I understand the problems (struggling with the same at the moment). I’m not yet sure how I’ll solve them, but one idea was:
In the module’s base-controller (derived from CController), check for a certain app param (maybe “baseAccessRules”), then merge the module specific access rules with those. If the param is not set, use a fallback - in general, I use
    class MyModBaseController extends CController {
        public function accessRules() {
            // Use the app-wide base rules if configured, otherwise fall back to deny-all.
            $appBaseRules = isset(Yii::app()->params['baseAccessRules']) ? Yii::app()->params['baseAccessRules'] : array(
                array( 'deny', 'users' => array('?') ), // guests
                array( 'deny' ),                        // everyone else
            );
            // Module-wide rules (none yet).
            $modBaseRules = array(
            );
            return array_merge( $appBaseRules, $modBaseRules );
        }
    }
This will redirect guests to the login form and will forbid access to already authenticated users. Every concrete controller of the module extends those rules with a whitelist:
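    class MyModModelController extends MyModBaseController {
        public function accessRules() {
            // Whitelist goes first: rules are evaluated in order and the first match wins.
            return array_merge(array(
                // 'roles' must be an array; a plain string never matches.
                array( 'allow', 'roles' => array('MyModModelManager') ),
            ), parent::accessRules());
        }
    }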
So now with this, the module makes no assumptions about classes that must be provided by the hosting application. The only assumption is an appParam. But this can be declared in config without changing the app’s actual code and even if it is not defined, the module will work with a reasonable fallback solution.
To modify this behavior, and to grant admins access to all actions, the app could define in its config:
    'params' => array(
        'baseAccessRules' => array(
            // 'roles' must be an array; a plain string never matches.
            array( 'allow', 'roles' => array('admin') ),
            array( 'deny', 'users' => array('?') ),
            array( 'deny' ),
        ),
    ),
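
The merge order used above, as an added example that is not part of the original post: a simplified stand-in for Yii 1.1's first-match rule evaluation (not Yii's own `CAccessControlFilter`), run over three merged rule sets. The helpers `ruleMatches()` and `decide()` and the sample users are hypothetical names constructed for this illustration.

```php
<?php
// Added example: simplified stand-in for Yii 1.1's first-match rule evaluation.
// Models only 'users' ('?' guest, '@' authenticated, '*' anyone) and 'roles'.
function ruleMatches(array $rule, $isGuest, array $userRoles)
{
    if (isset($rule['users'])) {
        $hit = false;
        foreach ($rule['users'] as $u) {
            $hit = $hit || $u === '*' || ($u === '?' && $isGuest) || ($u === '@' && !$isGuest);
        }
        if (!$hit) {
            return false;
        }
    }
    // A rule without 'roles' applies to everyone who passed the 'users' test.
    return !isset($rule['roles']) || (bool) array_intersect($rule['roles'], $userRoles);
}

// The first matching rule decides; if nothing matches, Yii allows the request.
function decide(array $rules, $isGuest, array $userRoles)
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $isGuest, $userRoles)) {
            return $rule[0];
        }
    }
    return 'allow';
}

$fallback = array(array('deny', 'users' => array('?')), array('deny'));
$whitelist = array(array('allow', 'roles' => array('MyModModelManager')));
$rulesets = array(
    'whitelist before base rules (as in the post)' => array_merge($whitelist, $fallback),
    'base rules before whitelist'                  => array_merge($fallback, $whitelist),
    // Constructed app override that forgets the trailing deny-all.
    'base rules without final deny'                => array_merge($whitelist, array(array('deny', 'users' => array('?')))),
);
// Constructed sample users: array(isGuest, roles).
$users = array(
    'guest'   => array(true, array()),
    'member'  => array(false, array()),
    'manager' => array(false, array('MyModModelManager')),
);
foreach ($rulesets as $label => $rules) {
    foreach ($users as $name => $u) {
        printf("%-45s %-8s %s\n", $label, $name, decide($rules, $u[0], $u[1]));
    }
}
```

Putting the base rules first shadows the module's whitelist, and a `baseAccessRules` value that lacks a final `array('deny')` lets any authenticated user through, so an app-supplied override should always end with the catch-all deny.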