Doubt about controllers and behaviors

Hi,

I’m currently working on my own custom Yii2 advanced template; the main idea of this project is to let me build my future projects faster than I do now.

Now I’m working on the base controller structure, specifically on the authorization process, based on Yii RBAC. I made the following code; it basically verifies whether the current user has the permission to execute an action.

I would like people to make suggestions about my idea.

Here is the behaviors code:

```php
// Imports needed at the top of the controller file.
use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // authenticated users only
                    'matchCallback' => function ($rule, $action) {
                        // Permission name = action id + capitalised controller id,
                        // e.g. "indexSite" for site/index. $this is the controller.
                        $actionName = $this->action->id . ucfirst(Yii::$app->controller->id);
                        return Yii::$app->user->can($actionName);
                    },
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'], // delete only via POST
            ],
        ],
    ];
}
```

Regards!

Guys,

I made a small change in the way I get the action name. Here is the code again:

```php
// Imports needed at the top of the controller file.
use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // authenticated users only
                    'matchCallback' => function ($rule, $action) {
                        // $action is the yii\base\Action being filtered; its
                        // controller is the one running it, so this no longer
                        // depends on $this or Yii::$app->controller.
                        $actionName = $action->id . ucfirst($action->controller->id);
                        return Yii::$app->user->can($actionName);
                    },
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'], // delete only via POST
            ],
        ],
    ];
}
```
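For the callback above to ever return true, the RBAC hierarchy must contain a permission item for each name it computes. The following console command is an added example, not the original poster's code, that builds such a hierarchy with Yii's `authManager` for that naming scheme. The controller name `RbacController`, the controller/action list, the role names `viewer` and `editor`, and the user ids 1 and 2 are all assumptions.

```php
<?php
// console/controllers/RbacController.php (assumed location in the advanced template)
namespace console\controllers;

use Yii;
use yii\console\Controller;
use yii\rbac\ManagerInterface;

class RbacController extends Controller
{
    /**
     * Constructed sample data: which actions each controller exposes.
     * Permission names follow the matchCallback scheme: action id followed
     * by the capitalised controller id, e.g. "indexSite" for site/index.
     */
    private $routes = [
        'site' => ['index', 'about'],
        'post' => ['index', 'view', 'create', 'update', 'delete'],
    ];

    /** Build the permission name exactly as the matchCallback does. */
    public static function permissionName($controllerId, $actionId)
    {
        return $actionId . ucfirst($controllerId);
    }

    /** Rebuild the whole hierarchy: one permission per action, two roles. */
    public function actionInit()
    {
        /** @var ManagerInterface $auth */
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // start from an empty hierarchy

        // One permission item per controller action.
        $permissions = [];
        foreach ($this->routes as $controllerId => $actions) {
            foreach ($actions as $actionId) {
                $name = self::permissionName($controllerId, $actionId);
                $permissions[$name] = $auth->createPermission($name);
                $permissions[$name]->description = "Run {$controllerId}/{$actionId}";
                $auth->add($permissions[$name]);
            }
        }

        // "viewer" may only read.
        $viewer = $auth->createRole('viewer');
        $auth->add($viewer);
        foreach (['indexSite', 'aboutSite', 'indexPost', 'viewPost'] as $name) {
            $auth->addChild($viewer, $permissions[$name]);
        }

        // "editor" inherits everything a viewer can do and may also write.
        $editor = $auth->createRole('editor');
        $auth->add($editor);
        $auth->addChild($editor, $viewer);
        foreach (['createPost', 'updatePost', 'deletePost'] as $name) {
            $auth->addChild($editor, $permissions[$name]);
        }

        // Assumed user ids: 1 is an editor, 2 is a viewer.
        $auth->assign($editor, 1);
        $auth->assign($viewer, 2);

        $this->stdout("RBAC hierarchy created.\n");
        return 0;
    }

    /** Report whether a user may run an action, e.g. `php yii rbac/check 2 post delete`. */
    public function actionCheck($userId, $controllerId, $actionId)
    {
        $name = self::permissionName($controllerId, $actionId);
        // checkAccess() walks the hierarchy, so user 2 gets "viewPost" through "viewer"
        // but is denied "deletePost", which only "editor" holds.
        $allowed = Yii::$app->authManager->checkAccess($userId, $name);
        $this->stdout(($allowed ? 'ALLOW ' : 'DENY  ') . "user {$userId} -> {$name}\n");
        return $allowed ? 0 : 1;
    }
}
```

Run `php yii rbac/init` once the `authManager` component is configured (a `DbManager` backed by the items, item-child, assignment and rule tables described later in the thread), then `php yii rbac/check 1 post delete` should report ALLOW and `php yii rbac/check 2 post delete` DENY. One caveat worth keeping in mind with the naming scheme: controller ids are not always single words. A controller named `UserProfileController` has the id `user-profile`, and a controller inside a module or subdirectory carries that prefix in its unique id, so the computed names become `indexUser-profile` or similar; the permission names you create must match whatever the callback actually produces.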



So if I understand it right, you want to add roles like “indexSite”, so you can assign it to a user, and that user is now verified for the SiteController’s index action?

Barney,

First, thanks for your response. As you know, the Yii2 RBAC system has two types of authorization items (role and permission). In my database I have authorization data (items, item children, assignments and rules).

So, in this function I just check whether the role assigned to the user has the right permission to execute a particular action.

My question: is this the best way? Does anybody know another way?

Strict 1:1 mapping between controller actions and permissions reduces the flexibility of RBAC significantly. A more coarse access control (e.g. a simple "manage users" permission for the whole user administration module) is often sufficient. In other cases you might want much more fine-grained control, down to the level of individual database columns and form fields. Sometimes you might want to perform additional checks.

The idea of "route permission" has been favored by some (or almost all) authors of RBAC extensions, as you see in mdmsoft/yii2-admin for example. It enables you to manage the Access Control Filter in terms of so-called "route permissions" that can be defined in the RBAC hierarchy. With this you can define a permission for a certain route by a name that is the same as its route id, for example "/xxx/yyy" for the "yyy" action of the "xxx" controller.

Basically I like the idea and I am using mdmsoft/yii2-admin with a little modification. It supports wild card route permissions, and helps me define the route permissions by scanning the current app. It’s very convenient.
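The route-permission approach softark describes and the coarser grouping phtamas suggests fit together: name permissions after routes, let a coarse permission such as `manageUsers` own a wildcard route permission as its child, and let the access filter fall back from the exact route to its wildcard parents. The class below is an added illustration of that combination; it is not code from mdmsoft/yii2-admin or from any poster in this thread. The class name `RoutePermission`, its namespace, the sample hierarchy and the user ids 1 and 2 are assumptions.

```php
<?php
namespace common\components; // assumed location in the advanced template

use Yii;
use yii\base\Action;
use yii\filters\AccessControl;
use yii\rbac\ManagerInterface;

/**
 * RBAC permissions named after routes, with wildcard fallbacks.
 * For route "admin/user/delete" the names are tried most specific first:
 *   "/admin/user/delete", "/admin/user/*", "/admin/*", "/*"
 */
class RoutePermission
{
    /**
     * Permission names that would grant $route, most specific first.
     * Pure function, so it can be unit-tested without a running application.
     */
    public static function candidates($route)
    {
        $parts = explode('/', trim($route, '/'));
        $candidates = ['/' . implode('/', $parts)]; // the exact route
        array_pop($parts);                          // drop the action id
        for (;;) {
            $candidates[] = '/' . ($parts ? implode('/', $parts) . '/*' : '*');
            if (!$parts) {
                return $candidates;
            }
            array_pop($parts); // climb one level: controller, then module
        }
    }

    /** True if the user holds any exact or wildcard permission for the action's route. */
    public static function allows($user, Action $action)
    {
        // getUniqueId() already includes module and controller ids, e.g. "admin/user/delete",
        // which avoids the ucfirst()-based name construction breaking on modules.
        foreach (self::candidates($action->getUniqueId()) as $name) {
            if ($user->can($name)) {
                return true;
            }
        }
        return false;
    }

    /** Ready-made 'access' entry for a controller's behaviors() array. */
    public static function behavior()
    {
        return [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // authenticated users only
                    'matchCallback' => function ($rule, $action) {
                        return self::allows(Yii::$app->user, $action);
                    },
                ],
            ],
        ];
    }

    /**
     * Constructed sample hierarchy: the coarse "manageUsers" permission owns the
     * wildcard route "/admin/user/*", while the "viewer" role gets two exact routes.
     */
    public static function buildHierarchy(ManagerInterface $auth)
    {
        $auth->removeAll();

        $routes = [];
        foreach (['/site/index', '/admin/user/index', '/admin/user/*'] as $name) {
            $routes[$name] = $auth->createPermission($name);
            $auth->add($routes[$name]);
        }

        $manageUsers = $auth->createPermission('manageUsers');
        $manageUsers->description = 'Whole user administration module';
        $auth->add($manageUsers);
        $auth->addChild($manageUsers, $routes['/admin/user/*']);

        $viewer = $auth->createRole('viewer');
        $auth->add($viewer);
        $auth->addChild($viewer, $routes['/site/index']);
        $auth->addChild($viewer, $routes['/admin/user/index']);

        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $viewer);
        $auth->addChild($admin, $manageUsers);

        $auth->assign($admin, 1);  // assumed user ids
        $auth->assign($viewer, 2);
    }
}
```

In a controller, `behaviors()` then returns `['access' => RoutePermission::behavior(), ...]` alongside the `verbs` filter. With the sample hierarchy, user 2 is allowed `admin/user/index` through the exact route permission but denied `admin/user/delete`, while user 1 reaches `admin/user/delete` via `manageUsers` -> `/admin/user/*`, so adding a new action to the user module needs no new permission item. The cost of wildcards is the one phtamas points at: a `/admin/*` holder gets every future admin route automatically, so review what a wildcard actually covers whenever a controller is added under it.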

Hi phtamas and softark,

thanks a lot for your responses, they are very useful. Based on your comments, I guess my main idea is fine; I just need to take into account your suggestions, specifically softark’s one about mdmsoft/yii2-admin. For now I don’t want to use third-party extensions, but I’m going to look at this one and take good ideas from there.

My behavior code is running well (I have included it in my own generator templates); I just need to make some performance modifications.

Thanks a lot.

Regards.