Chapter 8 confusion

Hi all. I have finished chapter 8 but I expected that at the end of the process, that I would be able to add and delete projects at will. This wasn’t the case (not a criticism of the book, can’t cover absolutely everything).

I found I could create projects but that they had no owner, so couldn’t be deleted by anyone using the app. I have gotten this to work now by adding code similar to that found in the verification function of the ProjectUserForm class to the actionCreate action of the ProjectController.

Here’s my new actionCreate() method:

public function actionCreate()


		$model=new Project;

		// Uncomment the following line if AJAX validation is needed

		// $this->performAjaxValidation($model);






				//automatically assign the current user as the owner of newly created projects...

				$user = Yii::app()->user;


				$model->associateUserToRole('owner', $user->id);

				$auth = Yii::app()->authManager;

				//check if this user is already in the auth hierarchy in this role, if so, we don't need to add them again as the bizrule will take care of validating the access within the project context

				if(!$auth->isAssigned('owner', $user->id))


					$bizRule='return isset($params["project"]) && $params["project"]->isUserInRole("owner");';  

				    $auth->assign('owner', $user->id, $bizRule);









It works, but is it the “right” (MVC) way to do it? Is there a more elegant solution that I’m missing?

Also: I want to be able to restrict deletions to authenticated users with a role of "owner" (for the current project). I see I can add a roles rule to the accessRules() method, but I am not sure how to ensure the proper project context here (ie, that the user is actually owner of THIS project). Has anyone got any ideas on this?

If I were you I would not misuse the RBAC to implement a owner relation between a user and an object.

I would add a biz rule to "deleteProject" checking if the current user is the owner.

Then when you create a project you assign the owner_id as a property of the project. This way you can be sure that there is an owner assigned and when you run "deleteProject" the bizRule will check if owner_id is identical to Yii::app()->user->id.

This is how I would do it.

Thanks for your thoughts Ben.

I shall give your way a try when I have a little time.