[EXTENSION] Rights

Okay this question is kind of stupid I guess, but:

rights is compatible with Yii’s default “accessControl”, but it’s maybe not perfect, right?

If I want to manage multiple admins via rights, I could use accessControl to determine which actions are allowed for everyone and which are allowed for registered users only, since accessControl’s “admin”-group is something different.

Then, I could use rights +adminAction1 +adminAction2 +adminAction3… as a secondary filter.

Whenever a logged-in standard user tries to access “adminAction1”, first accessControl let’s him through, but then right looks up the user’s permissions and denies him access.

(Meaning that rights automatically follows this ‘deny if I don’t have an explicit permission for you’-approach, which accessControl only gains from the deny-array.)

That said, the in most cases better option would still be to use right as the only filter for all actions, then create the according auth items within rights and use the RBAC-scheme for everything, I guess.

Thanks. It fixed the issue.

Hi, Chris!

Once again I want to say thanks for your work

And then I have a question: How do I enable pagination on /index.php?r=rights/authItem/permissions for example ?

Tried myself - nothing, please any help or tips

Thanks

hi!

I have installed according to documentation. for me it seems nothing really happens when I change an assigment. I’m sure I’m missing something because I’m a beginner. would you be so kind to help me?

sorry for disturbing, now I begin to get the picture. what was missing is changing to RController in Controller.php and put this into projectcontroller:

return array(

//'accessControl', // perform access control for CRUD operations

'rights',

cool ext!

I’ve got a quick question:

Is there any short way of getting ALL users with a specific role. Let’s say I have a role ‘Trainer’ and I want all users with that role, so people can easily see who the trainers are on the site. What’sd the best way to tackle this, since the documentation doesn’t mention anything on it.

Thanks!

Found the solution on the following site:

http://octathorpeweb.com/blog/2012/03/06/yii-rights-extension-rbac-role-based-access-control/

This is a working solution. Perhaps you should incorporate this explanation in your documentation, Chris?

iths nice …but i have problem, I assigned roles to user but its not denying the unauthorised persons.should i comment or change the access rules in all deefault controllers?.

I got a bug i am using forms with javascript for loading text fields with data from controller using if condition .before i install rights extension all worked fine but after installing this fields not loading properly…its damn prob for me fix this ASAP

Another problem,In generate controllers list getting the commented actions also

Please help, i didn’t see menu in column1

i login like admin but didn’t see how to configure

<div id="mainmenu">

		<?php $this->widget('zii.widgets.CMenu',array(

			'items'=>array(

				array('label'=>'Home', 'url'=>array('/site/index')),

				array('label'=>'About', 'url'=>array('/site/page', 'view'=>'about')),

				array('label'=>'Contact', 'url'=>array('/site/contact')),

                                array('url'=>Yii::app()->getModule('user')->loginUrl, 'label'=>Yii::app()->getModule('user')->t("Login"), 'visible'=>Yii::app()->user->isGuest),

                                array('url'=>Yii::app()->getModule('user')->registrationUrl, 'label'=>Yii::app()->getModule('user')->t("Register"), 'visible'=>Yii::app()->user->isGuest),

                                array('url'=>Yii::app()->getModule('user')->profileUrl, 'label'=>Yii::app()->getModule('user')->t("Profile"), 'visible'=>!Yii::app()->user->isGuest),

                                array('url'=>Yii::app()->getModule('user')->logoutUrl, 'label'=>Yii::app()->getModule('user')->t("Logout").' ('.Yii::app()->user->name.')', 'visible'=>!Yii::app()->user->isGuest),

			),

		)); ?>

	</div>

Hi, thanks for you wrok:)

I have a problem, please help me.

CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1452 Cannot add or update a child row: a foreign key constraint fails (demo.authassignment, CONSTRAINT authassignment_ibfk_1 FOREIGN KEY (itemname) REFERENCES AuthItem (name) ON DELETE CASCADE ON UPDATE CASCADE). The SQL statement executed was: INSERT INTO AuthAssignment (itemname, userid, bizrule, data) VALUES (:itemname, :userid, :bizrule, :data)

it’s after adding assign item to roles.

Hi Chris, thanks a million for building the rights extension.

I am totally new in Yii trying to follow the install procedure of rights and the system produced the following error:

Error 403 - There must be at least one superuser!

when entering localhost/demo2/index.php?r=rights

I created a user table with id and username fields, generated the model I followed the step 3 of your guide(config/main.php). Please Help

My config/main.php is:

<?php

// uncomment the following to define a path alias

// Yii::setPathOfAlias(‘local’,‘path/to/local-folder’);

// This is the main Web application configuration. Any writable

// CWebApplication properties can be configured here.

return array(

'basePath'=>dirname(__FILE__).DIRECTORY_SEPARATOR.'..',


'name'=>'My Web Application',





// preloading 'log' component


'preload'=>array('log'),





// autoloading model and component classes


'import'=>array(


	'application.models.*',


	'application.components.*',


	'application.modules.rights.*', 


	'application.modules.rights.components.*', // Correct paths if necessary.		


),





'modules'=>array(


	// uncomment the following to enable the Gii tool


	


	'gii'=>array(


		'class'=>'system.gii.GiiModule',


		'password'=>'vacorp',


	 	// If removed, Gii defaults to localhost only. Edit carefully to taste.


		//'ipFilters'=>array('127.0.0.1','::1'),


	),


	'rights'=>array( 


		'install'=>true, // Enables the installer.


	),	


	


),








// application components


'components'=>array(


	'user'=>array(


		// enable cookie-based authentication


		'allowAutoLogin'=>true,





	    'class'=>'RWebUser', // Allows super users access implicitly.	


	    ),


	'superUsers'=>array(


				1=>'admin',


				2=>'demo',


				


		), // Array of users with super user priviledges. (id=>name)		    


	'defaultRoles'=>array('Guest'), // Only an example, this is the default value.





	'authManager'=>array( 


		'class'=>'RDbAuthManager', // Provides support authorization item sorting.	


		'connectionID'=>'db', // as in your database configuraiton





	),	


	// uncomment the following to enable URLs in path-format


	/*


	'urlManager'=>array(


		'urlFormat'=>'path',


		'rules'=>array(


			'<controller:\w+>/<id:\d+>'=>'<controller>/view',


			'<controller:\w+>/<action:\w+>/<id:\d+>'=>'<controller>/<action>',


			'<controller:\w+>/<action:\w+>'=>'<controller>/<action>',


		),


	),


	*/


	/*


	'db'=>array(


		'connectionString' => 'sqlite:'.dirname(__FILE__).'/../data/testdrive.db',


	),


	*/


	// uncomment the following to use a MySQL database


	/*


	'db'=>array(


		'connectionString' => 'mysql:host=localhost;dbname=testdrive',


		'emulatePrepare' => true,


		'username' => 'root',


		'password' => '',


		'charset' => 'utf8',


	),


	*/


	'db'=>array(


		'connectionString' => 'pgsql:host=localhost;dbname=demo',


		'emulatePrepare' => true,


		'username' => 'postgres',


		'password' => 'vacorp',


		'charset' => 'utf8',


	),		


	'errorHandler'=>array(


		// use 'site/error' action to display errors


        'errorAction'=>'site/error',


    ),


	'log'=>array(


		'class'=>'CLogRouter',


		'routes'=>array(


			array(


				'class'=>'CFileLogRoute',


				'levels'=>'error, warning',


			),


			// uncomment the following to show log messages on web pages


			/*


			array(


				'class'=>'CWebLogRoute',


			),


			*/


		),


	),


),





// application-level parameters that can be accessed


// using Yii::app()->params['paramName']


'params'=>array(


	// this is used in contact page


	'adminEmail'=>'webmaster@example.com',


),

);

The generated user model is:

<?php

/**

• This is the model class for table "user".

• The followings are the available columns in table ‘user’:

• @property integer $id

• @property string $username

*/

class User extends CActiveRecord

{

/**


 * Returns the static model of the specified AR class.


 * @param string $className active record class name.


 * @return User the static model class


 */


public static function model($className=__CLASS__)


{


	return parent::model($className);


}





/**


 * @return string the associated database table name


 */


public function tableName()


{


	return 'user';


}





/**


 * @return array validation rules for model attributes.


 */


public function rules()


{


	// NOTE: you should only define rules for those attributes that


	// will receive user inputs.


	return array(


		array('username', 'length', 'max'=>50),


		// The following rule is used by search().


		// Please remove those attributes that should not be searched.


		array('id, username', 'safe', 'on'=>'search'),


	);


}





/**


 * @return array relational rules.


 */


public function relations()


{


	// NOTE: you may need to adjust the relation name and the related


	// class name for the relations automatically generated below.


	return array(


	);


}





/**


 * @return array customized attribute labels (name=>label)


 */


public function attributeLabels()


{


	return array(


		'id' => 'ID',


		'username' => 'Username',


	);


}





/**


 * Retrieves a list of models based on the current search/filter conditions.


 * @return CActiveDataProvider the data provider that can return the models based on the search/filter conditions.


 */


public function search()


{


	// Warning: Please modify the following code to remove attributes that


	// should not be searched.





	$criteria=new CDbCriteria;





	$criteria->compare('id',$this->id);


	$criteria->compare('username',$this->username,true);





	return new CActiveDataProvider($this, array(


		'criteria'=>$criteria,


	));


}

}

Please help me find out where I made the mistake.

Best regards,

Douglas López

Caracas- Venezuela

Hi There,

Can anyone tell me how to overcome this issue i had. I installed the Rights extension correctly I believe but only the first page of rights displayed correctly and the rest of the pages i got:

Error 404

Unable to resolve the request "rights/authItem/permissions".

In my config in UrlManager i used ‘path’ for ‘urlFormat’ and that’s all I can think of in regards to this issue. Anyone knows how to solve this issue?

Andy

Sorry it was my bad and for anyone who has this issues you need to comment out the

‘caseSensitive’=>false

from the urlManager in your main.php for this to work.

Andy

I installed the Rights extension correctly, but when I try to go to the tab Assignments get the error:

include($data-&gt;getAssignmentsText(CAuthItem.php) [<a href=‘function.include’>function.include</a>]: failed to open stream: No such file or directory

versions: rights 1.3.0, yii 1.1.11

Been at this for hours now. i belive in the new version of the framework there came a difference in the getId() function in CWebUser class that made it return the username and not the user id. In this case your user permissions would work great in the pages controlled by your custom controllers (the ones you extended fromRController), but not in rights. So I made changes in the AssignmentController.php in Rights, namely:

after line 83 I added:

$userName = $this->module->userNameColumn;

after (the now) line 104 I put:

$this->_authorizer->authManager->assign($formModel->itemname, $model->$userName);

and after (the now) line 148 I inserted:

$userClass = $this->module->userClass;

$userName = $this->module->userNameColumn;

$model = CActiveRecord::model($userClass)->findByPk($_GET['id']);

$this->_authorizer->authManager->revoke($itemName, $model->$userName);

It now inserts and deletes entries for both the user id and the username, so it works just fine everywhere. If anyone has the same problem, there it is… this had me going for a while, so I figured I’d help someone out.

I belive this is a new incompatibility, since I had used Rights before and it worked just fine.

Hi!

I’m sure I’m not the first one to ask this, but I can’t find any clear ans simple answer…

I have Yii-user and Rights extensions installed and configured and working fine. Except :

Yii::app()->user->checkAccess('Foo.Bar');

doesn’t seem to be checking access recursively.

Let me explain. I have 2 roles R1 and R2, and I want to perform action A.

Assume R1 is a child of R2.

Assume A is a child of R1.

In the ‘Permissions’ page of the module, in (column R1, row A), I read ‘Revoke’ (wich means that A is assigned to R1). And in (column R2, row A), I read ‘Inherited *’ (wich means that A can be accessed via R1 by R2).

Now I log in with user U1 which has role R1. U1 can indeed perform action A, no problem.

But when I log in with User U2 which has role R2, U2 cannot perform action A. checkAccess(‘A’) returns false…

Now if I set A as a child of R2 too, U2 can perform action A…

Am I missing something ?(and what is it)

Cheers!

Sampa — did you ever get a solution for this? I’m having the same problem, and am baffled as to why it’s behaving this way. Rights has worked perfectly for me in other installations, and I’m wondering if this could be caused by my using the the June 2012 update to Yii User. Although I don’t know how it would affect it.

From what I can tell, none of the requests work except "/rights/assignment/view" and "/rights".

cf my previous post (2 above).

Yii::app()->user->checkAccess() doesn’t seem to be recursively going through all the nodes of the assignment tree…

Please can anyone help?

Okay, I missed this :

from here : http://www.yiiframework.com/wiki/136/getting-to-understand-hierarchical-rbac-scheme/

(stupid me)

Cheers!

Some problem

did you resolved it?

What version of php you are using?

2012/08/13 20:01:39 [error] [php] include($data-&gt;getAssignmentsText(CAuthItem.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory (/home/framework/YiiBase.php:423)

Stack trace:

#0 unknown(0): spl_autoload_call()

#1 /home/framework/base/CComponent.php(604): function_exists()

#2 /home/framework/zii/widgets/grid/CDataColumn.php(132): CDataColumn->evaluateExpression()

#3 /home/framework/zii/widgets/grid/CGridColumn.php(142): CDataColumn->renderDataCellContent()

#4 /home/framework/zii/widgets/grid/CGridView.php(576): CDataColumn->renderDataCell()

#5 /home/framework/zii/widgets/grid/CGridView.php(549): CGridView->renderTableRow()

#6 /home/framework/zii/widgets/grid/CGridView.php(459): CGridView->renderTableBody()

#7 /home/framework/zii/widgets/CBaseListView.php(161): CGridView->renderItems()

#8 unknown(0): CGridView->renderSection()

#9 /home/framework/zii/widgets/CBaseListView.php(144): preg_replace_callback()

#10 /home/framework/zii/widgets/CBaseListView.php(129): CGridView->renderContent()

#11 /home/framework/web/CBaseController.php(174): CGridView->run()

#12 /home//httpdocs/protected/modules/rights/views/assignment/view.php(49): AssignmentController->widget()

#13 /home/framework/web/CBaseController.php(127): require()

#14 /home/framework/web/CBaseController.php(96): AssignmentController->renderInternal()

#15 /home/framework/web/CController.php(870): AssignmentController->renderFile()

#16 /home/framework/web/CController.php(783): AssignmentController->renderPartial()

#17 /home//httpdocs/protected/modules/rights/controllers/AssignmentController.php(74): AssignmentController->render()

#18 /home/framework/web/actions/CInlineAction.php(50): AssignmentController->actionView()

#19 /home/framework/web/CController.php(309): CInlineAction->runWithParams()

#20 /home/framework/web/filters/CFilterChain.php(134): AssignmentController->runAction()

#21 /home/framework/web/filters/CFilter.php(41): CFilterChain->run()

#22 /home/framework/web/CController.php(1146): CAccessControlFilter->filter()

#23 /home/framework/web/filters/CInlineFilter.php(59): AssignmentController->filterAccessControl()

#24 /home/framework/web/filters/CFilterChain.php(131): CInlineFilter->filter()

#25 /home/framework/web/CController.php(292): CFilterChain->run()

#26 /home/framework/web/CController.php(266): AssignmentController->runActionWithFilters()

#27 /home/framework/web/CWebApplication.php(283): AssignmentController->run()

#28 /home/framework/web/CWebApplication.php(142): CWebApplication->runController()

#29 /home/framework/base/CApplication.php(162): CWebApplication->processRequest()

#30 /home//httpdocs/index.php(13): CWebApplication->run()

REQUEST_URI=/rights

in /home//httpdocs/protected/modules/rights/views/assignment/view.php (49)

in /home//httpdocs/protected/modules/rights/controllers/AssignmentController.php (74)

in /home//httpdocs/index.php (13)

Hi there, I want to use Rights ext. I followed the right doc. And I found the

Error 403


There must be at least one superuser!

so I read this topic and I found this solution.

http://www.yiiframework.com/forum/index.php/user/4139-chris83/

I did it (drop the right tbls and I left only my user tbl) that that time there are SQL statement error authassignment tbl did not present. I re-do from 1st step. after that, I left authassignment tbl and authitem tbl, at that time Error 403 “There must be at least one superuser!” error was coming out again. I’m so confuse. How can I use this ext?

Regards

T

I found the answer at here.

http://code.google.com/p/yii-rights/issues/detail?id=60

Thank u

http://code.google.com/u/115596051025689640704/