best rbac

i’m new to yii, and i’m about to start my first project .I started digging the RBAC and user auth trench .and found lots of solutions.

One of the usergroups on your forum pages were folowing link:

But its history was related to the past. To you now is the best rbac ext for a medium project ? Sorry about my bad English

Best one is the one in Yii core. It’s not as easy to master but it’s reliable and it can handle everything any other variant can.

Thanks for your answer. I’m very confused and I had a few basic questions.

  1. It is essential for to use an extension?

summary of my project:

I have five user level as follows:






There are about 14 models in the project.

3 the following operations for each model:




So there are 42 athitem’ operations.

(Most users have little interaction.)

(Most changes are done by the administrator.)

(Other users, each only a small area of project management are responsible for)

2.With regard to the above description I can manage without the use of extension users. And such books Agile Web Application Development with Yii1.1 and PHP5 . First, the command to create a hierarchy between the athitem.(rbac in yiic shell) then used to manage the users by class authManager.

3.I’ve search the internet in some cases, the controller was used to initialize the following tables. If this solution is better than using yiic shell (rbac command). The controller must be placed in each project area?

Please help me if there is a good source because it was very confusing. :-[ :blink: :blink: :blink:

  1. Can be handled w/o any extensions by core RBAC.

  2. Yes, first create hierarchy then use it in your code.

  3. Not sure what this one is about.

tanks for your answer.

Finally I tried using the following Yii Core:

1-modify athentication function in userIdentify class(protected/componnent/UserIdentity.php)

 public function authenticate()


      $user = User::model()->findByAttributes(array('username'=>$this->username));

      if($user === null)


         $this->errorCode = self::ERROR_USERNAME_INVALID;




          //I use salt for dont store plain text password in db

         if($user->password !== $user->encryptPassword($this->password, $user->salt))


            $this->errorCode = self::ERROR_PASSWORD_INVALID;





           The following initialization code :

           $this->_id = $user->id;

           by this code can get userId anywhere on the project:


           and can check access of user by following code:




            $this->_id = $user->id;

            $user->saveAttributes(array('last_login_time'=>date('Y-m-d H:i:s')));

            $this->setState('lastLoginTime', $lastLogin);$this->errorCode = self::ERROR_NONE;



      return  ! $this->errorCode;



2-Before we can establish an authorization hierarchy, assign users to roles, and perform access permission checking, we need to configure the authorization manager application component, authManager. This component is responsible for storing the permission data and managing the relationships between permissions as well as providing the methods to check whether or not a user does have access to perform a particular operation.






Now we can access this anywhere in

our application using Yii::app()->authManager

3-As mentioned, the CDbAuthManager class uses database tables to store the permission data. It expects a specific schema. That schema is identified in the framework file

YiiRoot/framework/web/auth/schema.sql.import this file on your db.

4-create hierarchy in yiic shell such books Agile Web Application Development with Yii1.1 and PHP5 (chapter 8 )

use following code in (protected/command/shell/RbacCommand.php)


class RbacCommand extends CConsoleCommand


private $_authManager;

public function getHelp()


return <<<EOD




This command generates an initial RBAC authorization hierarchy.




* Execute the action.

* @param array command line parameters specific for this command


public function run($args)


//ensure that an authManager is defined as this is mandatory

for creating an auth heirarchy



Iteration 5: User Access Control

[ 184 ]

echo "Error: an authorization manager, named 'authManager'

must be configured to use this command.\n";

echo "If you already added 'authManager' component in

application configuration,\n";

echo "please quit and re-enter the yiic shell.\n";



//provide the oportunity for the use to abort the request

echo "This command will create three roles: Owner, Member, and

Reader and the following premissions:\n";

echo "create, read, update and delete user\n";

echo "create, read, update and delete project\n";

echo "create, read, update and delete issue\n";

echo "Would you like to continue? [Yes|No] ";

//check the input from the user and continue if they indicated yes to

the above question



//first we need to remove all operations, roles, child relationship

and assignments


//create the lowest level operations for users


a new user");


user profile information");


a users information");


a user from a project");

//create the lowest level operations for projects


ate a new project");


project information");


date project information");


ete a project");

//create the lowest level operations for issues

Chapter 8

[ 185 ]


te a new issue");


issue information");


te issue information");


te an issue from a project");

//create the reader role and add the appropriate permissions as

children to this role





//create the member role, and add the appropriate permissions, as well

as the reader role itself, as children






//create the owner role, and add the appropriate permissions, as well

as both the reader and member roles as children










//provide a message indicating success

echo "Authorization hierarchy successfully generated.";




4-Let’s try out this new command. Navigate to the root of your application and execute

the shell command:

1.Navigate to the root of your application(for example):

--cd c:\xamp\YiiRoot

2.execute the shell command:

--YiiRoot/framework/yiic shell yii shell command inviroment type help for get list of comands


4. you can see commands .Rbac is one of the following commands. That the command is created in the previous step:


by execute Rbac command create RBAC authorization hierarchy in following tables that created in step 2.

5-We can now control access for the user to use the following code:





6-Now we can control user access to controller actions to create changes in the accessRules function:

accessRules in testController

class testController extends Controller



 public function accessRules()


      return array(

                   array('allow', // allow all users to perform 'index','download' and 'view' actions

                         'actions'=>array('index', 'view', 'download'),



                         array('allow', // allow authenticated user to perform 'index', 'view', 'download' actions

                               'actions'=>array('index', 'view', 'download'),




			array('allow', // allow testusername user to perform 'admin' and 'delete' actions




	               array('allow', // allow owner role to perform 'admin' and 'delete' actions


				'role'=>array('owner '),


                                     array('deny', // deny all users







As we saw manage Rbac one operation to give access to the owner role in accessRules function :

array('allow', // allow owner role to perform 'admin' and 'delete' actions


				'role'=>array('owner '),


It was a summary of Chapter 8 Book (Agile Web Application Development with Yii1.1 and PHP5) .I hope this is useful.