SlideShare a Scribd company logo

Yii Framework Security

Ilko Kacharov, profile picture
Ilko Kacharov

The document discusses authentication and authorization in the Yii framework, including its core application components like authentication manager and access control, as well as authorization approaches like role-based access control and access control lists. Yii provides tools for user authentication, defining user roles and permissions, and controlling access to application functions and data.

Technology
1 of 16
Downloaded 257 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Application Security with Yii Framework Authentication and Authorization Ilko Kacharov | kachar136@gmail.com
Advantages of the framework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
Performance RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
Core Application Components Yii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
Authentication Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
Authorization Authorization verifies what you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
Access Control Lists An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
Role-Based Access Control When defining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
Steps to secure an Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
Authenticate method in Yii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
API, documentation and community The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
References D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
License and requirements Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source

More Related Content

DOC
Luận văn Thạc sĩ Xây dựng ứng dụng phát hiện khuôn mặt trong ảnh sử dụng opencv
Dịch vụ viết thuê Luận Văn - ZALO 0932091562
 
PDF
Xếp hạng và tính toán song song trên nền tảng Apache Spark, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
PDF
Nghiên cứu các chuẩn OGC (Open Geospatial Consortium) trong hệ thống thông ti...
sunflower_micro
 
PDF
ỨNG DỤNG DEEP LEARNING ĐỂ ĐẾM SỐ LƯỢNG XE ÔTÔ TRONG NỘI THÀNH ĐÀ NẴNG 51920ed2
nataliej4
 
PDF
Code matlab mô phỏng dung lượng kênh truy ền reyleght trong kĩ thuật mimo
PTIT HCM
 
PDF
[123doc] - bai-thuc-hanh-chuyen-sau-ptit.pdf
HoangPhuongThao8
 
DOC
Đề tài: hệ thống phân loại sản phẩm bằng nhận dạng mờ, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
PDF
Dữ liệu không gian trên SQL Server - (Spatial Data in SQL Server)
Truong Ho
 
Luận văn Thạc sĩ Xây dựng ứng dụng phát hiện khuôn mặt trong ảnh sử dụng opencv
Dịch vụ viết thuê Luận Văn - ZALO 0932091562
 
Xếp hạng và tính toán song song trên nền tảng Apache Spark, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
Nghiên cứu các chuẩn OGC (Open Geospatial Consortium) trong hệ thống thông ti...
sunflower_micro
 
ỨNG DỤNG DEEP LEARNING ĐỂ ĐẾM SỐ LƯỢNG XE ÔTÔ TRONG NỘI THÀNH ĐÀ NẴNG 51920ed2
nataliej4
 
Code matlab mô phỏng dung lượng kênh truy ền reyleght trong kĩ thuật mimo
PTIT HCM
 
[123doc] - bai-thuc-hanh-chuyen-sau-ptit.pdf
HoangPhuongThao8
 
Đề tài: hệ thống phân loại sản phẩm bằng nhận dạng mờ, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
Dữ liệu không gian trên SQL Server - (Spatial Data in SQL Server)
Truong Ho
 

What's hot (20)

DOCX
200 đề tài luận văn thạc sĩ an ninh mạng. HAY
Dịch vụ viết thuê Khóa Luận - ZALO 0932091562
 
PDF
tim-hieu-ky-thuat-ofdm-fbmc-va-mo-phong-fbmc-co-code-ben-duoi
Huynh MVT
 
PDF
Hướng dẫn WebGis cơ bản - Basic Guide WebGis
Thuận Phạm Văn
 
PDF
Chuyen giao trong gsm
Linh Dinh
 
PDF
Chuong 1. cnpm
caolanphuong
 
PPT
I pv4 format
Nitesh Singh
 
DOC
Quan ly khach san cshare
Án Hướng dẫn
 
PPT
[14HCB-Quản Lý QTPM] - Tìm hiểu Jara
Tran Van Cuong
 
PDF
Đề tài: Tổng quan về hệ thống bơm trong công nghiệp, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
PDF
Đề tài: Thiết kế điều khiển tự động hệ thống nhiều bơm lên bể chứa
Dịch vụ viết bài trọn gói ZALO 0917193864
 
PDF
Luận văn: Kiểm thử tự động tương tác giao diện người dùng, 9đ
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
PDF
BA DAY: 5 bước phân tích yêu cầu nghiệp vụ
Le Cuong
 
PDF
20CS2008 Computer Networks
Kathirvel Ayyaswamy
 
PDF
Imunes, isentas, cooperativas e a ECD resposta de consulta cosit1442014
Tania Gurgel
 
PDF
Đề tài: Mô hình điều khiển, giám sát bãi giữ xe ô tô tự động, 9đ
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
PPTX
Artificial Intelligence Imaging - medical imaging
NeeluPari
 
PPT
Quy hoach mang w cdma
mjnhtamhn
 
PPTX
Ứng dụng NLP vào việc xác định ý muốn người dùng (Intent Detection) và sửa lỗ...
GMO-Z.com Vietnam Lab Center
 
PDF
Luận văn: Tìm hiểu chuẩn mật mã dữ liệu (DES) và ứng dụng, HOT
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
PDF
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
Tiki.vn
 
200 đề tài luận văn thạc sĩ an ninh mạng. HAY
Dịch vụ viết thuê Khóa Luận - ZALO 0932091562
 
tim-hieu-ky-thuat-ofdm-fbmc-va-mo-phong-fbmc-co-code-ben-duoi
Huynh MVT
 
Hướng dẫn WebGis cơ bản - Basic Guide WebGis
Thuận Phạm Văn
 
Chuyen giao trong gsm
Linh Dinh
 
Chuong 1. cnpm
caolanphuong
 
I pv4 format
Nitesh Singh
 
Quan ly khach san cshare
Án Hướng dẫn
 
[14HCB-Quản Lý QTPM] - Tìm hiểu Jara
Tran Van Cuong
 
Đề tài: Tổng quan về hệ thống bơm trong công nghiệp, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
Đề tài: Thiết kế điều khiển tự động hệ thống nhiều bơm lên bể chứa
Dịch vụ viết bài trọn gói ZALO 0917193864
 
Luận văn: Kiểm thử tự động tương tác giao diện người dùng, 9đ
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
BA DAY: 5 bước phân tích yêu cầu nghiệp vụ
Le Cuong
 
20CS2008 Computer Networks
Kathirvel Ayyaswamy
 
Imunes, isentas, cooperativas e a ECD resposta de consulta cosit1442014
Tania Gurgel
 
Đề tài: Mô hình điều khiển, giám sát bãi giữ xe ô tô tự động, 9đ
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
Artificial Intelligence Imaging - medical imaging
NeeluPari
 
Quy hoach mang w cdma
mjnhtamhn
 
Ứng dụng NLP vào việc xác định ý muốn người dùng (Intent Detection) và sửa lỗ...
GMO-Z.com Vietnam Lab Center
 
Luận văn: Tìm hiểu chuẩn mật mã dữ liệu (DES) và ứng dụng, HOT
Dịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
Tiki.vn
 
Ad

Viewers also liked (20)

PPT
Introduction to YII framework
Naincy Gupta
 
PPTX
Open Source Software Concepts
JITENDRA LENKA
 
PDF
Collapse of angolan banking system copy
Eduardo Cambinda
 
PPTX
Network Security July 1
Jd Mercado
 
PPTX
Cyberpunk
hidralisko
 
PPTX
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Harsh Mathur
 
PPTX
CyberPunk
Fabio Silva
 
PPTX
Yii framework
Leena Roja
 
PDF
Intrusion in computing
Eduardo Cambinda
 
PPTX
Heliodisplay
Shruti Bhardwaj
 
PPTX
Spoof Text
Magistra Dwinovia Indriani
 
PPTX
AirBar Sensor
Sukhbeer Singh
 
PPTX
heliodisplay
Rashid VM
 
PDF
What's behind facebook
Ajen 陳
 
PPTX
Heliodisplay
Abhay Nigam
 
PPTX
Cybersquatting
lizzielith
 
PPTX
Z force touch screen technology
lokesh naidu
 
PPTX
Computer forensic ppt
Priya Manik
 
PPTX
Neonode's zForce Air Technology
Ashish Kumar
 
PPT
Netbeans IDE & Platform
Aatul Palandurkar
 
Introduction to YII framework
Naincy Gupta
 
Open Source Software Concepts
JITENDRA LENKA
 
Collapse of angolan banking system copy
Eduardo Cambinda
 
Network Security July 1
Jd Mercado
 
Cyberpunk
hidralisko
 
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
Harsh Mathur
 
CyberPunk
Fabio Silva
 
Yii framework
Leena Roja
 
Intrusion in computing
Eduardo Cambinda
 
Heliodisplay
Shruti Bhardwaj
 
Spoof Text
Magistra Dwinovia Indriani
 
AirBar Sensor
Sukhbeer Singh
 
heliodisplay
Rashid VM
 
What's behind facebook
Ajen 陳
 
Heliodisplay
Abhay Nigam
 
Cybersquatting
lizzielith
 
Z force touch screen technology
lokesh naidu
 
Computer forensic ppt
Priya Manik
 
Neonode's zForce Air Technology
Ashish Kumar
 
Netbeans IDE & Platform
Aatul Palandurkar
 
Ad

Similar to Yii Framework Security (20)

PDF
Introduce Yii
zakieh alizadeh
 
PDF
Introduction Yii Framework
Tuan Nguyen
 
PPT
Yii php framework_honey
Honeyson Joseph
 
PPTX
Introduction to Yii & performance comparison with Drupal
cadet018
 
ZIP
Fwdtechseminars
Prânith Kumâr
 
KEY
Yii Introduction
Jason Ragsdale
 
PPTX
yii1
Rajat Gupta
 
PPTX
Yii2
Rajat Gupta
 
PPTX
P H P Framework
Animesh Kumar
 
PPTX
Yii2
Andrii Lagovskiy
 
PPTX
yii framework
Akhil Kumar
 
PPT
10 reasons to choose the yii framework
jananya213
 
ODP
Yii Framework - Do we really need another php framework?
Joachim Eckert
 
PPTX
Yii Development
jananya213
 
PDF
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
yttrdhlsud173
 
KEY
Yii Framework
Jason Ragsdale
 
PPSX
Yii framework
Mohammed Saqib
 
PDF
Get things done with Yii - quickly build webapplications
Giuliano Iacobelli
 
PDF
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
sadijagagean
 
PDF
Yii Framework in the RAD context + Mashup demo built on YII
George-Leonard Chetreanu
 
Introduce Yii
zakieh alizadeh
 
Introduction Yii Framework
Tuan Nguyen
 
Yii php framework_honey
Honeyson Joseph
 
Introduction to Yii & performance comparison with Drupal
cadet018
 
Fwdtechseminars
Prânith Kumâr
 
Yii Introduction
Jason Ragsdale
 
yii1
Rajat Gupta
 
Yii2
Rajat Gupta
 
P H P Framework
Animesh Kumar
 
Yii2
Andrii Lagovskiy
 
yii framework
Akhil Kumar
 
10 reasons to choose the yii framework
jananya213
 
Yii Framework - Do we really need another php framework?
Joachim Eckert
 
Yii Development
jananya213
 
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
yttrdhlsud173
 
Yii Framework
Jason Ragsdale
 
Yii framework
Mohammed Saqib
 
Get things done with Yii - quickly build webapplications
Giuliano Iacobelli
 
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
sadijagagean
 
Yii Framework in the RAD context + Mashup demo built on YII
George-Leonard Chetreanu
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 

Yii Framework Security

  • 1. Application Security with Yii Framework Authentication and Authorization Ilko Kacharov | kachar136@gmail.com
  • 2. Advantages of the framework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
  • 3. Performance RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
  • 4. Core Application Components Yii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
  • 5. Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
  • 6. Authentication Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
  • 7. Authorization Authorization verifies what you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
  • 8. Access Control Lists An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
  • 9. Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
  • 10. Role-Based Access Control When defining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
  • 11. Steps to secure an Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
  • 12. Authenticate method in Yii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
  • 13. API, documentation and community The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
  • 14. Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
  • 15. References D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
  • 16. License and requirements Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source