The task adminNews allows the following operations: createNews, deleteNews and updateNews.
In NewsController I'm able to say in accessRules that a redactor can use create:
public function accessRules()
{
    return array(
        array('allow', // allow the 'create' action to users who hold the 'redactor' role
            'actions'=>array('create'),
            'roles'=>array('redactor'),
            'users'=>array('*'),
        ),
    );
}
This seems to be redundant to me.
I was imagining that if I define operations, those operations would be equal to actions. Do I need to create those access rules, or may I somehow use the operations that are already defined?
Operation and action are two different concepts. The former is used by RBAC, while the latter is used by the controller. You can, however, declare an operation for every controller action.
So if you create an operation called updatePost, add it to a role using RBAC, and after that assign the editor role to the user editorA, like this:
$auth=Yii::app()->authManager;                        // the configured auth manager (CDbAuthManager or CPhpAuthManager)
$auth->createOperation('updatePost','update a post'); // operation: the leaf item that an action is checked against
$role=$auth->createRole('editor');                    // role: a named bundle of tasks/operations
$role->addChild('updatePost');                        // editors may perform updatePost
$auth->assign('editor','editorA');                    // give the user editorA the editor role
Is the only way to check whether the logged-in user with the editor role can access the update function to put the following code in the update post method?
if(Yii::app()->user->checkAccess('updatePost')) // true if an item assigned to the current user leads to updatePost
{
    // update post
}
Or can I use the role in the access rules in any other way?
As you said, there is no automatic way for the operations added using RBAC to map to the action methods of the controller?
Does this mean that the operations created with RBAC will probably only ever be used by calling the checkAccess method, something like Yii::app()->user->checkAccess('updatePost'), or am I missing something here?
Like in the example taken from the documentation:
$auth=Yii::app()->authManager;
$task=$auth->createTask('updateOwnPost','update a post by author himself',
    'return $params["authorID"]==$params["userID"];'); // bizRule: PHP code evaluated at checkAccess() time with $params bound
$task->addChild('updatePost');                         // the task grants updatePost only while the bizRule returns true
I guess that in order to use this task you will need to use the checkAccess method inside the updatePost action method in the post controller, right?
accessRules() is a simplified way of using RBAC. It was originally designed to be used for access control without RBAC. In its 'roles' option you can in fact put roles, tasks and operations. And yes, you may also call checkAccess() inside actions to do finer-grained access control.
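The wiring the answers above describe, as an added example rather than code from the original thread: the RBAC tree (two operations, a task with a business rule, two roles) and a PostController whose accessRules() lists an operation and a role side by side in 'roles', with the ownership decision made inside the action via checkAccess() and params. It targets the Yii 1.1 API (Yii::app()->authManager, CAccessControlFilter, CWebUser::checkAccess()); the Post model, its authorID attribute and the user names authorA and editorA are assumptions. One caveat worth knowing: a business rule like the documentation's return $params["authorID"]==$params["userID"]; compares null to null, and so returns true, when checkAccess() is called without params, which is what a plain 'roles' entry in accessRules() does; the rule below therefore guards with isset() and fails closed.

```php
<?php
// Added example (not from the original thread). Assumes Yii 1.1 with an
// authManager component configured and a Post model with an 'authorID'
// attribute; user names 'authorA'/'editorA' are placeholders.

// One-time RBAC setup, e.g. from a console command or a migration.
function setupAuthItems()
{
    $auth = Yii::app()->authManager;

    // Operations: the leaf items, one per protected controller action.
    $auth->createOperation('updatePost', 'update any post');
    $auth->createOperation('deletePost', 'delete any post');

    // Task with a business rule. The rule is PHP source that the auth manager
    // eval()s at check time with $params bound, so keep it a fixed string in
    // code, never built from request data. The isset() guard makes it fail
    // closed when checkAccess() is called without params (as accessRules() does).
    $bizRule = 'return isset($params["authorID"], $params["userID"])'
             . ' && $params["authorID"] == $params["userID"];';
    $task = $auth->createTask('updateOwnPost', 'update a post by its author', $bizRule);
    $task->addChild('updatePost');

    // Roles: authors may update only their own posts, editors may update any post.
    $author = $auth->createRole('author');
    $author->addChild('updateOwnPost');
    $editor = $auth->createRole('editor');
    $editor->addChild('updatePost');
    $editor->addChild('deletePost');

    $auth->assign('author', 'authorA');
    $auth->assign('editor', 'editorA');
    $auth->save(); // persists for CPhpAuthManager; a no-op for CDbAuthManager
}

class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Every entry in 'roles' is resolved through Yii::app()->user->checkAccess(),
    // so an operation name and a role name can sit side by side. The filter only
    // knows the action name, not which post is being edited, so it can answer
    // "may this user reach the update action at all", not "may they edit post 42".
    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('update'),
                'roles'   => array('updatePost', 'author'),
            ),
            array('allow',
                'actions' => array('delete'),
                'roles'   => array('deletePost'),
            ),
            array('deny',
                'users' => array('*'),
            ),
        );
    }

    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk((int) $id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');

        // Fine-grained check with real data. Both params come from the server
        // side (the DB row and the session), never from the request; a client-
        // supplied authorID would let anyone satisfy the business rule.
        $params = array(
            'authorID' => $post->authorID,
            'userID'   => Yii::app()->user->id,
        );
        $user = Yii::app()->user;
        if (!$user->checkAccess('updatePost') && !$user->checkAccess('updateOwnPost', $params))
            throw new CHttpException(403, 'You are not allowed to update this post.');

        // ... apply the update to $post here
    }
}
```

With this tree, an author calling checkAccess('updatePost') without params gets false (the only path to updatePost runs through the guarded task), while checkAccess('updateOwnPost', $params) returns true only for that author's own posts; an editor passes the first check for any post.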