Access Rules Not Working For Role

dataskills · August 6, 2013, 9:04pm

I am really stumped here. I have the following simple access rules for a controller:

public function accessRules()


{


    return array(


        array('allow', 


            'actions' =&gt; array('index', 'view', 'home', 'detail', 'filter'),


            'users' =&gt; array('*'),


        ),


        array('allow', 


            'actions' =&gt; array('create', 'update'),


            'users' =&gt; array('@'),


        ),


        array('allow', 


            'actions' =&gt; array('admin', 'delete'),


            'roles' =&gt; array('superadmin'),


        ),


        array('deny', // deny all users


            'users' =&gt; array('*'),


        ),


    );


}

And even though my user has the ‘superadmin’ role I get a 403 when trying to access the admin view and it says: “You are not authorized to perform this action.”

If I use the username in the rule instead of the role it works:

‘users’ => array(‘myuser@mysite.com’), instead of ‘roles’ => array(‘superadmin’),

I know the user has the correct role because I have output the roles on the view to check them, like this:

$user_ssignments = Yii::app()->authManager->getAuthAssignments(Yii::app()->user->name);

foreach ($user_ssignments as $role_name=>$oCAuthItem)

{

 echo &quot;- '{&#036;role_name}'&lt;br /&gt;&quot;;

}

Th above outputs ‘superadmin’ as expected.

I am going mad. Please help me solve this if you can. Thanks!

qianggan · August 6, 2013, 10:08pm

Most log-in issue can be found the answer at http://www.yiiframework.com/doc/guide/1.1/en/topics.auth

roles: specifies which roles that this rule matches. This makes use of the role-based access control feature to be described in the next subsection. In particular, the rule is applied if CWebUser::checkAccess returns true for one of the roles. Note, you should mainly use roles in an allow rule because by definition, a role represents a permission to do something. Also note, although we use the term roles here, its value can actually be any auth item, including roles, tasks and operations.

If you defined your own role for the log-in user, you can try to use below code, once you assigned the correct role for Yii:app()->user during the log-in form.




array('allow', // allow admin user to perform 'admin' and 'delete' actions

				'actions'=>array('admin','delete','create','update'),

				'users'=>array('@'),

				'expression'=>'Yii::app()->user->role == "admin" || Yii::app()->user->role == "superadmin"',

			),

dataskills · August 7, 2013, 5:50pm

I figured it out.

I was assigning roles to the user email instead of user id. All I had to do was define the email as the user id in the UserIdentity class in the authenticate method like this:

$this->_id = $record->email;

Instead of this:

$this->_id = $record->id;

It would have worked as is if I had assigned roles to user (integer) ids.

So this explains how I had the roles in place and yet was not gaining access.