Creating Abstract Rbac Permissions

Suppose I have the following (example) RBAC tasks, which can be added to a user role:


$task = $auth ->createTask('pageView_secret', '', 'isset($params["page"] && $params["page"] -> isSecret();');

$task -> addChild('pageView');

$task = $auth ->createTask('pageView_topsecret', '', 'isset($params["page"] && $params["page"] -> isTopSecret()<img src='' class='bbc_emoticon' alt=';)' />;

$task -> addChild('pageView');

This allows me to use:

Yii::app()->user->checkAccess('pageView', array('page' => $model)

Fairly straightforward. Now suppose instead of evaluating whether an already loaded model can be viewed, I wish to use this permission to define a scope on a findAll() call, so that only pages viewable by the user are queried - To use it before the fact, rather than after the fact, so-to-speak. For example:

if(!Yii::app()->user->checkAccess('pageView_topsecret')) {

   // set scope to exclude topsecret pages

} else {

   // something else


As the initial task expects $params["page"], i cannot use it as it is to accomplish this. Therefore, how should this be approached? Is it considered acceptable to use optional parameters, such as:

$task = $auth ->createTask('pageView_topsecret', '', 'return isset($params["page"]) ? $params["page"] -> isTopSecret() : true');

Or am I just going about this wrong, given that my bizrule pertains to an attribute in the Page and is irrespective of the user identity - is my bizrule inappropriately placed within RBAC? Perhaps something along the lines of calling a method such as $model -> checkViewAccess(‘private’), which then validates the user element and the page visibility separately and returns true/false, is preferrable?

Any advice welcome!