Custom access

Hello,

I modified my UserIdentity controller in order to retrieve users from the database… it kind of works. Then I have this scenario: I have two kinds of users, admins and normal users. I need the admins to be able to do everything on my data, and normal users to only access their own data. To explain better, let’s say I have Users and Addresses tables. I’d like admin users to perform CRUD actions on both tables, and normal users to only modify their own address.

If I understood well how Yii works, I should modify UsersController.php’s accessRules function… but how? :D thanks a lot,

joey

well… I was reading http://www.yiiframework.com/doc/guide/topics.auth which deals with my doubts. The answer is: looks like I should use a CDbAuthManager object… but where?

In models/Address.php, controllers/UserController.php, or I don’t know where?

Thanks a lot :)

Hi,

If you only have two user levels [admin & all others] then accessRules should be fine for you. Copy-paste your accessRules function here and explain which actions should be admin-only and which should be user-only.

cheers,

bettor

Hi, thanks for the reply! :)

Actually I have many models, not only users and addresses… anyhow, here’s the “almost default” accessRules function on one of my controllers:




public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('myemail@mydomain.com'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}

Actually in my DB I store info about the user level, so I thought the CDbAuthManager class would have been useful… I “just” can’t get how to use it. Actually, Yii is great, but a little bit hard to get to know for a newbie.

Thanks a lot! :)

I’m going nuts and can’t find a way to do this…

I was thinking about doing things like this:

1: since in my Users table I have info about the level of the user, I added a private $_level to the UserIdentity component and initialize it with the user’s value I get from the DB. OK.

2: then, my idea would be to filter the list of addresses in order to get only the addresses whose user_id = logged-in user id for normal users, and all addresses for admin users.

How should I do this? I saw there’s a filters function in controllers/AddressController.php… the name sounds great :D

Please, help me out :)

A nice solution for authorization is to use Yii’s RBAC.

Instead of using your custom user-level, you can use RBAC (refer to the Yii documentation) and create the role ‘admin’.

You can create an interface to assign/revoke permissions to users, as easily as managing your custom user-level.

If you use Yii’s instruments, then you can do something like this:




public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'roles'=>array('admin'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}



That allows you to authorize all admin users (and not only one) to perform the action.
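One way to create the ‘admin’ role the reply above refers to and assign it to a user with CDbAuthManager, as an added example that is not code from the thread; the command name, the file path and the authManager configuration lines are assumptions:

```php
<?php
// protected/commands/RbacCommand.php (hypothetical path). Run once per admin:
//   ./protected/yiic rbac <userId>
// Assumes the three RBAC tables from framework/web/auth/schema.sql exist and
// that BOTH config/main.php and config/console.php declare, under 'components':
//   'authManager'=>array('class'=>'CDbAuthManager', 'connectionID'=>'db'),
class RbacCommand extends CConsoleCommand
{
    public function run($args)
    {
        if (!isset($args[0])) {
            echo "usage: yiic rbac <userId>\n";
            return 1;
        }
        $userId = $args[0];
        $auth = Yii::app()->authManager;

        // Create the role only once; a second createRole() with the same name
        // would fail on the AuthItem primary key.
        if ($auth->getAuthItem('admin') === null) {
            $auth->createRole('admin', 'may manage every user and address');
        }

        // The id passed here must equal what UserIdentity::getId() returns
        // after login: CWebUser::checkAccess('admin'), which the 'roles' entry
        // in accessRules() calls, looks assignments up by that id.
        if (!$auth->isAssigned('admin', $userId)) {
            $auth->assign('admin', $userId);
        }
        echo "user $userId now has the 'admin' role\n";
        return 0;
    }
}
```

Once the assignment exists, `'roles'=>array('admin')` in accessRules() matches every user holding the role, with no e-mail address hard-coded in the controller.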

Hey, thanks a lot, sounds great… actually I saw the documentation about RBAC, but couldn’t find a way to install that.

I think creating roles would be enough for me, but how can I create those?

I know my questions are quite stupid… I find it quite hard to find the right places where to do things in Yii. In this situation I should put a filter on my list of Addresses in order to get only the ones connected to the user who is logged in (if he’s not an admin). If I get it right, this should be done in the loadModel function in AddressController, right?

Thanks

WOAH!

I’ve done something like this:

In config/main.php I set


'user'=>array(
    // enable cookie-based authentication
    'allowAutoLogin'=>true,
    'class'=>'MyWebUser',
),

Then created components/MyWebUser.php:




class MyWebUser extends CWebUser
{
    // Look up the user's level (powerUser column) by e-mail address.
    public function getLevel($name)
    {
        // named parameter instead of a positional '?', and the value is
        // lowercased to match the LOWER() on the column
        $user=BoUsers::model()->find('LOWER(emailAddress)=:email',array(':email'=>strtolower($name)));
        if($user===null)
            return null; // unknown user: callers treat this as a normal user
        return $user->powerUser;
    }
}



Then in AddressController I filter addresses in actionIndex:


public function actionIndex()
{
    $userlevel = Yii::app()->user->getLevel(Yii::app()->user->name);
    if($userlevel==0){
        // normal user: only their own row (getId() takes no argument)
        $userid = Yii::app()->user->getId();
        $dataProvider=new CActiveDataProvider('BoUsers', array(
            'criteria'=>array(
                // bind the id as a parameter instead of concatenating it into the SQL
                'condition'=>'idBOUSers=:id',
                'params'=>array(':id'=>$userid),
            ),
            'pagination'=>array(
                'pageSize'=>self::PAGE_SIZE,
            ),
        ));
    }
    else{
        // admin: every row
        $dataProvider=new CActiveDataProvider('BoUsers', array(
            'pagination'=>array(
                'pageSize'=>self::PAGE_SIZE,
            ),
        ));
    }

    $this->render('index',array(
        'dataProvider'=>$dataProvider,
    ));
}

And it sounds quite correct… is it?

Thanks a lot
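Filtering the index list is only half of the rule from the post above: view, update and delete receive an id from the URL, so the same ownership check has to run where that id is loaded. An added example of an AddressController doing both (not code from the thread); it assumes an Address model with a user_id column and the ‘admin’ RBAC role, so that checkAccess('admin') is true for admins:

```php
<?php
// protected/controllers/AddressController.php (added example, not the thread's
// code). Assumes an Address model with a user_id column and the 'admin' RBAC
// role, so that Yii::app()->user->checkAccess('admin') is true for admins.
class AddressController extends Controller
{
    const PAGE_SIZE = 10;

    private function isAdmin()
    {
        return Yii::app()->user->checkAccess('admin');
    }

    // The list: addColumnCondition() binds the id as a parameter, so it is
    // never concatenated into the SQL string.
    public function actionIndex()
    {
        $criteria = new CDbCriteria;
        if (!$this->isAdmin()) {
            $criteria->addColumnCondition(array('user_id' => Yii::app()->user->id));
        }
        $dataProvider = new CActiveDataProvider('Address', array(
            'criteria' => $criteria,
            'pagination' => array('pageSize' => self::PAGE_SIZE),
        ));
        $this->render('index', array('dataProvider' => $dataProvider));
    }

    // view, update and delete all fetch their record through loadModel(), so
    // the ownership rule belongs here: filtering the index list alone does not
    // stop a logged-in user from putting someone else's id in the URL.
    public function loadModel($id)
    {
        $model = Address::model()->findByPk($id);
        $owned = $model !== null
            && ($this->isAdmin() || (string)$model->user_id === (string)Yii::app()->user->id);
        if (!$owned) {
            // Same response as a missing row, so the reply does not reveal
            // whether the id exists.
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }
}
```

accessRules() still decides which actions a role may call at all; loadModel() adds the per-row decision that accessRules() cannot express.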

Oh my goodness…

Now I realized that of course users who are not admins shouldn’t be able to update their powerUser value… how can I hide that from the update view?

Thanks
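Hiding the field in the view does not stop a user from adding a powerUser parameter to the POST themselves; in Yii 1 the gate is the model's safe-attribute list, which is driven by rules() and the scenario. An added example (not code from the thread) showing that for the BoUsers model; the ‘self’ scenario name and the UserController excerpt are assumptions:

```php
<?php
// protected/models/BoUsers.php (excerpt)
class BoUsers extends CActiveRecord
{
    public function rules()
    {
        return array(
            array('emailAddress', 'required'),
            array('emailAddress', 'email'),
            // powerUser is mass-assignable ("safe") only in the 'admin'
            // scenario. In any other scenario $model->attributes = $_POST[...]
            // silently drops it, so a hand-added POST field cannot raise the
            // caller's own level, whether or not the form shows the field.
            array('powerUser', 'in', 'range' => array(0, 1), 'on' => 'admin'),
        );
    }
}

// protected/controllers/UserController.php (excerpt; loadModel() as generated,
// with the same per-row ownership check as for addresses)
class UserController extends Controller
{
    public function actionUpdate($id)
    {
        $model = $this->loadModel($id);
        // The scenario comes from the caller's role, never from the request.
        $model->scenario = Yii::app()->user->checkAccess('admin') ? 'admin' : 'self';
        if (isset($_POST['BoUsers'])) {
            $model->attributes = $_POST['BoUsers']; // powerUser ignored unless 'admin'
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->idBOUSers));
            }
        }
        $this->render('update', array('model' => $model));
    }
}

/* In views/user/_form.php the field is then shown to admins only. This part is
   cosmetic; the rules() entry above is what actually protects the column:

   <?php if ($model->scenario === 'admin'): ?>
       <?php echo $form->labelEx($model, 'powerUser'); ?>
       <?php echo $form->dropDownList($model, 'powerUser', array(0 => 'user', 1 => 'admin')); ?>
   <?php endif; ?>
*/
```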