Creating my own AuthManager - Interface Concerns

For a number of reasons including:

  • My application’s access roles are very logic dependent and I don’t like having all my business logic in eval’d strings

  • I don’t want to rely on an external file or database that gets reconfigured when a particular script is re-run

  • I’m difficult

I’ve decided to create my own AuthManager which extends CAuthManager.

In doing so I want to do the standard authorization things like using roles in the accessRules() of my controllers or something like:

if(Yii::app()->user->checkAccess('deletePost'))

All of these seem to rely on the one method:

public function checkAccess($itemName,$userId,$params=array()){}

Whereas all of the other functions - at least from what I’ve figured out from my initial set of digging - are implementation details. Should the interface that CWebUser calls be simplified so these implementation details aren’t public? If I want to go about an entirely different authorization scheme should I be tied to implementing a “saveAuthAssignment($assignment)” function?

Perhaps there’s a better way to implement a custom authorization manager, and if so please tell me. As it is I’ve got 1 useful function and 18 empty functions just so I don’t violate abstract constraints.

An AuthManager is for managing authorization. This includes not only checking for access (the only functionality you seem to be interested in), but also changing who has access to what.

So I think it is reasonable that you are required to implement functions like ‘saveAuthAssignment’ when implementing the IAuthManager interface.

It seems you don’t want to split up AuthItems into operations, tasks and roles. I think you should therefore directly implement IAuthManager instead of extending CAuthManager.

I don’t see the problem in having a lot of empty method implementations in your AuthManager implementation.

Someday you may want to implement some of those methods (for example after you have created some kind of GUI to manage the business logic determining user access).

If you just don’t like the empty methods because they pollute your code, why not create a base class:




/*
 * Base AuthManager that provides an empty implementation for all IAuthManager methods except checkAccess
 */
abstract class VolatileAuthManager extends CApplicationComponent implements IAuthManager
{
    public function saveAuthAssignment($assignment)
    {
        return; // do nothing
    }

    // etc. for all methods except checkAccess
}




and then create your class that does the real work:




class BusinesslogicAuthManager extends VolatileAuthManager
{
    public function checkAccess($itemName,$userId,$params=array())
    {
        $allowed = false; // replace with the business-rule check; denies until then
        if($allowed)
            return true;
        return false;
    }
}
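
One way to fill in the business-rule check without eval'd strings, as an added example that is not part of the original thread or of Yii itself. The class name, the item names 'createPost' and 'deletePost', the 'authorId' key in $params, and the treatment of a null user id as a guest are all assumptions; the class is written stand-alone so it runs without the framework, and in an application it would extend the VolatileAuthManager base shown above.

```php
<?php
// Added example: stand-alone sketch, no Yii classes required.
class RuleTableAuthManager
{
    /** @var callable[] item name => rule($userId, $params) returning bool */
    private $rules = array();

    public function __construct()
    {
        // Hypothetical rules written as plain PHP closures instead of eval'd strings.
        $this->rules['createPost'] = function ($userId, $params) {
            return true; // any authenticated user may create a post
        };
        $this->rules['deletePost'] = function ($userId, $params) {
            // Only the post's author may delete it; a missing authorId denies.
            return isset($params['authorId'])
                && (string)$params['authorId'] === (string)$userId;
        };
    }

    public function checkAccess($itemName, $userId, $params = array())
    {
        // Deny by default: guests (assumed null id) and unknown items get no access.
        if ($userId === null || !isset($this->rules[$itemName])) {
            return false;
        }
        // Strict comparison so a truthy non-boolean result never grants access.
        return call_user_func($this->rules[$itemName], $userId, $params) === true;
    }
}

// Constructed sample calls: owner, non-owner, missing params, unknown item, guest.
$auth = new RuleTableAuthManager();
var_dump($auth->checkAccess('deletePost', 7, array('authorId' => 7)));
var_dump($auth->checkAccess('deletePost', 7, array('authorId' => 9)));
var_dump($auth->checkAccess('deletePost', 7));
var_dump($auth->checkAccess('dropDatabase', 7));
var_dump($auth->checkAccess('createPost', null));
```

Only the first call is allowed; every other path falls through to a denial, including an item name that no rule was registered for.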