Difference between RBAC operations and using RBAC with Rules

Hi,

Still new with Yii and have realized that I can just create roles, assign them to users and use the controllers' accessRules to limit each role. Then I was wondering why we would need operations? I use mostly Yii generated code and customize it to my needs.

Thanks for help

You ask about the purpose of the 3 different types of permissions: roles, tasks, operations?

If so - this is only such a design and can keep the privilege definitions cleaner. You can assign any type of privilege (role, task, operation) to a user and check any of them in accessRules. So looking from the usage side - there is no difference.

Just think of them as: "operation" is an atomic operation I can do in my app, for example "create new object", "delete object", etc. "task" refers to more abstract privileges like "manage articles", "manage posts", which generally consist of operations "create new article", "delete article", "update article", and so on.

"Roles" refer to real-life roles of people in an organization, like "editor", "secretary", "board member", and they group tasks performed by such a role: Editor manages articles, Editor manages posts, Board member runs reports, etc. Of course there are roles which inherit from other roles, like "editor-in-chief" has every privilege of a standard "editor", but also can accept articles to publish.
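The hierarchy described in the post above, written out against the Yii 1.x authManager API. This is an added example, not code from the thread; it assumes an `authManager` application component is configured (CPhpAuthManager or CDbAuthManager), and the item names and user ids are constructed sample values.

```php
<?php
// Added example: building operations -> tasks -> roles with Yii 1.x CAuthManager.
// Assumes Yii::app()->authManager is a configured CPhpAuthManager or CDbAuthManager.
$auth = Yii::app()->authManager;

// Operations: atomic things a user can do. Names must be unique across the app.
$auth->createOperation('createArticle', 'create a new article');
$auth->createOperation('updateArticle', 'update an existing article');
$auth->createOperation('deleteArticle', 'delete an article');
$auth->createOperation('acceptArticle', 'accept an article for publishing');
$auth->createOperation('runReports', 'run reports');

// Task: a more abstract privilege that groups related operations.
$manageArticles = $auth->createTask('manageArticles', 'manage articles');
$manageArticles->addChild('createArticle');
$manageArticles->addChild('updateArticle');
$manageArticles->addChild('deleteArticle');

// Roles: real-life roles that group tasks.
$editor = $auth->createRole('editor', 'editor');
$editor->addChild('manageArticles');

$boardMember = $auth->createRole('boardMember', 'board member');
$boardMember->addChild('runReports');

// A role inheriting another role: editor-in-chief gets everything an editor
// has (via the child role) plus the extra operation.
$chief = $auth->createRole('editorInChief', 'editor-in-chief');
$chief->addChild('editor');
$chief->addChild('acceptArticle');

// Assign roles to users (constructed sample user ids).
$auth->assign('editor', 2);
$auth->assign('editorInChief', 3);

// CPhpAuthManager keeps the hierarchy in memory until it is saved to the auth file.
if ($auth instanceof CPhpAuthManager) {
    $auth->save();
}

// Any level of the hierarchy can be checked; checkAccess() walks the tree,
// so user 3 passes 'deleteArticle' through editorInChief -> editor -> manageArticles,
// while user 2 fails 'acceptArticle' because plain editors never receive it.
$chiefCanDelete = $auth->checkAccess('deleteArticle', 3);
$editorCanAccept = $auth->checkAccess('acceptArticle', 2);
```

Inside a controller the same checks are written as `'roles' => array('manageArticles')` in accessRules; that key accepts any auth item name, not only roles, which is why the post says there is no difference from the usage side.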

That adds to what I have read but expounds more. Thank you.

I have another question. I'm making a site where there are roles such as reader, editor, author and admin. I also have a table "users" that holds my users with a field "role" which holds one of the mentioned. Now I want to assign a role at authentication so that the system will allow him the right operations at accessRules.

Also I'm confused how to set rules given two different controllers with the same methods (User::create, Post::create). How do I define operations in a case like this?

Thanks

There is a similar thread: http://www.yiiframework.com/forum/index.php/topic/30418-role-based-access-management/

However, you do not need to update the authManager data and save it on login. Instead you could rather overload the default authManager class and re-implement the checkAccess method like this:




    private $_rolesLoaded = array();

    public function checkAccess( $itemName, $userId, $params = array() ) {
        // Read the role from the users table once per user and per request and
        // hand it to the auth manager as an assignment; with CPhpAuthManager this
        // stays in memory, so nothing has to be saved on login.
        if( is_numeric( $userId ) && !isset( $this->_rolesLoaded[ $userId ] ) ) {
            $user = User::model()->findByPk( $userId );
            // Guard against unknown ids and against assigning twice (assign() would
            // insert a duplicate row when a DB-backed auth manager is used).
            if( $user !== null && !$this->isAssigned( $user->role, $userId ) ) {
                $this->assign( $user->role, $userId );
            }
            $this->_rolesLoaded[ $userId ] = true;
        }
        return parent::checkAccess( $itemName, $userId, $params );
    }



You must only keep the role definitions in the authManager storage (admin, user, etc.).

Just give them unique names like "create user", "create post", etc. They are separate operations, so there must be separate privileges in a strict model. You can also use another granularity and have only the task "manage users" without any operations and allow every action in UserController when the user has the "manage users" auth item assigned.

It is your choice. If you never need to apply fine-grained authentication on different roles, then creating "operations" for every action can be unnecessary overhead.
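Both granularities from the two posts above, side by side in two controllers whose actions share names. This is an added example, not code from the thread; it assumes the auth items "create user", "update user", "delete user" and "manage posts" already exist in the authManager storage and that the accessControl filter is enabled, as in Yii 1.x generated code.

```php
<?php
// Added example: same action names in two controllers, guarded by distinct auth items.
// Assumes the auth items named below exist in Yii::app()->authManager storage.

class UserController extends CController
{
    public function filters()
    {
        return array('accessControl'); // CAccessControlFilter evaluates accessRules()
    }

    // Fine-grained model: one operation per action. The 'roles' key is checked with
    // Yii::app()->user->checkAccess(), so operation names work here as well as roles.
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('create'), 'roles' => array('create user')),
            array('allow', 'actions' => array('update'), 'roles' => array('update user')),
            array('allow', 'actions' => array('delete'), 'roles' => array('delete user')),
            array('deny'), // first matching rule wins; everything else, guests included, is denied
        );
    }

    public function actionCreate()
    {
        $this->render('create');
    }

    public function actionUpdate($id)
    {
        $this->render('update', array('id' => (int) $id));
    }

    public function actionDelete($id)
    {
        $this->redirect(array('index'));
    }
}

class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Coarse-grained model: a single task guards every writing action in this
    // controller, so 'create' here never collides with UserController's 'create'.
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')), // public reads
            array('allow', 'roles' => array('manage posts')), // any other action needs the task
            array('deny'),
        );
    }

    public function actionIndex()
    {
        $this->render('index');
    }

    public function actionCreate()
    {
        $this->render('create');
    }
}
```

The `array('deny')` rule at the end matters in both variants: without it, an action not matched by any allow rule falls through to the filter's default of allowing access.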

Thanks a lot friend.

That was a really big boost!

Hi RedGuy,

I'm now actually implementing this, and I would like to know how inheritance goes.

I have the below code saved under the components folder.

Is something like this correct?


<?php

// CAuthManager is abstract, so the class must extend a concrete manager:
// CPhpAuthManager (auth file) or CDbAuthManager (auth tables).
class MyAuthManager extends CPhpAuthManager {

    private $_rolesLoaded = array();

    public function checkAccess( $itemName, $userId, $params = array() ) {
        // Load the role from the users table once per user and per request and
        // assign it in memory before delegating to the parent's check.
        if( is_numeric( $userId ) && !isset( $this->_rolesLoaded[ $userId ] ) ) {
            $user = User::model()->findByPk( $userId );
            // Skip unknown ids and roles that are already assigned.
            if( $user !== null && !$this->isAssigned( $user->role, $userId ) ) {
                $this->assign( $user->role, $userId );
            }
            $this->_rolesLoaded[ $userId ] = true;
        }
        return parent::checkAccess( $itemName, $userId, $params );
    }
}



I found the solution here.