AccessRules: roles without RBAC

Hi all

I have three user roles in my app: client/member/admin. During login process, I set the respective role with

$this->setState('role', $user->role);

Although I don’t need the RBAC features (operations, tasks, roles), I would like to use something like this in my controller:

public function accessRules()


		return array(


				'roles' => array('client', 'member'),


Obviously the roles property only works with RBAC. But can I use the value in setState somehow?

I think such use isn’t planned and I need the work with the expression property, right?



I think so.

Btw, storing user’s roles in the session can become a security hole. After a successful login, roles can’t be revoked from the user until the session ends, and a session - technically - can be kept alive for years.

Thanks for the tip, appreciate it. So I should rather retrieve the role on every request based on the user id?

Yes, that would be the only safe way, but it depends on the security requirements of application. For very simple websites with one or two admin users I do store user’s role in the session :) For anything with more complex acces control I wouldn’t do it.