Explain the auth authentication of ThinkPHP in detail


RBAC is authenticated by node. It is a little difficult to control permissions finer than nodes, such as the operation button on the page. I want to judge the user permission to display this button. If there is no permission, this button will not be displayed; For another example, I want to conduct authority authentication according to points. What can I do with points between 0-100 and 101-200. It is difficult to use RABC for these authority authentication.

The auth authority authentication is introduced below. It is almost omnipotent. In addition to node authentication, it can be implemented in both cases where RABC is difficult to authenticate.
Auth authority authentication is based on rules. Let me talk about its principle first. In the database, we have a rule table (think_auth_rule), a user group table (think_auth_group), and a user group obvious table (think_auth_group_access)

We define permission rules in the rule table, define which permission rules each user group has in the user group table, and define the user group to which the user belongs in the user group obvious table. The following is an example.

To determine whether the user has permission to display an action button, first define a rule and add a rule named show to the rule table_ Button rules. Then add a user group in the user group table, and define that the user group has show_ Button’s permission rules (the rule ID when the rules field in the think_auth_group table is saved, multiple of which are separated by commas), and then define in the user group details that the user with uid 1 belongs to the user group just this one.
OK, after the table data is defined, it is easy to judge the permission

import('ORG.Util.Auth');// Load class library
    $auth=new Auth();
    If ($auth->check ('show_button', 1)) {// the first parameter is the rule name, and the second parameter is the user uid
     //Permission to display operation buttons
     //No permission to display operation buttons

Auth class can also authenticate nodes like RBAC. We just need to define the rule name as the node name.
It is defined in the common controller commonaction like RABC_ Initialize method,

class CommonAction extends Action{
    public function _initialize(){
        import('ORG.Util.Auth');// Load class library
        $auth=new Auth();
        $this->error ('you have no permission ');

At this time, we can add node rules in the database in the form of “controller name method name”

Auth class can also authenticate with multiple rules, such as:


It means that as long as the authenticated user has the permission of Rule1 or Rule2, and as long as he has the permission of a rule, the authentication return result is true, that is, the authentication passes. By default, the relationship between multiple permissions is “or”, that is, among multiple permissions, as long as one permission passes, it passes. We can also define it as “and” relationship


The third parameter is specified as “and”, which means that multiple rules are authenticated by the and relationship. At this time, multiple rules can only have permission if they pass the authentication at the same time. As long as a rule has no permission, it will return false.

Auth authentication, a user can belong to multiple user groups. For example, we talk about show_ Button is used for authentication. User a belongs to both user group 1 and user group 2. User group 1 does not show_ Button rule permission, but if user group 2 has show_ Button rule permission will also pass the permission authentication.


Through the above code, you can get all the user groups that the user belongs to, which is convenient for us to display on the website.

Auth class can also judge permissions according to user attributes, such as user points. Suppose our user table (think_members) has a field score that records user points.

When I add rules to the rule table, I define the condition field of the rule table. The condition field is the rule condition. If it is empty by default, it means there is no additional condition. Only rules in the user group can pass the authentication. If the condition field is defined, the rules in the user group may not pass the authentication, and the program will also determine whether the additional conditions are met.

For example, we add several rules:

Name field: Grade1, condition field: {score}<100

Name field: Grade2, condition field: {score}>100 and {score}<200

Name field: Grade3, condition field: {score}>200 and {score}<300

Here {score} means think_ The value of the field score in the members table.

So at this time

$auth->check (‘grade1’, uid) is to judge whether the user’s score is 0-100
$auth->check (‘grade2’, uid) judge whether the user’s points are 100-200
$auth->check (‘grade3’, uid) judge whether the user’s points are between 200-300

The use of auth authentication is roughly the same as above. Is it a little too late to meet?

Config needs to be configured before using auth class php

    'AUTH_ On'= > true, // authentication switch
    'AUTH_ Type'= > 1, // authentication method, 1 is instant authentication; 2 is login authentication.
    'AUTH_ GROUP' => 'think_ auth_ Group', // user group data table name
    'AUTH_ GROUP_ ACCESS' => 'think_ auth_ group_ Access', // user group details
    'AUTH_ RULE' => 'think_ auth_ Rule', // permission rule table
    'AUTH_ USER' => 'think_ Members' // user information table

Need to import database

-- ----------------------------
-- think_ auth_ Rule, rule table,
--Id: primary key, name: unique identifier of the rule, Title: Chinese name of the rule status: 1 normal, 0 disabled, condition: rule expression, empty means to verify if it exists, and not empty means to verify according to conditions
-- ----------------------------
DROP TABLE IF EXISTS `think_auth_rule`;
CREATE TABLE `think_auth_rule` (  
    `id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT,  
    `name` char(80) NOT NULL DEFAULT '',  
    `title` char(20) NOT NULL DEFAULT '',  
    `status` tinyint(1) NOT NULL DEFAULT '1',  
    `condition` char(100) NOT NULL DEFAULT '',  
    PRIMARY KEY (`id`),  
    UNIQUE KEY `name` (`name`)
-- ----------------------------
-- think_ auth_ Group user group table, 
--ID: primary key, Title: Chinese name of user group, rules: rule ID owned by user group, multiple rules "," separated, status status: 1 normal, 0 disabled
-- ----------------------------
DROP TABLE IF EXISTS `think_auth_group`;
CREATE TABLE `think_auth_group` ( 
    `id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT, 
    `title` char(100) NOT NULL DEFAULT '', 
    `status` tinyint(1) NOT NULL DEFAULT '1', 
    `rules` char(80) NOT NULL DEFAULT '', 
    PRIMARY KEY (`id`)
-- ----------------------------
-- think_ auth_ group_ Access user group schedule
--Uid: user ID, group_ ID: user group ID
-- ----------------------------
DROP TABLE IF EXISTS `think_auth_group_access`;
CREATE TABLE `think_auth_group_access` (  
    `uid` mediumint(8) unsigned NOT NULL,  
    `group_id` mediumint(8) unsigned NOT NULL, 
    UNIQUE KEY `uid_group_id` (`uid`,`group_id`),  
    KEY `uid` (`uid`), 
    KEY `group_id` (`group_id`)

The above is the detailed explanation of ThinkPHP’s auth class authentication. For more information about ThinkPHP’s auth class authentication, please pay attention to other relevant articles of developeppaer!

Recommended Today

Hyperledger Fabric 2.x environment setup

1. Description The core of the blockchain network is the distributed ledger, in which all transaction information that occurs in the network is recorded. Hyperledger Fabric is an open source, enterprise-grade, permissioned distributed ledger solution platform. Hyperledger Fabric is underpinned by a modular architecture with excellent confidentiality, scalability, flexibility and extensibility. Hyperledger Fabric is designed […]