I’m getting a little confused with the accessRules function. For example in the following:
    public function accessRules()
    {
        return array(
            array('allow', // allow all users to perform 'index' and 'view' actions
                'actions'=>array('index','view'),
                'users'=>array('*'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('deny', // deny all users
                'users'=>array('*'),
            ),
        );
    }
How does it know which users are ‘admin’ users?
I’ve also set up an RBAC system. Is this separate from the accessRules function, or do they need to be linked somehow? If I have an RBAC system, do I need accessRules() at all?
Any help will be greatly appreciated!
Admin users could have an ‘admin’ role assigned. If so, you would use the ‘roles’ property instead of ‘users’ to grant them access to specified actions.
Also, some extensions like Auth override the default checkAccess so that it returns true for any auth item if the current user is an admin. Which users are admins depends on the extension; in Auth you specify that in the main config file.
The accessRules method is used by the accessControl filter. It’s a simple way to avoid making a manual check with checkAccess in every action. I don’t use accessRules in actions like ‘view’ or ‘update’ where I need to pass a specific model to checkAccess to see if the current user owns it.
So the accessControl filter is just a utility; it does not replace RBAC. When using RBAC you should group your auth items into tasks and roles and use them as arguments to the checkAccess() method of the ‘user’ component.
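The two points above (use 'roles' rather than 'users' in accessRules, and call checkAccess() by hand with the model when the decision depends on ownership) combined into one Yii 1.1 controller, as an added example that is not code from the original thread. It assumes a stock Yii 1.1 install with a CAuthManager (CDbAuthManager or CPhpAuthManager) configured as the 'authManager' component and a Post model with an 'author_id' column; the auth item names, the PostController class and the setupAuthItems() helper are hypothetical.

```php
<?php
// Added example (not from the original thread). Assumes Yii 1.1 with an
// 'authManager' component and a Post ActiveRecord model that has an
// 'author_id' column. Item names ('updatePost', 'updateOwnPost', 'author',
// 'admin') are hypothetical.

class PostController extends CController
{
    public function filters()
    {
        return array('accessControl'); // runs accessRules() before each action
    }

    public function accessRules()
    {
        return array(
            // Coarse checks that need no model: match on RBAC roles, not on a
            // hard-coded username. 'roles' calls Yii::app()->user->checkAccess()
            // with no params, so only role assignments are consulted here.
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
            array('allow', 'actions' => array('create'), 'roles' => array('author')),
            array('allow', 'actions' => array('admin', 'delete'), 'roles' => array('admin')),
            // Everything not explicitly allowed above is denied. Keep this last.
            array('deny', 'users' => array('*')),
        );
    }

    // 'update' is deliberately absent from accessRules(): whether it is allowed
    // depends on which Post is being edited, so the check is made here with the
    // loaded model passed as a checkAccess() parameter.
    public function actionUpdate($id)
    {
        $model = $this->loadModel($id);
        // $params['post'] is what the bizRule on 'updateOwnPost' inspects.
        if (!Yii::app()->user->checkAccess('updatePost', array('post' => $model))) {
            throw new CHttpException(403, 'You are not allowed to update this post.');
        }
        // ... assign attributes, validate and save ...
    }

    protected function loadModel($id)
    {
        $model = Post::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        return $model;
    }
}

// One-off creation of the auth hierarchy (run once, e.g. from a console
// command) so the controller above has items to check against.
function setupAuthItems($authorUserId, $adminUserId)
{
    $auth = Yii::app()->authManager;
    $auth->createOperation('updatePost', 'update any post');

    // The bizRule string is evaluated by the auth manager with the $params
    // array given to checkAccess(); it only passes for the post's own author.
    $bizRule = 'return Yii::app()->user->id == $params["post"]->author_id;';
    $task = $auth->createTask('updateOwnPost', 'update a post you wrote', $bizRule);
    $task->addChild('updatePost');

    $author = $auth->createRole('author');
    $author->addChild('updateOwnPost');      // authors reach updatePost only via the bizRule

    $admin = $auth->createRole('admin');
    $admin->addChild('updatePost');          // admins get updatePost directly, no ownership rule

    $auth->assign('author', $authorUserId);
    $auth->assign('admin', $adminUserId);
}
```

Note the difference from the generated rule `'users'=>array('admin')`: that form matches the literal username "admin" and nothing else, so any user who happens to register that name, or a renamed admin account, breaks the check. `'roles'=>array('admin')` goes through the auth manager's assignments instead, which is what ties the filter to the RBAC tree you built.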