IlyaP Posted August 4, 2015

Hello! First of all, I really appreciate the Yii book and I find it just awesome! Thank you!

But I have a question about RBAC. In your book you are showing how to tie roles to database users. And I lost the thread at the moment when the roles are assigned to the users:

    # protected/models/User.php
    public function afterSave()
    {
        if (!Yii::app()->authManager->isAssigned($this->type, $this->id)) {
            Yii::app()->authManager->assign($this->type, $this->id);
        }
        return parent::afterSave();
    }

When a user is created, the role pointed at by the "type" attribute is assigned to the actual role in the database. The question is: what if I need to change the user's role after she has been created? For example, an administrator would want to change any specific user's role to "moderator" or to "author". This code would not work, right? How do I implement it? I can guess that I just need to delete the "if" condition, so the rest of the code would work when the user is updated. But I feel that is wrong...

Sorry if this question was already asked, I tried to find it. And thank you in advance!
Brent Knigge Posted August 7, 2015

Hello,

There are 2 types of authManager: PhpAuthManager and DbAuthManager. Without seeing your config file, I would guess that you are using PhpAuthManager, hence assigning the roles to the users. DbAuthManager is where you would store the roles and credentials in a database, which is what I think you want.

Hope that helps,
Brent
IlyaP Posted August 7, 2015

Thank you, Brent Knigge, for the attention, but unfortunately it is not what I'm looking for. I understood that there are two types of authManager. And in Larry's Yii book the DbAuthManager is used. I'm speaking about how a user's role could be changed without deleting all the RBAC settings. Because it can be done by the developer, but not by the administrator who will use the site.

Here is a long quote from the book:

"The goal is to invoke the assign() method once for each user, as that's what the RBAC system will need in order to confirm permission. The first thing you'll need to do is determine what user identifier counts. In other words: what table column and model attribute differentiates the different roles? Logically, this would be a property such as user.type in the CMS example. The goal, then, is to do this:

    if ($user->type === 'admin') {
        $auth->assign('admin', $user->id);
    } elseif ($user->type === 'author') {
        $auth->assign('author', $user->id);
    } elseif ($user->type === 'public') {
        $auth->assign('public', $user->id);
    }

That code associates the user's ID with a specific RBAC role. As each $user->type value directly correlates to a role, that code can be condensed to:

    $auth->assign($user->type, $user->id);

Second, you need to determine when it would make sense to invoke assign(). A logical time would be after the user registers. To do that, you could create an afterSave() method in the model class:

    # protected/models/User.php
    public function afterSave()
    {
        if (!Yii::app()->authManager->isAssigned($this->type, $this->id)) {
            Yii::app()->authManager->assign($this->type, $this->id);
        }
        return parent::afterSave();
    }

That code will be called after a model record is saved. This could be after a new record is created or after it is updated (like when the user changes her password). Because the second possibility exists, this code first checks that the assignment has not already taken place. If not, then the assignment is performed.

{TIP} If you have a situation where the user's permissions may be changed, you'd need to remove the existing role assignment and add the new one."

"The Yii Book." Larry Ullman, 2014-12-20. iBooks.

As I understood, the assign method must be called only one time for every user. But what if I need to let the administrator change users' roles? It could be a form in the admin's area, where the admin could choose a role for any user. But how can I save it?

Sorry for such long quotes and, probably, for the stupid question. I'm totally new to Yii and to frameworks at all; I developed only in a procedural way before.
Larry Posted August 10, 2015

Sorry for the delayed reply; I was on vacation. And thanks for the nice words! I really appreciate it.

If I understand your situation correctly, updating a user's authorization would be a matter of first revoking the existing authorization: http://www.yiiframework.com/doc/api/1.1/IAuthManager#revoke-detail

And then reauthorizing under the new user type.
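Putting the revoke-then-assign approach into the book's afterSave() hook, as an added example that is neither the book's code nor anything posted in this thread. It assumes the book's User model with a type column whose values are the RBAC role names admin, author and public; the _oldType property (filled in afterFind()) and the 'in' validation rule are additions made here so that a role change can be detected and only known roles can be written:

```php
<?php
// protected/models/User.php (added example; _oldType and the rules() entry are
// assumptions on top of the book's model, not the book's own code)
class User extends CActiveRecord
{
    // Role the record carried when it was loaded, so afterSave() can tell
    // whether an update changed it.
    private $_oldType;

    // Only names that exist as RBAC items may land in 'type'. This stops a
    // crafted form submission from assigning an arbitrary auth item.
    public function rules()
    {
        return array(
            array('type', 'in', 'range' => array('admin', 'author', 'public')),
            // ... the model's other rules ...
        );
    }

    protected function afterFind()
    {
        $this->_oldType = $this->type;
        parent::afterFind();
    }

    protected function afterSave()
    {
        $auth = Yii::app()->authManager;

        // Updated record whose type changed: drop the old assignment first.
        // Without this the user keeps both roles, i.e. the union of their permissions.
        if (!$this->isNewRecord && $this->_oldType !== null && $this->_oldType !== $this->type) {
            if ($auth->isAssigned($this->_oldType, $this->id)) {
                $auth->revoke($this->_oldType, $this->id);
            }
        }

        // New record, or updated record: make sure the current type is assigned exactly once.
        if (!$auth->isAssigned($this->type, $this->id)) {
            $auth->assign($this->type, $this->id);
        }

        $this->_oldType = $this->type;
        parent::afterSave();
    }
}
```

With this in place, the admin form only needs to set $user->type and call save(); the hook revokes the previous role and assigns the new one. The part that matters for safety is outside the hook: mark type as safe only in the scenario the admin form uses (for example with 'on' => 'admin' on the rule), so a user editing her own profile cannot submit a type field and promote herself.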
festsoft Posted April 19, 2016

Hello - I have a question on RBAC too. I am learning Yii and really began to make progress when I recently discovered and bought the Yii book. It is the best technical training manual I have used!

As I learn, I am porting an application I wrote into Yii and I have a mental block understanding the relationship between the accessControl filter setting in the model and accessRules in the Controller on the one hand, and the RBAC system on the other. I need to get this clear as I am trying to debug my RBAC implementation. On the one hand it looks as if RBAC should do the job of access control without needing accessRules, yet accessRules can include a 'roles' attribute. Can/should I disable accessControl completely and use RBAC as my access control?
Brent Knigge Posted April 21, 2016

Hi,

I don't think there are any access controls for a model (otherwise I'm going to be confused myself). There are 'rules' and scenarios in models, and these dictate how an attribute is to be populated. There are access controls (with rules) in the controller that determine how certain actions can be accessed. Access Control has rules. You don't have one without the other (kinda like Access control is a table, and rules are fields).

Here is a basic access control that I built to try things out. So the 'only' is for the action methods, i.e. actionCreate, actionRbac2 etc. Then I have the rules set up. The first rule is that only authenticated users (@) are allowed the create and update action methods. This is a simple case of access control. The second rule is using a role (set up as part of RBAC), and oddly enough I have this action method called rbac2 that it is allowed to access. As part of my learning experience I found it easier to keep track of things when the 'role' matched the method that I wanted RBAC for (i.e. the rbac2 role can access the rbac2 action method. Easy to test, look for error messages etc).

    'access' => [
        'class' => \yii\filters\AccessControl::className(),
        // Access control is only applied to the following actions
        'only' => ['create', 'update', 'rbac2'],
        'rules' => [
            // rule 1: only authenticated users (@) may run create and update
            [
                'roles' => ['@'],
                // this rule is for these actions
                'actions' => ['create', 'update'],
                'allow' => true,
                // this is to be called if access is denied. If not set, denyAccess() will be called
                'denyCallback' => function ($rule, $action) {
                    throw new \Exception('BK You are not allowed to access this page');
                },
            ],
            // rule 2: only users holding the RBAC role 'rbac2' may run actionRbac2
            [
                'allow' => true,
                'roles' => ['rbac2'],
                'actions' => ['rbac2'],
            ],
            // everything else is denied
        ],
    ],

Hope this helps,
Brent
festsoft Posted April 25, 2016

Thanks Brent. I had a mental block/was overtired, but I meant the 'accessControl' filter setting in the controller and the accessRules method in the base Controller. As more of a newbie than you are, I found your code difficult to follow. (I wondered if it is for Yii 2, as the thread title is Rbac in Yii 1.1?)

I am wanting to use RBAC with code like:

    if (!Yii::app()->user->checkAccess('task', ...)) { // where 'task' is an item in the RBAC hierarchy
        // throw exception...
    }
    // ...do task...
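A Yii 1.1 controller that uses both mechanisms together, added here as an example that is not code from the book or from anyone in this thread, to answer the question in the two festsoft posts above: accessRules() is the per-action gate, and when a rule lists 'roles' the filter answers it by calling Yii::app()->user->checkAccess() for each role, so RBAC still decides. The Post model, the author and admin roles and the updateOwnPost task with its business rule are assumptions:

```php
<?php
// protected/controllers/PostController.php (added example; Post, the roles and
// the 'updateOwnPost' task are assumed, not taken from the book or the thread)
class PostController extends CController
{
    // Attaching the accessControl filter makes Yii consult accessRules()
    // before every action of this controller.
    public function filters()
    {
        return array('accessControl');
    }

    // Coarse, per-action gate. A 'roles' entry is not a substitute for RBAC:
    // CAccessRule resolves it with $user->checkAccess($role), so the RBAC
    // hierarchy (role -> task -> operation) is what actually answers.
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
            array('allow', 'actions' => array('create'), 'roles' => array('author', 'admin')),
            array('allow', 'actions' => array('update', 'delete'), 'roles' => array('author', 'admin')),
            // Keep this last: when no rule matches, the 1.1 filter allows the action.
            array('deny', 'users' => array('*')),
        );
    }

    public function actionUpdate($id)
    {
        $post = $this->loadModel($id);

        // The filter only established that the user holds 'author'. Whether she
        // may edit *this* post is a finer RBAC question, answered by a task whose
        // bizRule receives $params, e.g.
        //   'return $params["post"]->user_id == Yii::app()->user->id;'
        if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post))
            && !Yii::app()->user->checkAccess('admin')) {
            throw new CHttpException(403, 'You are not allowed to edit this post.');
        }

        // ... assign the submitted attributes to $post, validate, save, redirect ...
    }

    protected function loadModel($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        return $post;
    }
}
```

Dropping the filter and calling checkAccess() by hand inside every action also works, but one forgotten call then leaves an action open to anyone. Keeping accessRules() gives every action a decision that is enforced before it runs, and the closing deny rule turns the filter's default-allow into default-deny; checkAccess() inside the action is then reserved for the decisions that depend on the specific record.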
Brent Knigge Posted April 27, 2016

Hi,

The code sample I have is for Yii2.

Thanks,
Brent