Best practice for simple use of roles in user management

Hi,

I am using an external user management system for my application.

It already features a user_tbl, a group_tbl and a user_group_tbl for managing MANY:MANY relations.

My question:

Is there a simple way of just assigning the groups as roles to a UserIdentity upon login, best without using the CAuthManager component?

It seems to be so much overload.

I have seen many RBAC tutorials here, but I simply do not need most of the stuff that is used in this paradigm, so I would best avoid it.

What I want to do:

Assign multiple groups as roles to a user.

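Use the "AccessRules" in Controllers to restrict access, with e.g.

    public function accessRules()
    {
        return array(
            array('allow',
                'actions'=>array('view'),
                'roles'=>array('admin','usermanager'),
            ),
            // Yii allows a request that matches no rule, so end with an
            // explicit deny or the rule above restricts nothing.
            array('deny',
                'users'=>array('*'),
            ),
        );
    }

Thanks for your help!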

Simon

If your groups are already assigned to users in your external tables, then you only need to check group access in the controllers (unless your login determines what site the person is redirected to).

You don’t need a lot of overhead… just a quick access check in the controller. You could maybe override accessRules() (I’ve never looked at doing it that way but might be an option)… or you can just check in the controller’s beforeAction($action), just add it to your controller and cut out all the accessRules part, you can do the same thing like so:


    protected function beforeAction($action)
    {
        // Check your custom role database (user_group_table).. best if in a custom model or component
        // Yii::app()->customRbacComponent->isInRoles(...)
        if($action->id === "view" && myCustomRbac::isInRoles(array("admin", "usermanager")))
            return parent::beforeAction($action); // keep the parent hook in the chain
        else
            return false; // the action is not run (any other action id also ends up here)
    }

You could still do something similar to accessRules if you wanted, then just loop through the arrays and do the same calls.

Thanks a lot for the input.

I have now found it easier to just do the following in the UserIdentity class:

    public function authenticate()
    {
        $record=UserMember::model()->findByAttributes(array('members_username'=>$this->username));
        if($record===null)
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        // Compares the submitted password with the stored value as-is (no hashing on this path)
        else if($record->members_password!==$this->password)
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        else
        {
            $this->_id=$record->members_username;

            /* New stuff starting here: */
            $auth=Yii::app()->authManager; // Initialize Auth Manager

            // Clear all previously set roles (from previous logins w/o logout)
            // CAuthItem::TYPE_ROLE is the constant for the literal 2 used originally
            foreach ($auth->getAuthItems(CAuthItem::TYPE_ROLE,$this->_id) as $authItem) {
                $auth->revoke($authItem->name, $this->_id);
            }

            // Now set new roles (loaded from database via user model)
            foreach ($record->Groups as $role) {
                $auth->assign($role->groups_groupname,$this->_id);
            }

            // Save new roles to auth manager
            $auth->save();

            $this->errorCode=self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

I initialized the auth manager in main.php:

    'components'=>array(
        'user'=>array(
            // enable cookie-based authentication
            'allowAutoLogin'=>true,
        ),
        'authManager'=>array(
            'class'=>'CPhpAuthManager',
        ),
    ...



This now writes the roles of each logged in user to the data/auth.php file.

The downside is that I have to replicate each role from the User DB to the Auth-file, but as they are static and won't change, it does not matter.
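
An added example, not code from anyone in this thread: Yii 1.1 resolves each 'roles' entry in accessRules() by calling Yii::app()->user->checkAccess(), so a CWebUser subclass can answer straight from the existing group tables with no authManager and no auth.php writes at login. The class name WebUser and its file path are hypothetical; UserMember, the Groups relation and groups_groupname are taken from the post above, and getId() is assumed to return members_username as set in authenticate().

```php
<?php
// protected/components/WebUser.php (hypothetical name and location)
//
// Enable it in main.php by pointing the 'user' component at this class:
//     'user'=>array('class'=>'WebUser', 'allowAutoLogin'=>true),
// The 'authManager' component can then be removed.
class WebUser extends CWebUser
{
    // Group names for the current user, cached for the duration of one request
    private $_roles;

    // Called by the access control filter once for every name listed under
    // 'roles' in accessRules(); $operation is that role name.
    public function checkAccess($operation, $params = array(), $allowCaching = true)
    {
        if ($this->getIsGuest())
            return false; // guests never hold a group
        return in_array($operation, $this->loadRoles(), true);
    }

    // Groups are read from the user tables on each request instead of being
    // copied into session or cookie state at login, so removing a user from a
    // group takes effect on the next request, including auto-login sessions.
    protected function loadRoles()
    {
        if ($this->_roles === null) {
            $this->_roles = array();
            // Assumption: getId() returns members_username
            $record = UserMember::model()->with('Groups')->findByAttributes(
                array('members_username' => $this->getId())
            );
            if ($record !== null) {
                foreach ($record->Groups as $group)
                    $this->_roles[] = $group->groups_groupname;
            }
        }
        return $this->_roles;
    }
}
```

Controllers still need 'accessControl' in filters() and a final deny rule in accessRules(), since a request that matches no rule is allowed.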