Jump to content
Larry Ullman's Book Forums
IlyaP

Rbac In Yii 1.1

Recommended Posts

Hello!
First of all, I really appreciate the Yii book and I find it just awesome! Thank you!

But, I have a question about rbac.  In your book you are showind how to tie roles to database users. And I lost the thread at the moment when the roles are assigned to the users:

 

# protected/models/User.php
public function afterSave() {
if (!Yii::app()->authManager->isAssigned(
$this->type,$this->id)) {
Yii::app()->authManager->assign($this->type,
$this->id);
}
return parent::afterSave();

When a user is created - the role pointed at "type" attribute is assigned to the actual role in database.
The question is - what if I need to change user's role after she has been created? For example, administartor would want to change any specific user's role to "moderator" or to "author"? This code would not work, right?
How do I implement it? I can guess that I just need to delete "if" condition, so the rest of code would work when user is updated. But I feel that is wrong.... 

Sorry, if this question was already asked, I tried to find it.
And thank you in advance!

Share this post


Link to post
Share on other sites

Hello,

 

There are 2 types of authManager.  PhpAuthManager and DbAuthManager.  

 

Without seeing your config file, I would guess that you are using PhpAuthManager - hence assigning the roles to the users.  DbAuthManager is where you would store the roles and credentials in a database which is what I think you want.

 

Hope that helps,

 

Brent

Share this post


Link to post
Share on other sites

Thank you, Brent Knigge for attention, but unfortunately it is not what looking for. I understood that there are two types of autManager. And in the Larry's Yii book the DbAuthManager is used.

 

I'm speaking about how user's role could be change without deleting all settings of rbac. Because, it can be done by deceloper, but not by administrator who will use site.

 

Here is a long quote from the book:

 

"«The goal is to invoke the assign() method once for each user, as that's what the RBAC system will need in order to confirm permission.

 

The first thing you'll need to do is determine what user identifier counts. In other words: what table column and model attribute differentiates the different roles? Logically, this would be a property such as user.type in the CMS example. The goal, then, is to do this:

 

if ($user->type === 'admin') {

$auth->assign('admin', $user->id);

} elseif ($user->type === 'author') {

$auth->assign('author', $user->id);

} elseif ($user->type === 'public') {

$auth->assign('public', $user->id);

}

That code associates the user's ID with a specific RBAC role. As each $user->type value directly correlates to a role, that code can be condensed to:

 

$auth->assign($user->type, $user->id);

Second, you need to determine when it would make sense to invoke assign(). A logical time would be after the user registers. To do that, you could create an afterSave() method in the model class:

 

# protected/models/User.php

public function afterSave() {

if (!Yii::app()->authManager->isAssigned(

$this->type,$this->id)) {

Yii::app()->authManager->assign($this->type,

$this->id);

}

return parent::afterSave();

}

«That code will be called after a model record is saved. This could be after a new record is created or after it is updated (like when the user changes her password). Because the second possibility exists, this code first checks that the assignment has not already taken place. If not, then the assignment is performed.

 

{TIP} If you have a situation where the user's permissions may be changed, you'd need to remove the existing role assignment and add the new one"

«The Yii Book.» Larry Ullman, 2014-12-20. iBooks.

 

As I understood, assign method must be called only one time for every user. But, what if I need to let administrator change roles to users? It could be a form in admin's area, where the admin could choose a role for any user. But how can I save it?

 

Sorry for such a long quotes and, probably for the stupid question. I'm totally new in Yii and frameworks at all, I developed only in procedural way before.

Share this post


Link to post
Share on other sites

Sorry for the delayed reply; I was on vacation. And thanks for the nice words! I really appreciate it.

 

If I understand your situation correctly, updating a user's authorization would be a matter of first revoking the existing authorization:

 

http://www.yiiframework.com/doc/api/1.1/IAuthManager#revoke-detail

 

And then reauthorizing under the new user type. 

Share this post


Link to post
Share on other sites

Hello - I have a question on RBAC too. I am learning Yii and really began to make progress when I recently discovered and bought the Yii book. It is the best technical training manual I have used!

As I learn, I am porting an application I wrote into Yii and I have a mental block understanding the relationship between the accessControl filter setting in the model and accessRules in the Controller on the one hand, and the RBAC system on the other. I need to get this clear as I am trying to debug my RBAC implementation. On the one hand it looks as if RBAC should do the job of access control without needing accessRules, yet accessRules can include a 'roles' attribute. Can/should I disable accessControl completely and use RBAC as my access control? 

Share this post


Link to post
Share on other sites

Hi,

 

I don't think there are any access controls for a model (otherwise I'm going to be confused myself).  There are 'rules', and scenarios in models and these dictate how an attribute is to be populated.  There are access control (with rules) in the controller that determine how certain actions can be accessed.

 

Access Control has rules. You don't have one with out the other.  (kinda like Access control is a table, and rules are fields).

 

Here is a basic access control that I built to try things out.

 

So the only is for the action methods.  I.e. actionCreate, actionRbac2 etc

Then I have the rules set up.

The first rule is that only authenticated users (@)are allowed create and update action methods.  This is a simple case of access control.

The second rule is using a role (set up as part of RBAC), and oddly enough I have this action method called rbac2 that it is allowed to access.  As part of my learning experience I found it easier to keep track of things when the 'role' matched the method that I wanted RBAC for (i.e. rbac2 role can access rbac2 action method.  Easy to test, look for error messages etc).

 

'access' => [

                'class' => \yii\filters\AccessControl::className(),

                //Access control is only available on the following actions

                'only' => ['create', 'update', 'rbac2],

                'rules' => [

                        // deny all POST requests

                          [

                          'roles' => ['@],

                          //this rule is for these actions

                          'actions' => ['create', 'update'],

                          

                          'allow' => true,

                          //this is to be called if access is denied.  If not set, denyAccess() will be called    

                          'denyCallback' => function ($rule, $action) {

                                                 throw new \Exception('BK You are not allowed to access this page');

                                                        }

                         

                          ],

                          [

                           'allow' => true,

                           'roles' => ['rbac2],

                           'actions' => ['rbac2'],

                          ],       

                        // everything else is denied

                      ],

                   ],

 

Hope this helps,

 

Brent

Share this post


Link to post
Share on other sites

Thanks Brent. I had a mental block/was overtired but I meant 'accessControl filter setting in the controller' and accessRules method in the base Controller. As more of a newbie than you are, I found your code difficult to follow. (I wondered if it is for Yii 2, as the thread title is Rbac in Yii 1.1?)  I am wanting to use RBAC with code like

if(!Yii::app()->user->checkAccess('task', etc)) {  //Where task is an item in RBAC hierarchy

    throw exception...

}

...do task...

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...