Magento 2 Admin ACL (Access Control List) rules define which resources a back-end user may access. An administrator creates roles, assigns resources to each role and assigns roles to back-end users, and in this way controls what each user can see and do in the admin. This article explains how the ACL works and how to add ACL resources to your own module.
acl.xml declares the resources that protect both admin controller actions and web API routes (the <resources> element of a webapi.xml route refers to the same resource ids).
In the admin, go to System > Permissions > User Roles.
Click Add New Role, or open an existing role, to reach the Role Resources tab with its resource tree.
A back-end user can only access the resources granted to their role; anything not granted is not even visible to them.
Creating an ACL rule
This builds on the ThankIT_HelloWorld module from the earlier articles.
File:app/code/ThankIT/HelloWorld/etc/acl.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="ThankIT_HelloWorld::helloworld" title="Hello World" sortOrder="51">
                    <resource id="ThankIT_HelloWorld::post" title="Posts" sortOrder="10"/>
                    <resource id="ThankIT_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99"/>
                </resource>
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="ThankIT_HelloWorld::hello_configuration" title="Hello World"/>
                        </resource>
                    </resource>
                </resource>
            </resource>
        </resources>
    </acl>
</config>
Our resources are placed as children of Magento_Backend::admin. Each resource has an id, a title and a sortOrder attribute:
- id identifies the resource. Use it when referencing the resource from the admin menu (menu.xml), from system configuration (system.xml) and when restricting access to your module's controllers. It must be a unique string in the form Vendor_ModuleName::resource_name.
- title is the label shown for the resource in the role resource tree.
- sortOrder defines the position of the resource among its siblings in the tree.
After flushing the cache (bin/magento cache:flush), the role resource tree shows the new entries, one under Hello World and one under Stores > Settings > Configuration:
Verification
The system.xml from the earlier article already references one of these resources:
File:app/code/ThankIT/HelloWorld/etc/adminhtml/system.xml
<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
    ….
    <resource>ThankIT_HelloWorld::hello_configuration</resource>
    ….
</section>
Create a back-end user named test and a role named test, and in the role's resource tree tick only the Hello World entry under Stores (the second one, not the top-level one). Log in as test: the Hello World section is now reachable under Configuration. If the resource is not ticked, the section is not visible at all.
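The manual check above can be automated. The following is an added integration test, not code from the original article or from the ThankIT module, written against Magento's integration test framework (dev/tests/integration). It assumes the Posts controller is reachable at the admin route helloworld/post/index and is protected by the ThankIT_HelloWorld::post resource; the route front name is an assumption, so adjust $uri if the module's routes.xml uses a different one.

```php
<?php
declare(strict_types=1);

namespace ThankIT\HelloWorld\Test\Integration\Controller\Adminhtml\Post;

use Magento\Framework\Acl\Builder as AclBuilder;
use Magento\TestFramework\TestCase\AbstractBackendController;

/**
 * Automates the role check from the article: with the resource denied the
 * action must answer 403, with it allowed it must not.
 *
 * AbstractBackendController already ships testAclHasAccess() and
 * testAclNoAccess(), which are driven by the three properties below; the two
 * explicit methods spell out what those inherited tests do.
 *
 * @magentoAppArea adminhtml
 */
class IndexTest extends AbstractBackendController
{
    /** Admin URL of the action under test (assumed route, see lead-in). */
    protected $uri = 'backend/helloworld/post/index';

    /** ACL resource id declared in etc/acl.xml. */
    protected $resource = 'ThankIT_HelloWorld::post';

    /** Admin actions must be dispatched with the HTTP method they accept. */
    protected $httpMethod = 'GET';

    /**
     * Deny the resource for every role in the in-memory ACL, then dispatch:
     * _isAllowed() in the controller must now fail and produce a 403.
     */
    public function testDeniedResourceIsForbidden(): void
    {
        $this->_objectManager->get(AclBuilder::class)
            ->getAcl()
            ->deny(null, $this->resource);

        $this->getRequest()->setMethod($this->httpMethod);
        $this->dispatch($this->uri);

        $this->assertSame(403, $this->getResponse()->getHttpResponseCode());
    }

    /**
     * The framework's default admin session belongs to an administrator who
     * holds every resource, so the same request must not be rejected.
     */
    public function testAllowedResourceIsReachable(): void
    {
        $this->getRequest()->setMethod($this->httpMethod);
        $this->dispatch($this->uri);

        $code = $this->getResponse()->getHttpResponseCode();
        $this->assertNotSame(403, $code, 'action must not be forbidden');
        $this->assertNotSame(404, $code, 'route must exist (check the assumed URI)');
    }
}
```

Run it with the integration test runner (vendor/bin/phpunit from dev/tests/integration with the module's test directory in the suite); a 404 in the second test means the assumed route, not the ACL, is wrong.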
Checking permissions in an admin controller
An admin controller checks permissions by overriding _isAllowed().
For example, File: vendor/magento/module-customer/Controller/Adminhtml/Index.php
protected function _isAllowed()
{
return $this->_authorization->isAllowed('Magento_Customer::manage');
}
An admin controller extends \Magento\Backend\App\Action, which in turn extends \Magento\Backend\App\AbstractAction, so $this->_authorization can be traced back to Magento\Framework\AuthorizationInterface. The base implementation checks the ADMIN_RESOURCE constant, which defaults to Magento_Backend::admin. Note that every custom role is granted Magento_Backend::admin when it is saved, so a controller that overrides neither ADMIN_RESOURCE nor _isAllowed() is reachable by any back-end user; always point ADMIN_RESOURCE at your module's own resource id.
File:Magento\Backend\App\AbstractAction.php
const ADMIN_RESOURCE = 'Magento_Backend::admin';
/**
* @return bool
*/
protected function _isAllowed()
{
return $this->_authorization->isAllowed(static::ADMIN_RESOURCE);
}
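An added example, not code from the original article, of a ThankIT_HelloWorld controller that applies this mechanism to the ThankIT_HelloWorld::post resource declared in acl.xml. The namespace and the menu item id are assumptions; the only line the ACL depends on is the ADMIN_RESOURCE constant.

```php
<?php
declare(strict_types=1);

namespace ThankIT\HelloWorld\Controller\Adminhtml\Post;

use Magento\Backend\App\Action;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

/**
 * Admin action for the Posts grid of the example module (assumed route:
 * helloworld/post/index).
 *
 * No _isAllowed() override is needed: AbstractAction::_isAllowed() calls
 * $this->_authorization->isAllowed(static::ADMIN_RESOURCE), and late static
 * binding resolves the constant on this class rather than on AbstractAction.
 */
class Index extends Action implements HttpGetActionInterface
{
    /**
     * Resource id declared in etc/acl.xml. Without this override the action
     * would inherit 'Magento_Backend::admin', which every custom role is
     * granted on save, and so would be open to any back-end user.
     */
    const ADMIN_RESOURCE = 'ThankIT_HelloWorld::post';

    public function execute(): ResultInterface
    {
        /** @var \Magento\Backend\Model\View\Result\Page $resultPage */
        $resultPage = $this->resultFactory->create(ResultFactory::TYPE_PAGE);
        // Highlight the menu item that was declared with the same resource id
        // (assumed menu.xml item id).
        $resultPage->setActiveMenu('ThankIT_HelloWorld::post');
        $resultPage->getConfig()->getTitle()->prepend(__('Posts'));

        return $resultPage;
    }
}
```

A Save or Delete action in the same module would set its own ADMIN_RESOURCE in the same way; if finer control is wanted, declare separate child resources (for example a delete resource under ThankIT_HelloWorld::post) in acl.xml and reference one per action.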
static:: versus self::
AbstractAction uses static::ADMIN_RESOURCE rather than self::ADMIN_RESOURCE. With late static binding, static:: resolves the constant on the class that was actually instantiated, so a subclass only has to redefine ADMIN_RESOURCE to change which resource _isAllowed() checks; self:: would always resolve to the value declared in AbstractAction. A minimal illustration of the difference:
<?php
class A
{
    const ADMIN_RESOURCE = 'Magento_Backend::admin';

    public function getResource()
    {
        echo static::ADMIN_RESOURCE; // resolved on the runtime class (late static binding)
        echo self::ADMIN_RESOURCE;   // always resolved on A
    }
}

class B extends A
{
    const ADMIN_RESOURCE = 'B';
}

$b = new B();
$b->getResource();
// prints B
// prints Magento_Backend::admin
References
Magento 2 Admin ACL Access Control Lists
How does Magento2 Access Control List work?
Magento 2: Understanding Access Control List Rules