CDbAuthManager and actions, how to make them work together?

Hi,

I've configured AuthManager:

    'authManager'=>array(
        'class'=>'CDbAuthManager',
        'connectionID'=>'db',
    ),


and the following data is stored in the DB:

  • role: redactor, assigned the adminNews task

  • task adminNews allows the following operations: createNews, deleteNews, updateNews.

In NewsController I'm able to say in accessRules that redactor can use create:

    array('allow', // allow access to admin operation for admin user
        'actions'=>array('create'),
        'roles'=>array('redactor'),
        'users'=>array('*'),
    ),


This seems to be redundant to me.

I was imagining that if I define operations, those operations would be equal to actions. Do I need to create those access rules, or may I use the already defined operations somehow?

Any ideas?

Operation and action are two different concepts. The former is used by RBAC while the latter by controller. You can, however, declare an operation for every controller action.

How can I do this? Could you give me an example?

Does anyone know how to declare an operation for an action?

An operation is nothing special. It's just a name in the RBAC hierarchy.

If you have an update action in PostController, you may declare an updatePost operation in RBAC. There's no automatic mapping here.

So if you create an operation called updatePost, assign it to a role using RBAC, and after that assign the editor role to user editorA like this:

    $auth->createOperation('updatePost','update a post');
    $role=$auth->createRole('editor');
    $role->addChild('updatePost');
    $auth->assign('editor','editorA');


Is the only way to check if the logged-in user with the role editor can access the update function to put the following code in the update post method?

    if(Yii::app()->user->checkAccess('updatePost'))
    {
        // update post
    }


Or can I use the role in the access rules in any other way?

/John

Yes, you can use it in access rules. Check the 'roles' option.

But you still need to specify the different action methods the role has access to, right? Like this:

    array('allow',
        'actions'=>array('update'),
        'roles'=>array('editor'),
    ),

As you said, there is no automatic way for the operations added using RBAC to map to the action methods of the controller?

Does this mean that the operations created with RBAC will probably only ever be used by calling the checkAccess method, something like this: Yii::app()->user->checkAccess('updatePost'), or am I missing something here?

Like in the example taken from the documentation:



    $task=$this->auth->createTask('updateOwnPost','update a post by author himself','return $params["authorID"]==$params["userID"];');
    $task->addChild('updatePost');


I guess in order to use this task you will need to use the checkAccess method inside of the updatePost action method in the post controller, right?

/John

accessRules() is a simplified way of using RBAC. It was originally designed to be used with access control without RBAC. In its 'roles' option, you can put in roles, tasks and operations, in fact. And yes, you may also call checkAccess() inside actions to do finer access control.
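The two layers described in the reply above, as an added Yii 1.1 example that is not part of the original thread: accessRules() acts as the coarse gate (with an operation name in 'roles'), and checkAccess() with parameters inside the action evaluates the updateOwnPost bizrule. The Post model, its authorID attribute and the deletePost operation are assumptions.

```php
<?php
// Added example for Yii 1.1; not code from the thread.
// Assumptions: a Post ActiveRecord model with an authorID attribute, and a
// hypothetical deletePost operation next to the thread's updatePost.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl'); // without this, accessRules() is ignored
    }

    public function accessRules()
    {
        return array(
            // An operation name works in 'roles' exactly like a role name
            // (actionDelete itself is omitted here).
            array('allow', 'actions'=>array('delete'), 'roles'=>array('deletePost')),
            // Ownership needs the record, so update only requires a login
            // here ('@') and the real decision is made inside the action.
            array('allow', 'actions'=>array('update'), 'users'=>array('@')),
            // Requests matching no rule are allowed, so end with deny-all.
            array('deny', 'users'=>array('*')),
        );
    }

    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'The requested post does not exist.');

        // Parameters read by the updateOwnPost bizrule quoted in the thread.
        $params = array(
            'authorID' => $post->authorID,
            'userID'   => Yii::app()->user->id,
        );
        // Passes for an editor (updatePost via the role) and for a user
        // holding updateOwnPost only when the bizrule returns true.
        if (!Yii::app()->user->checkAccess('updatePost', $params))
            throw new CHttpException(403, 'You are not allowed to update this post.');

        if (isset($_POST['Post'])) {
            $post->attributes = $_POST['Post'];
            if ($post->save())
                $this->refresh(); // reload the page after a successful save
        }
        $this->render('update', array('model' => $post));
    }
}
```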

Brilliant, thanks for the clarification.

/John