admin users in accessRules


(Omzy83) #1

How does 'users'=>array('admin') work in accessRules?

I am creating a user login section and will have different user types. The user type will be stored as an integer value in a ‘type’ field in the user’s table.

So how can I, for example, nominate 'admin' user status if user type = 1?


(Omzy83) #2

And how would I do this in a secure manner? For example, the setState method simply stores the information in a cookie.


(Maurizio Domba Cerin) #3

This just says that a username "admin" can access whatever you set it to…

Check the documentation… http://www.yiiframework.com/doc/guide/topics.auth#access-control-filter


(Omzy83) #4

I see. Well that is really designed for very simple scenarios.

Mine is slightly more complex: firstly, the 'username' in my user table is an email address, and secondly, the 'type' field stores the integer value for the role (1=admin, 2=member).

So let’s suppose I do:


array('allow', // allow admin user to perform 'admin' and 'delete' actions
	'actions'=>array('admin', 'delete'),
	'roles'=>array('admin'),
),

I had a look at the RBAC page, and it suggests that we need to set up / configure the Authorization Manager. Ideally I want to be able to just specify the actions and roles as I have done above and then be able to tell it what defines an ‘admin’ role, for example something like:

'admin'=>Yii::app()->user->type=1


(Maurizio Domba Cerin) #5

Check again the documentation… you can use 'expression'=>'…'


(Luqman Forums) #6

If you set up the "Authorization Manager" and assign the "admin" role to the user you want, e.g. user id 1, then you don't need anything else! The above code should work fine, limiting access to admin users (users who belong to the admin role). I think the authorization manager comes with sample roles, so just play about with it…
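As an added example (not code from the thread or from the Yii documentation), here is the minimal setup the post above describes for Yii 1.1: a file-based CPhpAuthManager, a one-off console command that creates the roles and assigns 'admin' to user id 1, and an accessRules entry that uses 'roles'. The role names 'admin' and 'member', the RbacCommand class and the user id are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumes Yii 1.1 with the default protected/
// layout; the role names, the command name and user id 1 are illustrative.

// --- protected/config/main.php (and console.php, so that yiic sees it too) ----
// 'components' => array(
//     'authManager' => array(
//         'class'    => 'CPhpAuthManager',
//         'authFile' => dirname(__FILE__) . '/../data/auth.php', // must be writable by yiic
//     ),
// ),

// --- protected/commands/RbacCommand.php: run once with `./yiic rbac` ----------
class RbacCommand extends CConsoleCommand
{
    public function run($args)
    {
        $auth = Yii::app()->authManager;
        $auth->clearAll();                          // start from a clean hierarchy

        $member = $auth->createRole('member', 'Registered member');
        $admin  = $auth->createRole('admin', 'Site administrator');
        $admin->addChild('member');                 // admins can do everything members can

        // Static assignment: 'admin' is tied to a user id here, not to the
        // 'type' column, so changing 'type' in the table does not change access.
        $auth->assign('admin', 1);
        $auth->save();                              // writes protected/data/auth.php
        echo "Roles written to " . $auth->authFile . "\n";
    }
}

// --- any controller -----------------------------------------------------------
// CAccessRule resolves 'roles' through Yii::app()->user->checkAccess('admin'),
// which asks the auth manager about the logged-in user's id.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('admin', 'delete'),
                'roles'   => array('admin'),
            ),
            array('allow',
                'actions' => array('view'),
                'roles'   => array('member'),       // also satisfied by admins via the child relation
            ),
            array('deny', 'users' => array('*')),   // deny everything not allowed above
        );
    }
}
```

The closing deny rule matters: CAccessControlFilter allows an action by default when no rule matches, so without it a typo in an action name silently opens that action to everyone.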


(Omzy83) #7

What about this expression:


'expression'=>'User::model()->findByPk(Yii::app()->user->id)->type==1',

But I suppose this means that the User table is queried all the time, as I’d need to put this code in every controller.

Yii::app()->user->id is stored in the session isn’t it?


(Garry3peace) #8

I think this link can help: Larry Ullman's Blog

It is using

    'expression'=>'isset($user->role) && ($user->role==="editor")'

so I think it won’t need to query all the time.
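The approach from that blog post, written out as an added example (it is not the thread's code and not Larry Ullman's): the identity class stores the role as a user state during authenticate(), and the access rule's expression reads it back through $user, which CAccessRule passes in as the CWebUser component, so no database query is needed on later requests. Assumes Yii 1.1.14 or later (for CPasswordHelper), a User ActiveRecord with email, password_hash and type columns (1=admin, 2=member), and allowAutoLogin left at its default of false so the state lives only in the server-side session; the column and class names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes Yii 1.1.14+, a User ActiveRecord with
// 'email', 'password_hash' and 'type' columns, and allowAutoLogin=false (the default),
// so user states are kept in the PHP session rather than in a cookie.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        // The login name is the e-mail address, as described in the thread.
        $user = User::model()->findByAttributes(array('email' => $this->username));

        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $user->password_hash)) {
            // bcrypt verification; never compare plaintext or unsalted hashes here.
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            // Persist the role as a user state: CWebUser copies identity states into
            // the session at login, so later requests read it without touching the DB.
            $this->setState('role', (int) $user->type);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;   // user id from the table, not the e-mail address
    }
}

// In any controller: $user inside the expression is Yii::app()->user, and
// CWebUser exposes each state as a property, so $user->role is the stored int.
class AdminController extends CController
{
    const TYPE_ADMIN = 1;

    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions'    => array('admin', 'delete'),
                'expression' => 'isset($user->role) && $user->role === ' . self::TYPE_ADMIN,
            ),
            array('deny', 'users' => array('*')),   // everything else is denied
        );
    }
}
```

The isset() guard is what keeps guests out: for a visitor who never logged in the 'role' state does not exist, and without the guard the expression would raise a notice rather than simply evaluate to false.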


(Omzy83) #9

I see. Now it’s a bit more clear. So I should turn off allowAutoLogin so that it does not store the sensitive data in a cookie (which can easily be modified), instead it will be stored in the session. Now how difficult is it to modify session data?

Also from my understanding of the above article, the "remember me" functionality does not work with sessions. Is this definitely the case or can we still make it work with sessions?


(Eric Holsinger) #10

The expression technique works very nicely when combined with the article Add information to Yii::app()->user by extending CWebUser




array('allow', // allow admin users to perform 'create' and 'update' actions
     'actions'=>array('create','update'),
     'expression'=>'Yii::app()->user->isAdmin()',
 ),



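The combination described in this post, as an added example (it is not the thread's code and not the linked article's): a WebUser subclass that loads the User row at most once per request and answers isAdmin() from the 'type' column, plus the config entry and access rule that use it. Because the role is re-read from the database by user id on every request and is never stored as a session or cookie state, the earlier worry about tampering with stored role data does not arise, and 'remember me' (allowAutoLogin) can stay enabled. Assumes Yii 1.1 and a User ActiveRecord with a 'type' column (1=admin, 2=member); the WebUser class, its constants and the config fragment are illustrative.

```php
<?php
// Added example, not from the thread. Assumes Yii 1.1 and a User ActiveRecord with
// a 'type' column (1=admin, 2=member). Save as protected/components/WebUser.php,
// which the default config already imports via 'application.components.*'.

class WebUser extends CWebUser
{
    const TYPE_ADMIN  = 1;
    const TYPE_MEMBER = 2;

    private $_model = false;   // false = not loaded yet; null = guest or deleted user

    /**
     * Load the User record for the logged-in id once per request.
     * Only the id is taken from the session/cookie; the role always comes from the DB.
     */
    public function getModel()
    {
        if ($this->_model === false) {
            $this->_model = $this->getIsGuest()
                ? null
                : User::model()->findByPk($this->getId());
        }
        return $this->_model;
    }

    public function getType()
    {
        $model = $this->getModel();
        return $model === null ? null : (int) $model->type;
    }

    public function isAdmin()
    {
        return $this->getType() === self::TYPE_ADMIN;
    }

    public function isMember()
    {
        return $this->getType() === self::TYPE_MEMBER;
    }
}

// --- protected/config/main.php (fragment): swap in the subclass -----------------
// 'components' => array(
//     'user' => array(
//         'class'          => 'WebUser',       // replaces the default CWebUser
//         'allowAutoLogin' => true,            // acceptable: no role data is read from the cookie
//         'loginUrl'       => array('site/login'),
//     ),
// ),

// --- any controller -------------------------------------------------------------
// '$user->isAdmin()' would work equally well: $user is the same WebUser instance.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions'    => array('create', 'update'),
                'expression' => 'Yii::app()->user->isAdmin()',
            ),
            array('allow',
                'actions'    => array('view'),
                'expression' => 'Yii::app()->user->isMember() || Yii::app()->user->isAdmin()',
            ),
            array('deny', 'users' => array('*')),   // everything else is denied
        );
    }
}
```

Returning null from getType() for a user whose row has disappeared means a deleted account with a still-valid session or auto-login cookie is treated as a guest by every rule, which is the failure mode you want.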

(Zhexiao) #11

Thanks. It helps me ~


(mohsin1) #12

Which code worked for you?