admin users in accessRules

GSTAR · July 29, 2010, 2:15pm

How does ‘users’=>array(‘admin’), work in accessRules?

I am creating a user login section and will have different user types. The user type will be stored as an integer value in a ‘type’ field in the user’s table.

So how can I, for example nominate ‘admin’ user status if user type = 1?

GSTAR · July 29, 2010, 4:29pm

And how would I do this in a secure manner, for example the setState method simply stores the information in a cookie.

mdomba · July 30, 2010, 8:08am

This just says that a username "admin" can access whatever you set it to…

Check the documentation… http://www.yiiframework.com/doc/guide/topics.auth#access-control-filter

GSTAR · July 30, 2010, 11:07am

I see. Well that is really designed for very simple scenarios.

Mine is slightly complex - firstly the ‘username’ in my user table is an email address. And secondly the ‘type’ field stores the integer value for the role (1=admin, 2=member).

So let’s suppose I do:


array('allow', // allow admin user to perform 'admin' and 'delete' actions

	'actions'=>array('admin', 'delete'),

	'roles'=>array('admin'),

),

I had a look at the RBAC page, and it suggests that we need to set up / configure the Authorization Manager. Ideally I want to be able to just specify the actions and roles as I have done above and then be able to tell it what defines an ‘admin’ role, for example something like:

‘admin’=>Yii::app()->user->type=1

mdomba · July 30, 2010, 11:15am

Check again the documentation… you can use ‘expression’=>’…’

Sniper · July 30, 2010, 12:09pm

If you setup the “Authorization Manager” and assign the “admin” role to a user you want e.g. userid 1, then you don’t need anything else! The above code should work fine, limiting access to admin users (users who belong to the admin role). I think the authorization manager comes with sample roles, so just play about with it…

GSTAR · July 30, 2010, 3:41pm

What about this expression:


'expression'=>'User::model()->findByPk(Yii::app()->user->id)->type==1',

But I suppose this means that the User table is queried all the time, as I’d need to put this code in every controller.

Yii::app()->user->id is stored in the session isn’t it?

junxiong · July 31, 2010, 7:14am

GSTAR:

What about this expression:
'expression'=>'User::model()->findByPk(Yii::app()->user->id)->type==1',
But I suppose this means that the User table is queried all the time, as I’d need to put this code in every controller.

Yii::app()->user->id is stored in the session isn’t it?

I think this link can help.Larry Ullman’s Blog

It is using




    'expression'=>'isset($user->role) && ($user->role==="editor")'

so I think it won’t need to query all the time.

GSTAR · July 31, 2010, 9:39am

I see. Now it’s a bit more clear. So I should turn off allowAutoLogin so that it does not store the sensitive data in a cookie (which can easily be modified), instead it will be stored in the session. Now how difficult is it to modify session data?

Also from my understanding of the above article, the "remember me" functionality does not work with sessions. Is this definitely the case or can we still make it work with sessions?

eholsinger · October 5, 2011, 2:14pm

The expression technique works very nicely when combined with the article Add information to Yii::app()->user by extending CWebUser




array('allow', // allow admin users to perform 'create' and 'update' actions    

     'actions'=>array('create','update'),

     'expression'=>'Yii::app()->user->isAdmin()',

 ),

andybegin · October 3, 2013, 1:41pm

Thanks . It’s help for me ~

mohsin1 · July 4, 2019, 7:13am

which code work you