I'm creating an application using the Yii2 framework. The application contains role & permission kind of logic so I moved the session to the database level. My basic configuration is as below.
'session' => [
'class' => 'yii\web\DbSession',
'sessionTable' => 'user_session',
'writeCallback' => function($session){
return [
'user_id' => Yii::$app->user->id,
'last_write' => (new \yii\db\Expression('NOW()'))
];
}
]
In the user_session table, each user's session is saved. My question is how can I modify/update particular user's session. I have a user id and from that, I can retrieve its session data. But can't modify it (I don't know how can I).
I tried readSession() method, but the data is in serialized form (I guess).
__flash|a:0:{}id|s:26:"ajmj0p5r5gjub1d7cajf42n7v1";expire|s:10:"1508852343";data|s:1932....
How can I modify these data so the user may have new permission data if updated by the Admin user?
Related
Hi I want to ask how can I make login function that if I login in frontend the user also login in the backend in Yii2
I have tried to make session from frontend but at the backend, the session can't get.
In backend/config/main add :
'components' => [
'session' => [
// this is the name of the session cookie used for login on the backend
'name' => 'test',
],
]
name must be same with session name in the frontend
We are working on a project where are 4 roles. But in cakephp 3.x Auth component holds authenticate user data in session with Auth.User indexing using
$this->Auth->setUser($user);
Due to this we are not able to access front-end user account from admin panel for some purpose, because of when we login to front-end user from admin panel, front-end login action performs and over write of session value.
So if there is any process to handle this please suggest us.
Thank you in advance.
As well I have understood that you are not using prefix to manage back-end and front-end user then may be you worked with separate folder structure for back-end, May I right?
You are right that $this->Auth->setUser($user); always holds session with Auth.User indexing. So you need to write different session indexing for back-end, and you can do it as follow :
For back-end user authentication :
**
$this->loadComponent('Auth', [
'authorize' => ['Controller'], // Added this line
'loginRedirect' => [
'controller' => 'Users',
'action' => 'dashboard',
'prefix' => 'admin_panel'
],
'logoutRedirect' => [
'controller' => 'Users',
'action' => 'login',
'prefix' => 'admin_panel'
],
'storage' => [
'className' => 'Session',
'key' => 'Auth.Admin',
]
]);
**
Here you can pass your desired index in 'storage' array key value.
I think it'll works for you.
Check out the section Authentication and Authorization in this curated list of CakePHP Plugins.
You could, for example, use dereuromarks TinyAuth Plugin to authorize your users and configure what they are able to see.
This way you can use the same authentication (be aware of the differences between Authentication and Authorization) and the same users table, which will prevent the Session conflict you mentioned.
The Auth component overwrite the previous session because it store the session in Auth.users all the time so we have to change the session key for different role.
If you are using URL prefix for the different roles to access then you can do like this.
AppController.php
public function beforeFilter(Event $event)
{
if($this->request->params['prefix']){
$this->Auth->config('storage', [
'key'=>'Auth.'.$this->request->params['prefix'],
'className'=>'Session'
]);
}
return parent::beforeFilter($event); // TODO: Change the autogenerated stub
}
This will create different roles in Auth as you required.
The session will be like this
[
'Auth'=>[
'User'=>['id'=>''],
'Admin'=>['id'=>''],
]
]
Tested it, working great for me.
How can I get currently online user data with all the parameters from the database? Right now I get it's ID by using this:
echo Yii::$app->user->getId();
Can I reach other data somehow or do I have to create a function which gets all the information by the user ID?
You can access to all the identity values in this way
this for username
Yii::$app->user->identity->username
check for your User models for others attributes
http://www.yiiframework.com/doc-2.0/guide-security-authentication.html
http://www.yiiframework.com/doc-2.0/yii-web-identityinterface.html
http://www.yiiframework.com/doc-2.0/yii-web-user.html
(and your User model of course)
You can access the model of the currently logged in user with:
$user = Yii::$app->user->identity;
This will return either null (if the user is not logged in) or an instance of the identityClass you defined for the user component in your config. Ex:
'user' => [
'identityClass' => 'app\models\User',
'enableAutoLogin' => true,
],
So you can use it like any other model class and access it's attributes and/or methods. Just make sure you configure correctly the user component and the identityClass exists and can be accessed.
current user is:
Yii::$app->user->identity
it can be null, so check it before accessing fields
I've been developing web apps using Yii 1.1.14 so far, but now it's time for an upgrade.
The company where I work has developed its own Access Control system, and I was really OK with it until I saw what it was really like... A combination of 8 tables in the database (not counting the users table), with a bunch of foreign keys.
1 table for controllers
1 table for the actions
1 table for the menu categories
1 table for types of users
And the other tables basically just connect 2 or 3 of those tables at a time.
It works well, but in my point of view it's highly time consuming to maintain all those tables, and at some point, when your application goes online, if it hits a certain amount of users it could get really slow. specially because 2 of those tables have the user's table primary key as foreign key.
So I've decided that, when I start developing on Yii 2, I'm going to start using RBAC, so I started looking for tutorials online... Only finding many different versions of the same code with author's role, and permissions for create or update posts.
I found a combination of 5 videos on Youtube, but they are about Yii 1 RBAC. They were helpful because I managed to understand most of RBAC's functionality, but I still have some doubts that I'll
enumerate below. And keep in mind that for this Access Control system I'm using the DBManager class.
My Doubts
Yii 1's RBAC used to have 3 tables: auth_assignment, auth_item and auth_item_child. Now in Yii 2 RBAC, a new table appears that is called auth_rule and I still don't understand what that specific table is doing there, how to use it or how to populate it.
I see that it's possible to restrict the user's access to some actions by using the controller's behavior method, and assigning access to some actions depending on the user's role, but when it comes to this I have to split my question into 2:
2.1. First: If you can just restrict the access to actions by setting it up in the behaviors method, then what's the use of saving permissions to the auth_item table?
2.2. Second: If you DO decide to control access according to permissions, then how exactly do you do it, because I find myself writing the following type of code inside of every function and I don't think using RBAC is supposed to be this tedious. There has to be another way.
public function actionView($id)
{
if(Yii::$app->user->can('view-users')){
return $this->render('view', [
'model' => $this->findModel($id),
]);
}else{
#Redirect to a custom made action that will show a view
#with a custom error message
$this->redirect(['//site/notauthorized']);
}
}
Because of the Access Control System that we use right now, when a user logs in, a complex query is executed that will end up returning an array that will be saved as a session variable, and will be used to create a menu with as many dropdownlists as menu categories, that the controllers that the user has access to belong to. How can this be done with RBAC?
I can only really answer 2.2 of your question, as 3 doesn't sound at all like something an RBAC should do. You could, however, get the information you needed from the rules table most likely, provided you followed a naming convention that matched your controllers or actions.
On to answering 2.2 though:
You can simply set the behavior like such:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'allow' => true,
'actions' => ['view'],
'roles' => ['view-users'], //<-- Note, rule instead of role
],
]
]
}
This doesn't solve a different problem of 'view-own-users' style permissions, as this needs to inspect the ActiveRecord model (well, at least it does in my application). If You want to achieve this, take a look at my post in the Yii forums here:
http://www.yiiframework.com/forum/index.php/topic/60439-yii2-rbac-permissions-in-controller-behaviors/#entry269913
I use it in one of the simplest method,I use them in the behaviours of my controller.
public function behaviors()
{
return [
'access' => [
'class' => \yii\filters\AccessControl::className(),
'rules' => [
[
'allow' => true,
'roles' => ['sysadmin'],
'actions' => ['index','view','update'],
],
[
'allow' => true,
'roles' => ['staff'],
'actions' => ['index','create','update','view'],
],
],
],
];
}
Here roles are the one created in the auth-item table in the database and they have been assigned for users in auth-assignment table. In the behaviours we just use it as above. In the above code sysadmin can have access to index, view and update action, whereas staff can have access to index,create, update and view action.
Yii2 needs a little setup when it comes to using RBAC under your controllers AccessControl. I got around it by making my own AccessRule file.
namespace app\components;
use Yii;
class AccessRule extends \yii\filters\AccessRule
{
protected function matchRole($user)
{
if (empty($this->roles)) {
return true;
}
foreach ($this->roles as $role) {
if(Yii::$app->authManager->checkAccess($user->identity->code, $role))
return true;
}
return false;
}
then in your controller u can use something like this:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'ruleConfig' => [
'class' => 'app\components\AccessRule'
],
'rules' => [
[
'actions' => ['index', 'resource-type'],
'allow'=> true,
'roles' => ['admin'],
],
],
],
];
}
Where admin is defined as a auth_item and the user is in the auth_item_assignments.
As I have created a new Rbac system for yii2. you can direct permission for a action and action will show you are not authorisez for this action.
By this you find that you will only provide access for action that need to identify.
I uploaded my detail here you can find lot of solution here.
This is the best solution i could come up with when facing the need to filter access by permissions, it's bothersome but can be useful if you're trying to create roles in a productive enviroment and want to use rbac.
use yii\web\ForbiddenHttpException;
if(Yii::$app->user->can('view-users')){
return $this->render('view', [
'model' => $this->findModel($id),
]);
}else{
throw new ForbiddenHttpException('You dont have access to this site');
}
Currently after login Lithium stores in session and cookies all rows from users table like password, hash etc. How to remove (don't allow to store) some of the information like password and hash?
The Session class stores what you tell it to! After Auth::check is done, you should only store the session identifier and/or absolutely necessary data in the cookie. Also make sure to use the Encryption provided by lithium (AES) out of the box.
For more detailed help, please post your login controller and all appropriate model/filters.
Passing options to Auth::check will get passed down to the adapter as well (plus some extras) -- for this I'm assuming you're using the Form adapter for the Auth class.
Try doing this when you perform your check: Auth::check('config', $data, array('fields' => array('fields', 'you', 'want'))
The key here is that array we tacked on the end with the fields key in it, this will be passed down to the Form adapter which takes in those options and uses them to query your model for a matching user. By telling it explicitly which fields to return, it will only pass those back to the Auth class for storing away.
Since this commit you can pass an option 'persist' => array('field1','..') to Auth::check, or set them as default in your bootstrap session config, to store only specified fields.
So either you set this in your bootstrap/session.php
Auth::config(array(
'user' => array(
'adapter' => 'Form',
'session' => array(
'persist' => array('_id','username')
),
'model' => 'Users'
)
));
or you define the fields, when calling Auth::check() - this will override everything from the config above!
Auth::check('user', $this->request, array(
'persist' => array('username','email')
))
Note: If not defined explicitly the password is never stored by default.