{ Hello Magento 2 }

Solving Magento 2 application problems, with an emphasis on digging deep. (ง •̀_•́)ง

Magento 2 Admin ACL Access Control Lists

Magento 2 Admin ACL is used to create access control lists (Access Control List rules). An administrator can create different roles, assign permissions to each role and assign roles to backend users, and in this way control what each backend user may access. This article explains how ACL works and how to add ACL to your own module. acl.xml is used for backend action protection and the web API. In the backend, go to System > Permissions > User Roles; clicking Add New Role or an existing role shows a screen similar to the screenshot below (Role Resources). A backend user can only access the resources granted to his role; anything not granted is not even shown to him.

Creating an ACL rule

This builds on the ThankIT_HelloWorld module from the previous articles. File: app/code/ThankIT/HelloWorld/etc/acl.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="ThankIT_HelloWorld::helloworld" title="Hello World" sortOrder="51">
                    <resource id="ThankIT_HelloWorld::post" title="Posts" sortOrder="10"/>
                    <resource id="ThankIT_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99"/>
                </resource>
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="ThankIT_HelloWorld::hello_configuration" title="Hello World"/>
                        </resource>
                    </resource>
                </resource>
            </resource>
        </resources>
    </acl>
</config>

Our resources are placed as children of Magento_Backend::admin. Each resource has an id, a title and a sortOrder attribute:

  • The id attribute is the identifier of this resource. You use it when you define the resource in the Admin menu, in the configuration, and when limiting access to your module's controllers. It is a unique string and should be in the format Vendor_ModuleName::resource_name.
  • The title attribute is the label of this resource when it is shown in the resource tree.
  • The sortOrder attribute defines the position of this resource in the tree.

After refreshing the cache, the ACL tree now contains the new entries: (screenshot: acl)

Verification

The system.xml from the previous article already contains a reference to this resource: File: app/code/ThankIT/HelloWorld/etc/adminhtml/system.xml

<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
    ….
    <resource>ThankIT_HelloWorld::hello_configuration</resource>
    ….
</section>

Now create a backend user named test and a role named test, and in the role's resources check only the Hello World entry under Stores in the screenshot above (the second one, not the first). Logging in as test, we find that the Hello World section in Configuration is accessible; if that resource is not checked, the section is not shown at all.

Checking permissions in an Admin Controller

An Admin Controller checks permissions by overriding _isAllowed(). For example, File: vendor/magento/module-customer/Controller/Adminhtml/Index.php

protected function _isAllowed()
{
    return $this->_authorization->isAllowed('Magento_Customer::manage');
}

Because an Admin Controller extends \Magento\Backend\App\Action, which in turn extends \Magento\Backend\App\AbstractAction, $this->_authorization can be traced back to a Magento\Framework\AuthorizationInterface. File: Magento\Backend\App\AbstractAction.php

const ADMIN_RESOURCE = 'Magento_Backend::admin';

/**
 * @return bool
 */
protected function _isAllowed()
{
    return $this->_authorization->isAllowed(static::ADMIN_RESOURCE);
}

static:: (late static binding)

<?php
class A
{
    const ADMIN_RESOURCE = 'Magento_Backend::admin';

    public function getResource()
    {
        echo static::ADMIN_RESOURCE, PHP_EOL; // resolved against the class the call was made on (late static binding)
        echo self::ADMIN_RESOURCE, PHP_EOL;   // always resolved against A, where the method is defined
    }
}

class B extends A
{
    const ADMIN_RESOURCE = 'B';
}

$b = new B();
$b->getResource();

// outputs B
// outputs Magento_Backend::admin
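The two mechanisms above combine into the usual pattern for a module controller: instead of overriding _isAllowed(), redefine ADMIN_RESOURCE and let the inherited check resolve it via static::. The following stand-alone PHP 8 script is an added example, not code from the page or from Magento; it models the authorization interface as a constructed set of granted resource ids, mirrors the AbstractAction logic shown above, and contrasts a controller that forgets to set ADMIN_RESOURCE with one bound to ThankIT_HelloWorld::post (the dispatch() method and the role's granted list are constructed for the demonstration).

```php
<?php
// Constructed stand-in for Magento\Framework\AuthorizationInterface:
// a role is modelled as the set of ACL resource ids it was granted.
interface AuthorizationInterface
{
    public function isAllowed(string $resource): bool;
}

final class RoleAuthorization implements AuthorizationInterface
{
    public function __construct(private array $granted) {}

    public function isAllowed(string $resource): bool
    {
        return in_array($resource, $this->granted, true);
    }
}

// Mirrors the relevant part of Magento\Backend\App\AbstractAction shown above.
abstract class AbstractAction
{
    const ADMIN_RESOURCE = 'Magento_Backend::admin';

    public function __construct(protected AuthorizationInterface $_authorization) {}

    protected function _isAllowed(): bool
    {
        // Late static binding: a subclass that redefines the constant is checked against its own resource.
        return $this->_authorization->isAllowed(static::ADMIN_RESOURCE);
    }

    public function dispatch(): string  // hypothetical, stands in for the real request dispatch
    {
        return $this->_isAllowed() ? 'executed' : 'denied (403)';
    }
}

// Weak: inherits the default root resource, so the action is not tied to the module's own ACL entry.
class WeakPostIndex extends AbstractAction {}

// Hardened: bound to the resource declared in acl.xml, so only roles granted Posts may run it.
class PostIndex extends AbstractAction
{
    const ADMIN_RESOURCE = 'ThankIT_HelloWorld::post';
}

// Constructed role: allowed into the backend, but never granted ThankIT_HelloWorld::post.
$auth = new RoleAuthorization(['Magento_Backend::admin', 'Magento_Backend::dashboard']);
echo (new WeakPostIndex($auth))->dispatch(), PHP_EOL; // executed
echo (new PostIndex($auth))->dispatch(), PHP_EOL;     // denied (403)
```

When reviewing a module, check every Adminhtml controller for either an ADMIN_RESOURCE constant or an explicit _isAllowed() override; a controller with neither is protected only by the root resource.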
