Please disregard this message. When I was testing something I forgot to remove this line from my UserIdentity.php component:
$this->setState('isAdmin', $record->admin);
I think I just discovered a major security hole. I followed the README and installed the latest version of yii-auth from git. Permissions work as they should except within the Auth module itself. Every user is able to access the ?r=auth page and assign himself any permissions he wants.
My config: …
'components' => array(
    'authManager' => array(
        'class' => 'CDbAuthManager',
        'defaultRoles' => array('guest'),
        'behaviors' => array(
            'auth' => array(
                'class' => 'auth.components.AuthBehavior',
            ),
        ),
    ),
    'user' => array(
        'class' => 'auth.components.AuthWebUser',
        'allowAutoLogin' => true, // cookie-based authentication
        'admins' => array('admin'), // only this user should be able to access the Auth administration
    ),