Authorization - sth more than Yii RBAC ?

windman · March 16, 2009, 9:01am

Hi,

I have to make an Authorization system basen on Yii.

I need groups:

one group 'gA' have access to 'News' and 'Users' modules, other one 'gB' only to 'News'. (sth like TASK?)
one group 'gA' can create news and delete them, other one 'gB' can only create. (sth like OPERATION?)

I need users:

one user 'uA' belongs to 'gA' group and can do what the 'gA' group can do, but I can say that user 'uA' can do sth more or less than 'gA' group.

For example:

Group 'B' has access to 'News' module.

Group 'B' can only create News.

User 'B1' belongs to 'B' group and can do what group 'B' - this User can not delete news.

User 'B2' balongs to 'B' group and can do what group 'B' and can delete news.

I thing it is sth more than Yii Role-Based Access Control, or maybe I am wrong?

Have You already made sth like this?

I have no idea how I should do this!

qiang · March 16, 2009, 11:12am

Yii RBAC is perfectly fit for this kind of work.

The group concept here is the role in RBAC terms. So you have 'gA' and 'gB' roles.

Access to 'News' can be treated as a task, which consists of reading news, creating news operations, etc.

You then assign roles to users.

windman · March 16, 2009, 11:43am

Quote

Yii RBAC is perfectly fit for this kind of work.

The group concept here is the role in RBAC terms. So you have 'gA' and 'gB' roles.

Access to 'News' can be treated as a task, which consists of reading news, creating news operations, etc.

You then assign roles to users.

That sounds nice, what about this part:

“User ‘B2’ balongs to ‘B’ group and can do what group ‘B’ and can delete news.”

User 'B2' can sth more than only that what group 'B' can.

pfth · March 16, 2009, 12:13pm

Quote

That sounds nice, what about this part:

"User 'B2' balongs to 'B' group and can do what group 'B' and can delete news."

User 'B2' can sth more than only that what group 'B' can.

Try something like this:

$auth=Yii::app()->authManager;





// create operations


$auth->createOperation('viewNews','view news');


$auth->createOperation('createNews','create news');


$auth->createOperation('deleteNews','delete news');





// create role B and assign operations


$role=$auth->createRole('B');


$role->addChild('viewNews');


$role->addChild('createNews');





// assign role B to users B1 and B2


$auth->assign('B','B1');


$auth->assign('B','B2');





// add additional operation to user B2


$auth->assign('deleteNews','B2');

For more information please take a look at chapter 7.2.4 of the YII Guide.

Greets

Thomas

megabr · April 5, 2009, 2:55pm

Quote

That sounds nice, what about this part:

"User 'B2' balongs to 'B' group and can do what group 'B' and can delete news."

User 'B2' can sth more than only that what group 'B' can.

Try something like this:

$auth=Yii::app()->authManager;





// create operations


$auth->createOperation('viewNews','view news');


$auth->createOperation('createNews','create news');


$auth->createOperation('deleteNews','delete news');





// create role B and assign operations


$role=$auth->createRole('B');


$role->addChild('viewNews');


$role->addChild('createNews');





// assign role B to users B1 and B2


$auth->assign('B','B1');


$auth->assign('B','B2');





// add additional operation to user B2


$auth->assign('deleteNews','B2');

For more information please take a look at chapter 7.2.4 of the YII Guide.

Greets

Thomas

in what file/modules/component/axtention?