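I'm using the access control filter (ACF) for access management, but there is one thing I can't get done: for example, how can I allow the project manager to update a project and forbid everyone else? I tried it via matchCallback, but in that case every project manager can update any project, because TRUE is returned.
A similar, more commonly needed rule: how do I allow a user to update/delete a post he is the author of, using ACF?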
```php
'access' => [
    'class' => AccessControl::className(),
    'only' => ['index', 'view', 'create', 'update', 'delete'],
    'rules' => [
        [
            'actions' => ['update'],
            'allow' => true,
            'roles' => ['@'],
            'matchCallback' => function ($rule, $action) {
                return Yii::$app->user->identity->getProjectParticipants()
                    ->one()->isManager(Yii::$app->user->identity->id);
            }
        ],
    ],
],
```
It can be implemented as follows:
```php
use Yii;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;

class MyController extends Controller
{
    // ...

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['update'],
                'rules' => [
                    [
                        'actions' => ['update'],
                        'allow' => true,
                        'matchCallback' => function ($rule, $action) {
                            // Allow admins, or the author of the requested record
                            if (Yii::$app->user->can('admin') || $this->isUserAuthor()) {
                                return true;
                            }
                            return false;
                        }
                    ],
                ],
            ],
        ];
    }

    protected function findModel($id)
    {
        if (($model = MyModel::findOne($id)) !== null) {
            return $model;
        } else {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
    }

    // Compares the author of the record named by the "id" GET parameter with the current user
    protected function isUserAuthor()
    {
        return $this->findModel(Yii::$app->request->get('id'))->author->id == Yii::$app->user->id;
    }

    // ...
}
```
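The per-project manager case from the question, sketched as an added example (not code from the question or the answer above). The `Project` and `ProjectParticipant` models and the `project_id`, `user_id` and `is_manager` columns are assumptions; the callback resolves the requested `id` and checks the current user against that one project instead of against any project the user participates in.

```php
<?php
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\Project;            // assumed ActiveRecord model
use app\models\ProjectParticipant; // assumed columns: project_id, user_id, is_manager

class ProjectController extends Controller
{
    public function behaviors()
    {
        return ['access' => [
            'class' => AccessControl::className(),
            'only' => ['update'],
            'rules' => [[
                'actions' => ['update'],
                'allow' => true,
                'roles' => ['@'],
                // Decide per record: does this user manage *this* project?
                'matchCallback' => function ($rule, $action) {
                    return $this->isManagerOf(Yii::$app->request->get('id'));
                },
            ]],
        ]];
    }
    protected function isManagerOf($projectId)
    {
        // A missing or array-valued id never matches.
        if (!is_string($projectId) || !ctype_digit($projectId)) {
            return false;
        }
        return ProjectParticipant::find()->where([
            'project_id' => (int) $projectId,
            'user_id' => Yii::$app->user->id,
            'is_manager' => 1,
        ])->exists();
    }
    public function actionUpdate($id) // same GET id the callback checked
    {
        if (($project = Project::findOne((int) $id)) === null) {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        $project->load(Yii::$app->request->post()) && $project->save();
        return $this->render('update', ['model' => $project]);
    }
}
```

A logged-in user who is not a manager of the requested project gets a 403 from the filter before `actionUpdate` runs, and the same happens for an id with no matching participant row.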