I'm making a website with multiple roles which users can have. These roles are 'guest', 'user' and 'admin', with the possibility of adding more roles as the website grows, like 'moderator' and 'news poster'.
Now I understand how to make these roles and bind them with Operations etc., as explained in http://www.yiiframew…-access-control, and how to use the accessControl filter inside the controllers in combination with these roles.
What I don't understand is how I can assign these roles to my current userTable in the database.
In the AuthAssignment table these roles are assigned, which binds them to a userID.
What I can do is, for each user that registers I do:
//standard action when registering
$auth->assign('user', $userid);
//manual operations: elevated rights for some users
$auth->assign('moderator', $userid);
$auth->assign('news poster', $userid);
But what I want is that everyone who is logged in has the role 'user' by default, and that the authManager is also checked to see whether the id has "elevated" rights, like 'moderator', 'news poster', 'admin' or a combination of those.
This way the authManager table isn't filled with thousands of "userid = 'user'" rows and maybe 10 admins/moderators.
Can someone explain to me what I have to do to make this work? Or maybe punch me in the face and tell me that what I'm doing could be done much more easily…
Maybe you can use the accessRules to give everybody who is logged in the base rules and set another level of access rules for admins.
Like this:
<?php
public function accessRules()
{
    return array(
        array('allow', // allow all authenticated users ('@') to perform 'list' and 'show' actions
            'actions'=>array('list','show'),
            'users'=>array('@'),
        ),
        array('allow', // only users holding the 'moderator' role may perform 'delete'
            'actions'=>array('delete'),
            'roles'=>array('moderator'),
        ),
    );
}
?>
I think this will give everybody who is logged in the right to show and list, but only moderators can delete. The moderators would still be able to perform show and list since they are logged in.
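As an added illustration of the rules in the answer above (example code written for this page, not the answerer's code and not Yii's own CAccessControlFilter): Yii 1.x evaluates accessRules() top to bottom, the first rule that matches the request decides, and if no rule matches at all the action is allowed. The small evaluator below mimics those semantics, with a hypothetical $userRoles map standing in for CWebUser::checkAccess() and user ids standing in for usernames, and runs the two posted rules once as-is and once with a trailing deny-all rule. It shows why the deny-all rule is needed: without it a guest reaches 'delete' (and even 'show') simply because no rule matched.

```php
<?php
// Added example: a first-match rule evaluator with the semantics Yii 1.x applies
// to accessRules(). Not Yii's class; $userRoles and the user ids are constructed.

function matchesUsers(array $patterns, $userId)
{
    foreach ($patterns as $p) {
        if ($p === '*') return true;                                  // everyone
        if ($p === '?' && $userId === null) return true;              // guests only
        if ($p === '@' && $userId !== null) return true;              // authenticated only
        if ($userId !== null && $p === (string) $userId) return true; // specific user (simplified to id)
    }
    return false;
}

function matchesRoles(array $wanted, $userId, array $userRoles)
{
    $held = ($userId !== null && isset($userRoles[$userId])) ? $userRoles[$userId] : array();
    return count(array_intersect($wanted, $held)) > 0;
}

/**
 * @param array       $rules     accessRules()-style array
 * @param string      $action    requested action id
 * @param string|null $userId    null for an anonymous visitor
 * @param array       $userRoles hypothetical map: user id => list of role names
 * @return bool true if access is granted
 */
function evaluateAccessRules(array $rules, $action, $userId, array $userRoles)
{
    foreach ($rules as $rule) {
        $verdict = array_shift($rule); // 'allow' or 'deny'
        if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
            continue; // rule does not cover this action
        }
        if (isset($rule['users']) && !matchesUsers($rule['users'], $userId)) {
            continue;
        }
        if (isset($rule['roles']) && !matchesRoles($rule['roles'], $userId, $userRoles)) {
            continue;
        }
        return $verdict === 'allow'; // first matching rule decides
    }
    return true; // no rule matched: Yii 1.x grants access
}

// The two rules exactly as posted in the answer.
$rulesAsPosted = array(
    array('allow', 'actions'=>array('list','show'), 'users'=>array('@')),
    array('allow', 'actions'=>array('delete'),      'roles'=>array('moderator')),
);
// The same rules plus the deny-all rule that should close every accessRules() list.
$hardenedRules = $rulesAsPosted;
$hardenedRules[] = array('deny', 'users'=>array('*'));

// Constructed sample data: user 7 is a plain member, user 42 is also a moderator.
$userRoles = array('7'=>array('user'), '42'=>array('user', 'moderator'));

$cases = array(
    array(null, 'show'), array(null, 'delete'),
    array('7', 'show'),  array('7', 'delete'),
    array('42', 'delete'),
);
foreach ($cases as $case) {
    list($uid, $action) = $case;
    printf("%-6s %-7s as posted: %-5s  with deny-all: %s\n",
        $uid === null ? 'guest' : "user$uid", $action,
        evaluateAccessRules($rulesAsPosted, $action, $uid, $userRoles) ? 'allow' : 'deny',
        evaluateAccessRules($hardenedRules, $action, $uid, $userRoles) ? 'allow' : 'deny');
}
```

Running it prints that a guest (and user 7) gets 'delete' under the rules as posted and is denied only once the deny-all rule is appended, while user 42 keeps 'delete' in both configurations. The same applies to any real controller: put `array('deny', 'users'=>array('*'))` last, otherwise every action not named in an earlier rule is open to everyone.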
I was working on the same subject and I was thinking to introduce "user groups". I have no idea how it can be done (haven't thought about it yet) but the principle is simply to assign role(s) to groups of users, instead of single users. For example, at registration time a new user would be added to a default group, with already assigned roles. … Of course there's a lot more, like getting roles for a user who belongs to more than one group, etc…
That's called group-based RBAC. However, I think you may treat a group as just another kind of role. So it is not really necessary with our hierarchical RBAC.
The only missing part is the case RuudBurger described, i.e., we need some shortcut to represent roles that nearly every user is in. Otherwise, it is a big waste and a maintenance headache to maintain these special roles.
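To make the two points concrete, here is an added, self-contained PHP sketch (written for this page; it is not the posters' code and not Yii's CAuthManager) of the hierarchical RBAC with the "shortcut" for roles nearly everyone holds, which is what the original question asked for: roles every authenticated user has are configured once as default roles and never written to the assignment table, so only elevated users (moderator, news poster, admin) get a row, and a group is just a role that has other roles as children. Yii 1.1 ships this shortcut as CAuthManager::$defaultRoles (for example `'authManager'=>array('class'=>'CDbAuthManager', 'defaultRoles'=>array('user'))`); the item names, user ids and hierarchy below are constructed sample data.

```php
<?php
// Added example: hierarchical RBAC with implicit default roles. Not Yii code;
// all item names, user ids and the hierarchy are constructed for illustration.

class SimpleAuthManager
{
    private $children = array();    // item name => list of child items (roles, tasks, operations)
    private $assignments = array(); // user id => explicitly assigned roles (elevated users only)
    private $defaultRoles;          // roles every authenticated user holds implicitly
    private $guestRoles;            // roles an anonymous visitor holds

    public function __construct(array $defaultRoles, array $guestRoles = array())
    {
        $this->defaultRoles = $defaultRoles;
        $this->guestRoles = $guestRoles;
    }

    public function createItem($name)
    {
        if (!isset($this->children[$name])) $this->children[$name] = array();
    }

    /** Make $child reachable from $parent; refuses unknown items and cycles. */
    public function addItemChild($parent, $child)
    {
        if (!isset($this->children[$parent]) || !isset($this->children[$child])) {
            throw new InvalidArgumentException("unknown auth item: $parent / $child");
        }
        if ($this->reaches($child, $parent)) {
            throw new InvalidArgumentException("$child under $parent would create a cycle");
        }
        $this->children[$parent][] = $child;
    }

    /** Store an assignment only when the role is not already implicit. */
    public function assign($role, $userId)
    {
        if (!isset($this->children[$role])) throw new InvalidArgumentException("unknown role: $role");
        if (in_array($role, $this->defaultRoles, true)) return; // every member has it anyway
        $this->assignments[$userId][$role] = true;
    }

    public function revoke($role, $userId)
    {
        unset($this->assignments[$userId][$role]);
    }

    /** Effective roles: guest roles, or default roles plus explicit assignments. */
    public function getRoles($userId)
    {
        if ($userId === null) return $this->guestRoles;
        $explicit = isset($this->assignments[$userId]) ? array_keys($this->assignments[$userId]) : array();
        return array_values(array_unique(array_merge($this->defaultRoles, $explicit)));
    }

    /** True if any effective role reaches $itemName through the hierarchy. */
    public function checkAccess($itemName, $userId)
    {
        foreach ($this->getRoles($userId) as $role) {
            if ($this->reaches($role, $itemName)) return true;
        }
        return false;
    }

    private function reaches($from, $target)
    {
        if ($from === $target) return true;
        if (!isset($this->children[$from])) return false;
        foreach ($this->children[$from] as $child) {
            if ($this->reaches($child, $target)) return true;
        }
        return false;
    }
}

// Constructed hierarchy: operations at the bottom, roles stacked above them.
$auth = new SimpleAuthManager(array('user'), array('guest'));
foreach (array('viewPost', 'createPost', 'deletePost', 'publishNews', 'manageSite',
               'guest', 'user', 'moderator', 'news poster', 'admin') as $item) {
    $auth->createItem($item);
}
$auth->addItemChild('guest', 'viewPost');
$auth->addItemChild('user', 'guest');          // a member can do everything a guest can
$auth->addItemChild('user', 'createPost');
$auth->addItemChild('moderator', 'user');
$auth->addItemChild('moderator', 'deletePost');
$auth->addItemChild('news poster', 'user');
$auth->addItemChild('news poster', 'publishNews');
$auth->addItemChild('admin', 'moderator');
$auth->addItemChild('admin', 'news poster');
$auth->addItemChild('admin', 'manageSite');

$auth->assign('user', 7);          // no-op: 'user' is a default role, nothing to store
$auth->assign('moderator', 42);    // only elevated users produce assignment rows
$auth->assign('news poster', 17);
$auth->assign('admin', 99);

foreach (array(array('createPost', 7), array('deletePost', 7), array('deletePost', 42),
               array('publishNews', 17), array('manageSite', 99),
               array('viewPost', null), array('createPost', null)) as $case) {
    list($op, $uid) = $case;
    printf("%-12s %-6s => %s\n", $op, $uid === null ? 'guest' : "user$uid",
           $auth->checkAccess($op, $uid) ? 'allow' : 'deny');
}
```

User 7 never appears in the assignment store yet passes createPost through the default 'user' role and fails deletePost; 42, 17 and 99 pass the operations their elevated role (or the roles it inherits) reaches; the anonymous visitor passes viewPost only. With a database-backed manager the assignment table therefore holds the handful of moderators, posters and admins and nothing for the thousands of ordinary members, which is exactly the situation the question was after.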