Authentication / Access Control

Hey there. I'm stuck in the authentication part. I need to give different access to different users, and I thought using RBAC would be a good idea, but it's poorly documented, and it also seems to be complicated. I have a field in my users table, named usr_tipo (that stands for user type). I want to give them access depending on this (0, 1 and 2 are different kinds of normal users, while 3 should stand for admin). I also want to check if the user is the owner of something (checking the author's id against the logged-in user's id).

So how could I do this?

About the AuthManager, I don't even know where to start. There's a piece of code here: http://www.yiiframework.com/doc/guide/topics.auth but I don't even know where to put this. Also, my tasks/operations aren't defined; I'm just creating my website and I still don't know everything I'll need.

Can anybody please help me with this?

Well, although I had no answer, I got this problem solved. Here's how I did it:

As AuthManager seemed to be too complicated, I decided to create something simpler, based on Larry Ullman's solution. So here it is:

First, I have a field in my table called usr_tipo, that has numeric values for each user type:

1 = musician
2 = band
3 = other
4 = admin

In UserIdentity.php, inside the authenticate() method, I set a state on the user's session to identify its role. I also set a getter to get the user's id from the table:


	private $_id;

	public function authenticate()
	{
		$record = Usuarios::model()->findByAttributes(array('login'=>$this->username));
		if (is_null($record))
			$this->errorCode=self::ERROR_USERNAME_INVALID;
		else if ($record->senha !== md5($this->password)) // the stored hash is unsalted MD5 in this schema
			$this->errorCode=self::ERROR_PASSWORD_INVALID;
		else
		{
			$this->_id = $record->id;

			/** Set the role according to usr_tipo **/
			switch ($record->usr_tipo) {
				case 0: $role = 'musico'; break;
				case 1: $role = 'banda'; break;
				case 2: $role = 'outro'; break;
				case 3: $role = 'admin'; break;
				default:
					$role = '';
			}
			// stored in the session; readable later as Yii::app()->user->role
			$this->setState('role', $role);

			$this->setState('nome', $record->nome);
			$this->errorCode=self::ERROR_NONE;
		}
		return !$this->errorCode;
	}

	public function getId()
	{
		return $this->_id;
	}

Then, in my controller, I set some variables with expressions that validate against the value set in the user's session:


	public function accessRules()
	{
		/** rules **/
		$isMusico = "isset(Yii::app()->user->role) && (Yii::app()->user->role==='musico')";
		$isBanda = "isset(Yii::app()->user->role) && (Yii::app()->user->role==='banda')";
		$isOutro = "isset(Yii::app()->user->role) && (Yii::app()->user->role==='outro')";
		$isAdmin = "isset(Yii::app()->user->role) && (Yii::app()->user->role==='admin')";

		return array(
			array('allow',  // allow all users (guests included) to perform these actions
				'actions'=>array('list','show','listaCidades','captcha','create'),
				'users'=>array('*'),
			),
			array('allow', // allow authenticated users to perform 'update' and 'delete' actions
				'actions'=>array('update', 'delete'),
				'users'=>array('@'),
				// passed as a callback so Yii evaluates it on each request;
				// calling $this->isOwnerOrAdmin() here would bake a fixed boolean into the rule
				'expression'=>array($this, 'isOwnerOrAdmin'),
			),
			array('allow', // allow admin user to perform 'admin' action
				'actions'=>array('admin'),
				'users'=>array('@'),
				'expression'=>$isAdmin,
			),
			array('deny',  // deny everything else
				'users'=>array('*'),
			),
		);
	}

Finally, you can see there's a method in one of those blocks. $this->isOwnerOrAdmin() is a method I created to allow access either if the user is the owner of that page, or if he's admin. Here's the function:


	// public so the access filter can invoke it as a callback
	public function isOwnerOrAdmin()
	{
		// compare ids as strings to avoid PHP's loose numeric comparison
		return ( isset(Yii::app()->user->role) && (Yii::app()->user->role==='admin') )
			|| ( isset($_GET['id']) && ((string)Yii::app()->user->id === (string)$_GET['id']) );
	}

That’s it. I hope to help people with the same problem.

Cheers
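The same approach written out as a complete pair of classes for Yii 1.1. This is an added example, not code from the thread or from Yii itself; it keeps the post's role names and usr_tipo values, but replaces the switch with a lookup table and checks ownership against the record's own author column rather than only the URL parameter. The model name Post, its columns id and author_id, and the controller name are assumptions for illustration; Usuarios and its columns come from the post.

```php
<?php
// Added example (not from the thread). Assumes Yii 1.1 classes (CUserIdentity,
// CController, CActiveRecord) are autoloaded, and a hypothetical Post model
// with columns id and author_id.

class UserIdentity extends CUserIdentity
{
    private $_id;

    // Single place that maps the numeric usr_tipo column to a role name
    // (values follow the post's switch; adjust to your own table).
    private static $roleMap = array(
        0 => 'musico',
        1 => 'banda',
        2 => 'outro',
        3 => 'admin',
    );

    public function authenticate()
    {
        $record = Usuarios::model()->findByAttributes(array('login' => $this->username));
        if ($record === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif ($record->senha !== md5($this->password)) { // the post's hashing scheme
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $record->id;
            $tipo = (int)$record->usr_tipo;
            // unknown type -> empty role, so none of the role rules below match
            $role = isset(self::$roleMap[$tipo]) ? self::$roleMap[$tipo] : '';
            $this->setState('role', $role);   // readable as Yii::app()->user->role
            $this->setState('nome', $record->nome);
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class PostController extends CController
{
    public function filters()
    {
        // without this filter accessRules() is never consulted
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('list', 'show'), 'users' => array('*')),
            array('allow', 'actions' => array('create'), 'users' => array('@')),
            // callbacks receive the CWebUser and are evaluated per request
            array('allow', 'actions' => array('update', 'delete'), 'users' => array('@'),
                'expression' => array($this, 'isOwnerOrAdmin')),
            array('allow', 'actions' => array('admin'), 'users' => array('@'),
                'expression' => array($this, 'isAdmin')),
            array('deny', 'users' => array('*')),   // default: deny
        );
    }

    public function isAdmin($user)
    {
        return $user->getState('role') === 'admin';
    }

    // Owner check: load the record and compare its author_id with the logged-in id,
    // instead of trusting that ?id= in the URL is the user's own id.
    public function isOwnerOrAdmin($user)
    {
        if ($this->isAdmin($user)) {
            return true;
        }
        $id = Yii::app()->request->getQuery('id');
        if ($id === null || !ctype_digit((string)$id)) {
            return false;           // missing or non-numeric id: no ownership claim
        }
        $post = Post::model()->findByPk((int)$id);
        // unknown record is denied here; the action itself can still raise a 404
        return $post !== null && (string)$post->author_id === (string)$user->id;
    }
}
```

Because the rule holds a callback rather than the result of a call, the check runs each time the filter evaluates the rule, and the trailing deny rule means any action not listed earlier is refused for everyone.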

I just read this post.

I also had this problem and I solved it with a similar method; it is also in the comments of Authentication and Authorization.

Thanks! That's so useful to me; I was stuck in the auth stuff too.

The RBAC system seems to be very flexible, but it is badly documented and I didn't understand how to implement it, so your solution was better for me.

I too found this helpful.

Thanks for the hint…

Did you ever get srbacs to work?

Cheers

Thank you so much bogus. I had searched for such a long time and your post has ended my search.

Cheers.

Awesome post, man. Really saved my day. :)

Thanks, bogus, this post really helped me a lot.

Tried it and had luck with it. Thanks, man, it saved my time.

Oh, very good.

That was helpful.

Thanks.