best way to implement access level

Hi there,

I have a 3-layer access level like this:

admins

sellers

customers

Each of them can have a different type of access, like customers who are logged in or who are guests, etc.

What is the best way to implement this authentication manager?

Thanks

Hi

A. All my tables have a column called security_level.

This column can have a value of 1, 2 or 3.

1 = Records created by the user.

2 = System records that the user may read, but not write.

3 = System records that the user may not CRUD at all.

B. Then I create roles with permissions:

Admins may:

  • read records with security_level >= 1 and <= 3

etc.

Sellers may:

  • read records with security_level >= 1 and <= 2

  • create records with security_level = 1

etc.

Customers may:

  • read records with security_level = 1

etc.

C. Users are placed in groups that are linked to certain roles. So a user may have many roles.

D. My controller action sets a flag to state what CRUD action should be performed on the record.

E. Then I use default scope, beforeValidate()/beforeSave() and beforeDelete() to check if the user has any role that gives him permission to perform the requested CRUD action on that record.

It works great, because the default scope also checks records read via a relational query.

Here is a link to a default scope example.

Hope this helps.
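The scheme in the answer above (security_level column, roles built from level ranges, users in groups, a read filter that every query gets, and a write check before save/delete), worked through as a framework-independent model. This is an added example and is not the poster's code or anything from Yii; the names Permission, User, Record, grants(), can(), check_save(), read_filter() and the `records` table are assumptions made for illustration, as is the `own_only` flag that models "level 1 = records created by the user" and the exact write permissions of sellers and customers (the post only says "etc."). The sample rows are constructed. SQLite stands in for the real database so the read filter runs as real SQL, the way a default scope would.

```python
"""Model of a three-level, role-based row filter (added example, not from the post)."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LEVELS = (1, 2, 3)   # 1 = user's own records, 2 = system read-only, 3 = system, no CRUD
ACTIONS = ("read", "create", "update", "delete")


@dataclass(frozen=True)
class Permission:
    action: str
    min_level: int          # inclusive range of security_level this permission covers
    max_level: int
    own_only: bool = False  # at level 1, only rows the user created (system rows have no owner)


# Roles as in the answer; write permissions for sellers/customers are an assumption.
ROLES: Dict[str, Set[Permission]] = {
    "admin":    {Permission(a, 1, 3) for a in ACTIONS},
    "seller":   {Permission("read", 1, 2, own_only=True)}
                | {Permission(a, 1, 1, own_only=True) for a in ACTIONS[1:]},
    "customer": {Permission(a, 1, 1, own_only=True) for a in ACTIONS},
}
# Users are placed in groups, groups are linked to roles (step C of the answer).
GROUPS: Dict[str, Tuple[str, ...]] = {
    "staff": ("admin",), "merchants": ("seller",), "shoppers": ("customer",)}


@dataclass(frozen=True)
class User:
    id: Optional[int]           # None = guest, not logged in; guests belong to no group
    groups: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Record:
    id: int
    security_level: int
    created_by: Optional[int]


def grants(user: User, action: str, level: int) -> List[Permission]:
    """Permissions from any of the user's roles that cover `action` at `level`."""
    roles = {r for g in user.groups for r in GROUPS.get(g, ())}
    return [p for r in roles for p in ROLES.get(r, ())
            if p.action == action and p.min_level <= level <= p.max_level]


def allowed(user: User, action: str, level: int, owner: Optional[int] = None) -> bool:
    """Default deny. An own_only permission counts at level 1 only if the row is the user's."""
    for p in grants(user, action, level):
        if level == 1 and p.own_only:
            if user.id is not None and owner == user.id:
                return True
        else:
            return True
    return False


def can(user: User, action: str, record: Record) -> bool:
    """Row-level decision on a record as stored (the beforeDelete / update check)."""
    return allowed(user, action, record.security_level, record.created_by)


def check_save(user: User, incoming: Record, stored: Optional[Record] = None) -> bool:
    """beforeSave equivalent. On update, decide with the row as stored in the database,
    never with the level/owner the request claims, then check the requested new values too."""
    if stored is None:
        return allowed(user, "create", incoming.security_level, incoming.created_by)
    return (can(user, "update", stored)
            and allowed(user, "update", incoming.security_level, incoming.created_by))


def read_filter(user: User, alias: str = "t") -> Tuple[str, dict]:
    """Default-scope equivalent: a SQL condition to append to every SELECT on the table,
    so rows reached through relations are filtered as well. Returns (condition, params)."""
    conds, params = [], {}
    for lvl in LEVELS:
        perms = grants(user, "read", lvl)
        if not perms:
            continue
        if lvl == 1 and all(p.own_only for p in perms):
            if user.id is None:
                continue                                  # a guest owns nothing
            conds.append(f"({alias}.security_level = 1 AND {alias}.created_by = :uid)")
            params["uid"] = user.id
        else:
            conds.append(f"{alias}.security_level = {lvl}")
    return (" OR ".join(conds) or "0 = 1", params)       # no permission: empty result


def visible_ids(conn: sqlite3.Connection, user: User) -> List[int]:
    cond, params = read_filter(user)
    rows = conn.execute(f"SELECT t.id FROM records t WHERE {cond} ORDER BY t.id", params)
    return [r[0] for r in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: two users' own records plus two system records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, "
                 "security_level INTEGER NOT NULL, created_by INTEGER)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)",
                     [(1, 1, 10), (2, 1, 11), (3, 2, None), (4, 3, None)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for name, u in {"guest": User(None), "customer 10": User(10, ("shoppers",)),
                    "seller 11": User(11, ("merchants",)), "admin": User(1, ("staff",))}.items():
        print(f"{name:12} sees records {visible_ids(db, u)}")
```

Two points the model makes explicit: the read restriction is a SQL condition, so it also applies when a record is loaded through a relation rather than directly; and check_save() decides an update on the row as stored, so a request that rewrites security_level or created_by to claim a record it does not own is refused, as is a seller trying to raise one of their own level-1 rows to level 2.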

This should guide you and help:

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control