控制器

在创建资源类并指定应该如何格式化资源数据之后，接下来要做的是创建控制器动作，并通过 RESTful API 将资源公开给最终用户。

Yii 提供了两个基本控制器类来简化创建 RESTful 动作的工作，即 yii\rest\Controller 和 yii\rest\ActiveController。这两个控制器之间的区别是，后者提供了一个默认的动作集（actions），专门设计来处理表示为活动记录（Active Record）的资源。因此，如果你正在使用活动记录，并对提供的内置动作感到舒适，你可以考虑从 yii\rest\ActiveController 扩展你的控制器类，它将允许你用最少的代码创建强大的 RESTful API。

yii\rest\Controller 和 yii\rest\ActiveController 都提供了以下特性，其中一些特性将在接下来的几节中详细描述：

• HTTP method 验证；
• 内容协商和数据格式化；
• 认证；
• 速率限制。

yii\rest\ActiveController 另外还提供了以下功能：

• 一组常用的操作：index, view, create, update, delete, options；
• 关于所请求的动作和资源的用户授权。

创建控制器类

When creating a new controller class, a convention in naming the controller class is to use the type name of the resource and use singular form. For example, to serve user information, the controller may be named as UserController.

Creating a new action is similar to creating an action for a Web application. The only difference is that instead of rendering the result using a view by calling the render() method, for RESTful actions you directly return the data. The [[yii\rest\Controller::serializer|serializer]] and the [[yii\web\Response|response object]] will handle the conversion from the original data to the requested format. For example,

public function actionView($id)
{
    return User::findOne($id);
}

过滤器

Most RESTful API features provided by [[yii\rest\Controller]] are implemented in terms of filters. In particular, the following filters will be executed in the order they are listed:

• [[yii\filters\ContentNegotiator|contentNegotiator]]: supports content negotiation, to be explained in the Response Formatting section;
• [[yii\filters\VerbFilter|verbFilter]]: supports HTTP method validation;
• [[yii\filters\auth\AuthMethod|authenticator]]: supports user authentication, to be explained in the Authentication section;
• [[yii\filters\RateLimiter|rateLimiter]]: supports rate limiting, to be explained in the Rate Limiting section.

These named filters are declared in the [[yii\rest\Controller::behaviors()|behaviors()]] method. You may override this method to configure individual filters, disable some of them, or add your own filters. For example, if you only want to use HTTP basic authentication, you may write the following code:

use yii\filters\auth\HttpBasicAuth;

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class' => HttpBasicAuth::class,
    ];
    return $behaviors;
}

CORS

Adding the Cross-Origin Resource Sharing filter to a controller is a bit more complicated than adding other filters described above, because the CORS filter has to be applied before authentication methods and thus needs a slightly different approach compared to other filters. Also authentication has to be disabled for the CORS Preflight requests so that a browser can safely determine whether a request can be made beforehand without the need for sending authentication credentials. The following shows the code that is needed to add the [[yii\filters\Cors]] filter to an existing controller that extends from [[yii\rest\ActiveController]]:

use yii\filters\auth\HttpBasicAuth;

public function behaviors()
{
    $behaviors = parent::behaviors();

    // remove authentication filter
    $auth = $behaviors['authenticator'];
    unset($behaviors['authenticator']);

    // add CORS filter
    $behaviors['corsFilter'] = [
        'class' => \yii\filters\Cors::class,
    ];

    // re-add authentication filter
    $behaviors['authenticator'] = $auth;
    // avoid authentication on CORS-pre-flight requests (HTTP OPTIONS method)
    $behaviors['authenticator']['except'] = ['options'];

    return $behaviors;
}

扩展 ActiveController

If your controller class extends from [[yii\rest\ActiveController]], you should set its [[yii\rest\ActiveController::modelClass|modelClass]] property to be the name of the resource class that you plan to serve through this controller. The class must extend from [[yii\db\ActiveRecord]].

自定义 Action

By default, [[yii\rest\ActiveController]] provides the following actions:

• [[yii\rest\IndexAction|index]]: list resources page by page;
• [[yii\rest\ViewAction|view]]: return the details of a specified resource;
• [[yii\rest\CreateAction|create]]: create a new resource;
• [[yii\rest\UpdateAction|update]]: update an existing resource;
• [[yii\rest\DeleteAction|delete]]: delete the specified resource;
• [[yii\rest\OptionsAction|options]]: return the supported HTTP methods.

All these actions are declared through the [[yii\rest\ActiveController::actions()|actions()]] method. You may configure these actions or disable some of them by overriding the actions() method, like shown the following,

public function actions()
{
    $actions = parent::actions();

    // disable the "delete" and "create" actions
    unset($actions['delete'], $actions['create']);

    // customize the data provider preparation with the "prepareDataProvider()" method
    $actions['index']['prepareDataProvider'] = [$this, 'prepareDataProvider'];

    return $actions;
}

public function prepareDataProvider()
{
    // prepare and return a data provider for the "index" action
}

Please refer to the class references for individual action classes to learn what configuration options are available.

执行访问检查

When exposing resources through RESTful APIs, you often need to check if the current user has the permission to access and manipulate the requested resource(s). With [[yii\rest\ActiveController]], this can be done by overriding the [[yii\rest\ActiveController::checkAccess()|checkAccess()]] method like the following,

/**
 * Checks the privilege of the current user.
 *
 * This method should be overridden to check whether the current user has the privilege
 * to run the specified action against the specified data model.
 * If the user does not have access, a [[ForbiddenHttpException]] should be thrown.
 *
 * @param string $action the ID of the action to be executed
 * @param \yii\base\Model $model the model to be accessed. If `null`, it means no specific model is being accessed.
 * @param array $params additional parameters
 * @throws ForbiddenHttpException if the user does not have access
 */
public function checkAccess($action, $model = null, $params = [])
{
    // check if the user can access $action and $model
    // throw ForbiddenHttpException if access should be denied
    if ($action === 'update' || $action === 'delete') {
        if ($model->author_id !== \Yii::$app->user->id)
            throw new \yii\web\ForbiddenHttpException(sprintf('You can only %s articles that you\'ve created.', $action));
    }
}

The checkAccess() method will be called by the default actions of [[yii\rest\ActiveController]]. If you create new actions and also want to perform access check, you should call this method explicitly in the new actions.

Tip: You may implement checkAccess() by using the Role-Based Access Control (RBAC) component.

💖喜欢本文档的，欢迎点赞、收藏、留言或转发，谢谢支持！
作者邮箱：zhuzixian520@126.com，github地址：github.com/zhuzixian520