After a lot of searching and a bit of incorrect guessing, I have turned to my peers for help on this one. For a simplified look at my problem, what I have is Drinks and Ingredients. Each Drink can have many Ingredients and each Ingredient can belong to only one Drink. What I would like is for any user with an ‘owner’ role to be able to create, update, delete any Drink or Ingredient (which I have in place). Next, I would like users with ‘contributor’ role to be able to perform the following operations:
-
Drink: create new Drink and edit/delete any Drinks they have created
-
Ingredient: create/edit/delete Ingredients, only for Drinks they created.
Before I can implement any Ingredient control, I need to be able to control Drink. Here is what I have so far.
Snippets from my console command to create the RBAC hierarchy:
...
$auth->createOperation("createDrink","Create a new Drink");
$auth->createOperation("updateDrink","Update a Drink");
$auth->createOperation("deleteDrink","Delete a Drink");
...
$auth->createOperation("createIngredient","Create a new Ingredient");
$auth->createOperation("updateIngredient","Update an Ingredient");
$auth->createOperation("deleteIngredient","Delete an Ingredient");
$auth->createOperation("createOwnDrinkIngredient","Create a new Ingredient for Own Drink");
$auth->createOperation("updateOwnDrinkIngredient","Update an Ingredient for Own Drink");
$auth->createOperation("deleteOwnDrinkIngredient","Delete an Ingredient for On Drink");
...
$bizRule='return Yii::app()->user->id==$params["drink"]->create_user_id;';
$task=$auth->createTask("updateOwnDrink","Update Own Drink",$bizRule);
$task->addChild("updateDrink");
$task=$auth->createTask("deleteOwnDrink","Delete Own Drink",$bizRule);
$task->addChild("deleteDrink");
...
$role=$auth->createRole("contributor", "Contributor");
$role->addChild("createDrink");
$role->addChild("updateOwnDrink");
$role->addChild("deleteOwnDrink");
$role->addChild("createOwnDrinkIngredient");
$role->addChild("updateOwnDrinkIngredient");
$role->addChild("deleteOwnDrinkIngredient");
...
$role=$auth->createRole("owner", "System Owner");
$role->addChild("createDrink");
$role->addChild("updateDrink");
$role->addChild("deleteDrink");
$role->addChild("createIngredient");
$role->addChild("updateIngredient");
$role->addChild("deleteIngredient");
Then inside of the DrinkController I have:
public function accessRules()
{
return array(
...
array('allow',
'actions'=>array('update'),
'roles'=>array('updateDrink','updateOwnDrink'=>array('Drink'=>$model)),
),
array('allow',
'actions'=>array('delete'),
'roles'=>array('deleteDrink','deleteOwnDrink'=>array('Drink'=>$model)),
),
...
);
}
CAccessControlFilter indicates that parameters can be passed for RBAC bizRules which is what I am trying here. So, I know what I am trying to accomplish can be done, I just don’t know the proper syntax for making it work. The problems must lie in the $bizRule I have defined and the array I am passing to the ‘roles’ for the update/delete actions (since I don’t have $model defined, there is nothing to pass but I don’t know how to get access to what I need). I’m just not sure how to bring the two in line so that they work.
Once I get this one working, I need to determine how to go one step deeper. I need to ensure that a contributor can add/edit/delete ingredients, but only if they are related to a drink that the user created. I don’t have any of that logic started above because I don’t know where to begin. My (incorrect) guess would be something like:
$bizRule='return Yii::app()->user->id==$params["ingredient"]->drink->create_user_id;';
Can someone out there please guide me through this unfortunate mess?