Chapter 8: RBAC implementation


I’m new to Yii, so I’m reading this great book. I have a question though.

Currently I’m finishing the 8th chapter (RBAC) and in the end of the chapter, the author shows how to make use of the RBAC in the adduser action, which is this:

$project = $this->loadModel();

if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))


	throw new CHttpException(403,'You are not authorized to per-form this action.');


Then the author says that the similar checks should be done before every action. Is this really the best way to implement the access filter? Shouldn’t we combine this with the accessRules() method? I have written the following accessRule:


	'actions' => array('admin', 'delete', 'adduser'),

	'expression' => array($this, 'isOwner'),


and it’s expression:

public function isOwner($user, $rule) {

	$project = $this->loadModel(isset($_GET['id']) ? $_GET['id'] : null);

	return $project->isUserInRole('owner');


which I think is more efficient than writing the same IFs in 3 different methods (actionAdmin, actionDelete and actionAdduser). Also, in the author’s approach, we are having two separate access filters and only the second is actually doing the actual work.

Please share your thoughts with me.

Kind regards,


Darwell, in my humble opinion, it is way better to create your baseController class and implement the security check in the beforeAction method, thus, all your controllers which extend from baseController will inherit the permission checking and you won’t have to write lots of “ifs”

hope this be usefull


I think you have to be a little careful here, because the access check you are proposing is making an implicit assumption about the mapping of authorization permissions to specific roles, and this is really the responsibility of the RBAC hierarchy definitions themselves.

So, for example, your code is basically defining that a user in the role of "owner" has permission to perform the operation "createUser" (assuming that the actionAddUser is the same as what we mean by the operation "createUser"). Although you are using the RBAC structure when calling


[font="Arial"]this is only to see if a user is assigned to the role owner (for this project), it does not take into account tasks, operations

or other roles that may also be authorized to perform the operation "createUser".

There are certainly many ways to implement your use of the AuthManager::checkAccess() method, but side-stepping it altogether

starts to lead you away from full RBAC in Yii.[/font]

Okay, I get your point - we should check actions and not roles. But still, the question is, should the access check code be written inside the action methods or inside the accessRules() method?