Using Casbin as permission control middleware in thinkphp

PHP-Casbin is a powerful and efficient open source access control framework that supports permission management based on various access control models.

Think-Casbin is a Casbin extension package specially customized for ThinkPHP5.1, making it easier for developers to use Casbin in thinkphp projects.

Installation

Create thinkphp project (if not available):

composer create-project topthink/think=5.1.* tp5

In the ThinkPHP project, install the Think-Casbin extension:

composer require casbin/think-adapter

Publish resources:

php think casbin:publish

This will automatically create the model configuration file config/casbin-basic-model.conf, and the Casbin configuration file config/casbin.php.

Data migration:

Because Think-Casbin stores Casbin’s policy (Policy) in the database by default, the database table information needs to be initialized.

Before execution, please ensure that the database connection information is configured correctly. If you need to modify Casbin's database connection information or table name separately, you can modify the configuration in config/casbin.php.

php think casbin:migrate

This will automatically create Casbin's policy table casbin_rule.

Middleware

ThinkPHP Starting from version 5.1.6, middleware support is officially introduced.

You can quickly generate middleware through command line instructions

php think make:middleware Authorization

This instruction will generate an Authorization middleware under the application/http/middleware directory.

In the middleware, get the current user name, URI, request method, and verify permissions through Casbin:

<?php

namespace app\http\middleware;

use Casbin;
use think\facade\Session;

class Authorization
{
    public function handle($request, \Closure $next)
    {
        // 当前登录用户名，这里以session为例
        // $user = Session::get(&#39;user_name&#39;) ?: &#39;test_user&#39;;
        $user = Session::get(&#39;user_name&#39;);

        $url = $request->url();
        $action = $request->method();

        if (!$user){
            return response()->data(&#39;Unauthenticated.&#39;)->code(401);
        }

        if (!Casbin::enforce($user, $url, $action)) {
            return response()->data(&#39;Unauthorized.&#39;)->code(403);
        }

        return $next($request);
    }
}

Casbin Model configuration

config\ casbin-basic-model.conf Configuration file:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && keyMatch2(r.obj, p.obj) && r.act == p.act

Verification

Before performing authorization, add some default policies to the database casbin_rule table:

Add routing and its middleware:

Route::group('users', function () {
    
    Route::get('', function () {
        return 'Users data.';
    });

    Route::get('/:id', function ($id) {
        return 'User: '.$id;
    });

})->middleware(\app\http\middleware\Authorization::class);

First log in to the user and save the user name to SESSION. You can visit /users, /users/1 to verify the permissions.

Recommended tutorial: "TP5"

The above is the detailed content of Using Casbin as permission control middleware in thinkphp. For more information, please follow other related articles on the PHP Chinese website!