Authentication Question

I have some doubts about the authentication of my app,im not sure if im doing the right thing.

My app is about users that can manage appliances in a house, so a user can manage a single house and a house has many appliances. 2 different houses can have the same appliance (like microwave)

I have 4 tables















To authenticate im using rbac, in the meantime i only have the admin role with permissions to do everything in a house. The role only checks access to controller actions. To check that a user is capable of managing a house, im getting the id_house from user_house (associated to that particular id_user) and storing it in a session variable then i check it before rendering views.

This works, but is this the right way ? there’s probably something else smarter/efficient to do the same, but i cant figure it out.


edit:Forgot to mention that there’s a 5th table house_appliance for the many to many relation

Do not store any authorization-related data (other than the user id) in the session. Data in your database might change but if you duplicate it in the session, the change won’t affect the permissions of the logged-in user as long as he’s able to keep the session alive - and there’s no theoretical limit on the lifespan of a PHP session.

You might want to take a look at RBAC rules and Filters but there’s nothing wrong with implementing custom authorization logic. Yii provides a general-purpose authorization mechanism that tries to fullfill everyone’s needs (and with a good success rate) but custom authorization can be much easier to manage in simpler use cases.


I also had the impression that this could be handled with rules but i don’t know how to implement it, maybe something like this ?

class HouseRule extends Rule


    public $name = 'isManager';

    public function execute($user, $item, $params)


        return isset($params['id_house']) ? $params['id_house']->managedBy == $user : false;



btw: This is the first time that im using rbac ;)

You have already implemented the authorization logic:

Just move it to HouseRule::execute().