Does Yii checkAccess Rely on a Global Variable?


Some days ago I answered a question on StackOverflow where a user asked how frameworks usually work in general with regard to authentication for certain areas.

Usually, in my projects I apply a kind of checkAccess (or the RBAM extension) and I suggested that.

What was my surprise when everybody jumped on me saying it is not a good choice because it relies on a global variable. But from what I can see, it is really based on a global variable.

Or am I mistaken?

Here is the shortlink for the question:


I think you are right, but I cannot quite understand what they mean by ‘global scope’ or ‘global value’… looks like total bullshit. I guess they totally do not know Yii. First of all: Yii::app() is just the “singleton pattern”, which is widely used in many languages and frameworks. Next, Yii::app()->user and Yii::app()->getUser() are really the same thing in Yii (because of magic attributes implemented with the __get and __set methods).

They also omit the fact that checking privileges always involves another global state: the logged-in user, in whose context all privileges are resolved. You can also say that you do not know who set up this user context… but then you cannot trust anything in your own application :) Even if you use a “static class” or any other solution, you still need to fetch the currently logged-in user id to check his privileges.

Roles combined with business rules are the most powerful, flexible and reliable way to grant privileges :)
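
The mechanism described in the reply above, as an added sketch that is not part of the original thread and is not Yii's own source: a singleton whose `user` property resolves through a magic getter, and a deny-by-default access check combining a role with a business rule. The `Component`, `WebUser` and `App` classes, the role data and the operation names are hypothetical stand-ins.

```php
<?php
// Added sketch, not Yii source. Component imitates the magic-getter idea:
// reading $obj->name falls through to $obj->getName().
abstract class Component {
    public function __get($name) {
        $getter = 'get' . ucfirst($name);
        if (method_exists($this, $getter)) return $this->$getter();
        throw new LogicException("Property \"$name\" is not defined.");
    }
}

// Hypothetical stand-in for the user component.
class WebUser extends Component {
    private $id, $roles; // roles: role name => operations (constructed data)
    public function __construct($id, array $roles) { $this->id = $id; $this->roles = $roles; }
    public function getId() { return $this->id; }

    // $rule plays the business rule: callable($params, $userId) returning bool.
    public function checkAccess($operation, array $params = array(), $rule = null) {
        foreach ($this->roles as $operations) {
            if (in_array($operation, $operations, true)) {
                return $rule === null || (bool) call_user_func($rule, $params, $this->id);
            }
        }
        return false; // deny when no role grants the operation
    }
}

// Hypothetical stand-in for the singleton that Yii::app() returns.
class App extends Component {
    private static $instance;
    private $user;
    public static function instance() {
        if (self::$instance === null) self::$instance = new self();
        return self::$instance;
    }
    public function setUser(WebUser $user) { $this->user = $user; }
    public function getUser() { return $this->user; }
}

App::instance()->setUser(new WebUser(7, array('author' => array('updatePost'))));
$ownPost = function ($params, $userId) { return $params['ownerId'] === $userId; };
$user = App::instance()->user; // magic property, resolved through getUser()

var_dump($user === App::instance()->getUser());                               // property vs. getter
var_dump($user->checkAccess('updatePost', array('ownerId' => 7), $ownPost));  // own post
var_dump($user->checkAccess('updatePost', array('ownerId' => 9), $ownPost));  // someone else's post
var_dump($user->checkAccess('deletePost'));                                   // operation not granted
```

Because `checkAccess` lives on the user object, the same check can be exercised in a unit test by constructing a `WebUser` directly, without touching the singleton.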

Exactly what I thought. However, when people don’t understand the way the framework works, they just fire in all directions.

I came here to ask, as for a moment I doubted the way Yii worked, and maybe you could catch something in what those people said that I didn’t.

If anyone would like to go there and answer the comment to clarify the way Yii works, I would be very thankful. If you do not, I would like to hear more opinions or facts on how Yii handles this.

Any more opinions?