Are we allowed to directly assign permissions to users?

Here is what the official guide suggests:




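    $auth = Yii::$app->authManager;

    // add the "createPost" permission
    $createPost = $auth->createPermission('createPost');
    $createPost->description = 'Create a post';
    $auth->add($createPost);

    // add the "author" role and give it the "createPost" permission
    $author = $auth->createRole('author');
    $auth->add($author);
    $auth->addChild($author, $createPost);

    // assign the role to the user with ID 2
    $auth->assign($author, 2);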



Permissions are children of roles, and roles are assigned to users. This quote from the guide also promotes this:

But does that mean it is wrong to assign permissions directly to users?




    $auth = Yii::$app->authManager;

    // add the "createPost" permission
    $createPost = $auth->createPermission('createPost');
    $createPost->description = 'Create a post';
    $auth->add($createPost);

    // assign the permission itself (no role) to the user with ID 2
    $auth->assign($createPost, 2);



The above code will execute with no errors, and the checkAccess() method will also work fine. My question is: are we supposed to avoid this, or is it okay to use RBAC in this way?

Hi,

I would say whether it is “allowed” depends on you. ;)

If you want to assign them directly to a user - or not.

A role is nothing else than a COLLECTION of permissions.

And in the end we usually do what?

We check for permissions. :)

So from my point of view:

Yes - you can assign permissions directly to users.

BUT you have to keep in mind that things can get messy quickly…

And you surely don’t want to assign a dozen permissions to each and every user.

Regards

Thanks for the response, I agree with you.

Actually, I asked this question because of this issue. There is a bug in the getPermissionByUser() method when a permission is directly assigned to a user, and I wanted to know if the framework tends to support this or not. It seems that the framework has no problem with directly assigning permissions to a user, so that’s a valid issue. :)

Ohhh!

I was not aware of the problem described in #9314.

Thanks for the hint!

In my opinion, definitely a valid issue…

Seems that I just had luck because I never assigned permissions directly to users so far…

Regards
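
An added example (not from the thread, the Yii guide or the framework): a helper that separates a user's role assignments from directly assigned permissions and derives the effective permission set from `getAssignments()`, `getPermissionsByRole()` and `getChildren()`, so the direct assignments the replies warn can get messy are easy to review. The helper names are hypothetical, and it assumes a Yii 2 application with the `authManager` component configured.

```php
<?php
// Added example; auditAssignments() and collectChildren() are hypothetical names.
// Assumes a Yii 2 application with the authManager component configured.

use yii\rbac\ManagerInterface;

// Recursively collect the names of all child items below $name.
function collectChildren(ManagerInterface $auth, string $name, array &$seen): void
{
    foreach ($auth->getChildren($name) as $child) {
        if (!isset($seen[$child->name])) {
            $seen[$child->name] = true;
            collectChildren($auth, $child->name, $seen);
        }
    }
}

/**
 * Split a user's assignments into roles and directly assigned permissions,
 * and build the effective permission set from both.
 * Default roles are not stored as assignments and are not covered here.
 */
function auditAssignments(ManagerInterface $auth, $userId): array
{
    $roles = $direct = $effective = [];
    // getAssignments() returns every assigned item, role or permission.
    foreach ($auth->getAssignments($userId) as $assignment) {
        $name = $assignment->roleName; // holds the item name for permissions too
        if ($auth->getRole($name) !== null) {
            $roles[] = $name;
            foreach ($auth->getPermissionsByRole($name) as $permission) {
                $effective[$permission->name] = true;
            }
        } elseif ($auth->getPermission($name) !== null) {
            $direct[] = $name;          // assigned outside any role: review these
            $effective[$name] = true;
            collectChildren($auth, $name, $effective); // child permissions
        }
    }

    return [
        'roles' => $roles,
        'directPermissions' => $direct,
        'effectivePermissions' => array_keys($effective),
    ];
}

// User 2 is the user ID used in the question's snippets.
$report = auditAssignments(Yii::$app->authManager, 2);
```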