id ] )->andWhere ( 'user_role=4' );
    }
    //$query->andFilterWhere(['!=', 'id', Yii::$app->user->id]);

    return $dataProvider;
}

答案 1 :(得分:1)

如果所有搜索过的模型项都应该隐藏/显示安全信息,您可以向search()函数添加第二个选项,该选项将显示查询构建中的隐藏安全信息。例如:

    $searchModel = new UserSearch();
    $dataProvider = $searchModel->search(Yii::$app->request->queryParams,
        Yii::$app->user->identity->user_role === User::ADMIN_ROLE);

    return $this->render('index', [
        'searchModel' => $searchModel,
        'dataProvider' => $dataProvider,
    ]);

或者您可以在控制器中添加查询条件:

    $searchModel = new UserSearch();
    $dataProvider = $searchModel->search(Yii::$app->request->queryParams);

    if(Yii::$app->user->identity->user_role === User::ADMIN_ROLE) {
        $dataProvider->query->andWhere(/* come condition*/);
    }

    return $this->render('index', [
        'searchModel' => $searchModel,
        'dataProvider' => $dataProvider,
    ]);

如果您的项目将在其他代码位置使用访问控制,强烈建议您使用默认Yii2配置中包含的Role Based Access Control (RBAC)。使用此未来,您只需检查用户权限,而无需在user表中添加其他列。它可能看起来像这样:

    $searchModel = new UserSearch();
    $dataProvider = $searchModel->search(Yii::$app->request->queryParams);

    if(Yii::$app->user->can(Roles::USER_VIEW_PRIVATE_INFO)) {
        $dataProvider->query->andWhere(/* come condition*/);
    }

    return $this->render('index', [
        'searchModel' => $searchModel,
        'dataProvider' => $dataProvider,
    ]);

答案 2 :(得分:1)

为什么要使用控制器更改index视图?我可以看到,在您的搜索课程中已经检查了user role

 if(Yii::$app->user->identity->user_role == Roles::ROLE_TEAM_LEAD && Yii::$app->user->identity->group_id != ''){
        $query->andFilterWhere(['=','group_id', Yii::$app->user->identity->group_id])->andWhere('user_role=4');
    }

之后你可以添加

if(Yii::$app->user->identity->user_role == Roles::ROLE_INVENTORY_MANAGEMENT && Yii::$app->user->identity->group_id =='')
    {
        $query->andFilterWhere(['=','group_id', Yii::$app->user->identity->group_id])->andWhere('user_role IN (2,3,4,5)');
    }

所以你的最终代码就像这样

if(Yii::$app->user->identity->user_role == Roles::ROLE_TEAM_LEAD && Yii::$app->user->identity->group_id != ''){
        $query->andFilterWhere(['=','group_id', Yii::$app->user->identity->group_id])->andWhere('user_role=4');
    }
    else if(Yii::$app->user->identity->user_role == Roles::ROLE_INVENTORY_MANAGEMENT && Yii::$app->user->identity->group_id =='')
    {
        $query->andFilterWhere(['=','group_id', Yii::$app->user->identity->group_id])->andWhere('user_role IN (2,3,4,5)');
    }

我希望这也适用于您的过滤器:)

相关问题
最新问题