Hi everyone,
I am developing an event application. So people can add, update, list and delete events. Basically it's just CRUD. However, I'm using Rights (/RBAC) for controlling who has access to which features. Until now access looks like this (this is the same structure as the one created by Gii):
Admin
- Add Event (actionCreate)
- Delete Event (actionDelete)
- Update Event (actionUpdate)
- List Event (actionIndex)
- Admin Event (actionAdmin)
User
- List Event (actionIndex)
But now I want an additional role "organizer" which should also be able to do these things:
- Add Event (actionCreate)
- Delete own Event
- Update own Event
- Admin own events
While deleteOwn and updateOwn are covered in nearly every guide to RBAC, I'm still struggling with the last one. So basically I have 2 problems:
- I want organizers to be able to access actionAdmin, but they should only see their own events.
- Admins should be able to modify all the event info, organizers only some. How should I do this? Use checkAccess() for every field in my update view? And if so, what should I check? Because just distinguishing between admins and organizers might not be sufficient in the future, but making an Operation/Task for every little piece of info also seems like a lot of work.
Thank you for any help.
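An added worked example, not the poster's code and not Yii's or Rights' own, showing one way to cover both problems in Yii 1.x: "own event" tasks whose bizRule inspects the event passed to checkAccess(), a server-side owner filter in actionAdmin, and per-role field restrictions enforced through model scenarios rather than through what the view renders. Everything here is an assumption made for illustration: the Event model and its columns (organizer_id, title, description, starts_at, location, featured), the item names (Event.Update, Event.UpdateOwn, Event.AdminAll, Event.UpdateAllFields, ...), and that the actions call checkAccess() themselves instead of relying on a controller filter.

```php
<?php
// Added example (hypothetical names, not from the original post). Assumes Yii 1.x,
// an `event` table with an organizer_id column, and a logged-in user id in
// Yii::app()->user->id. Rights stores its items via CDbAuthManager, so the
// IAuthManager calls below are expected to work with it as well (assumption).

// 1. One-time auth item setup (console command, install script, or Rights UI).
function setupEventAuthItems()
{
    $auth = Yii::app()->authManager;

    // One operation per controller action, as Gii/Rights generates them, plus
    // two extra operations that only admins get (see the controller below).
    foreach (array('Create', 'Update', 'Delete', 'Admin', 'Index', 'AdminAll', 'UpdateAllFields') as $op) {
        $auth->createOperation('Event.' . $op, 'Event: ' . $op);
    }

    // Business rule. CAuthManager eval()s this PHP string with $params in scope,
    // so it must only ever come from trusted setup code, never from user input.
    // It is true only when an event was passed in and the current user owns it.
    $ownsEvent = 'return !Yii::app()->user->isGuest && isset($params["event"])'
               . ' && (int)$params["event"]->organizer_id === (int)Yii::app()->user->id;';

    // Tasks wrap the plain operations: organizer -> Event.UpdateOwn -> Event.Update.
    $updateOwn = $auth->createTask('Event.UpdateOwn', 'Update own event', $ownsEvent);
    $updateOwn->addChild('Event.Update');
    $deleteOwn = $auth->createTask('Event.DeleteOwn', 'Delete own event', $ownsEvent);
    $deleteOwn->addChild('Event.Delete');

    $organizer = $auth->createRole('organizer');
    foreach (array('Event.Create', 'Event.Index', 'Event.Admin', 'Event.UpdateOwn', 'Event.DeleteOwn') as $item) {
        $organizer->addChild($item);
    }

    $admin = $auth->createRole('admin');
    foreach (array('Event.Create', 'Event.Update', 'Event.Delete', 'Event.Admin', 'Event.Index',
                   'Event.AdminAll', 'Event.UpdateAllFields') as $item) {
        $admin->addChild($item);
    }
}

// 2. Model: which attributes may be mass-assigned depends on the scenario.
class Event extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'event'; }

    public function rules()
    {
        return array(
            // Safe in every scenario (organizers may edit these).
            array('title, description, starts_at', 'required'),
            // Only mass-assignable when the admin scenario is active.
            array('location, featured', 'safe', 'on' => 'adminUpdate'),
        );
    }
}

// 3. Controller: every action checks access itself.
class EventController extends CController
{
    public function actionAdmin()
    {
        if (!Yii::app()->user->checkAccess('Event.Admin')) {
            throw new CHttpException(403, 'You are not allowed to perform this action.');
        }

        $criteria = new CDbCriteria;
        // Restrict the grid in the query, not in the view: hiding rows client
        // side would not stop a crafted request from listing other events.
        if (!Yii::app()->user->checkAccess('Event.AdminAll')) {
            $criteria->compare('organizer_id', (int)Yii::app()->user->id);
        }
        $dataProvider = new CActiveDataProvider('Event', array('criteria' => $criteria));
        $this->render('admin', array('dataProvider' => $dataProvider));
    }

    public function actionUpdate($id)
    {
        $model = Event::model()->findByPk((int)$id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested event does not exist.');
        }

        // One check serves both roles: admin holds Event.Update directly, the
        // organizer reaches it through Event.UpdateOwn, whose bizRule sees $model.
        if (!Yii::app()->user->checkAccess('Event.Update', array('event' => $model))) {
            throw new CHttpException(403, 'You are not allowed to perform this action.');
        }

        // Field-level restriction: the scenario's safe attribute list is what is
        // enforced; a checkAccess() in the view only decides what gets rendered.
        $model->scenario = Yii::app()->user->checkAccess('Event.UpdateAllFields')
            ? 'adminUpdate' : 'organizerUpdate';

        if (isset($_POST['Event'])) {
            $model->attributes = $_POST['Event']; // assigns safe attributes only
            if ($model->save()) {
                $this->redirect(array('admin'));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

Two points worth keeping in mind with this layout. The bizRule is eval()'d PHP, so treat the auth item table as code, not data. And because the ownership rule needs the event object, a controller filter that calls checkAccess('Event.Update') without parameters cannot grant it; the owner check has to happen inside the action, as above, and per-field checkAccess() calls in the view stay purely cosmetic unless the model's safe attributes match them. Adding a new editable field for admins then means one more attribute in the adminUpdate rule, not one more auth item.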