Docs: RBAC sample code improvement

Under Authentication and Authorization there is this example:

In my opinion the example could be the following:


// First the updatePost role is checked,

// then the updateOwnPost role



    // update post


Which better demonstrates how the child-parent relationship for the updateOwnPost works.

But updateOwnPost is a less restrictive role. This way people with updateOwnPost role, but without permission to updatePost would be also denied.

And that’s what I thought as well, but it doesn’t work that way.

Say User A is an administrator who can updatePost;

User B is an writer who can updateOwnPost;

$params = array(..);

getUser('User A')->checkAccess('updatePost', $params) // == true

getUser('User A')->checkAccess('updateOwnPost', $params) // == false

getUser('User B')->checkAccess('updatePost', $params) // == whatever updateOwnPost bizRule returns

getUser('User B')->checkAccess('updateOwnPost', $params) // == whatever updateOwnPost bizRule returns

so when checking the updateOwnPost you really have to check for updatePost as well, which is redundant and misses the point of permission inheritance. When checking for updatePost the underlying system checks also the updateOwnPost and if the user has it, it means the user can updatePost.

Hope it clarified it a bit more.