Hi folks. I just started to work with RBAC and I’m still learning. So sorry for the dumb questions.
Scenario:
I have a portlet with a lot of links to controller actions. I can toggle the visibility of links by checking the access to that controller action like:
It’s working fine. But some users won’t have access to the portlet. I know I can create a new task or operation to define whether the user will see the portlet. (I know my client won’t be able to do this.) I’m dealing with a lot of portlets and I need to check if the user has access to some controller/action and, if yes, render the portlet, otherwise not.
So how can I check if the user has access to one permission?
There is nothing special, because checking for access is very simple (the name must be the same). Sample from RDbAuthManager:
```php
public function getAuthItem($name, $allowCaching=true)
{
    // Get all items if necessary and cache them.
    if( $allowCaching && $this->_items===array() )
        $this->_items = $this->getAuthItems();

    // Get the item from the cache if possible.
    if( $allowCaching && isset($this->_items[ $name ]) )
    {
        return $this->_items[ $name ];
    }
    // Otherwise attempt to load the item through the parent auth manager.
    else if( ($item = parent::getAuthItem($name))!==null )
    {
        return $item;
    }

    // Item does not exist.
    return null;
}
```
Is there any easy way to solve my problem without creating new operations?
Also I think this feature should be implemented in the following Rights releases, because now there is no consistency between RightsFilter and checkAccess checking. The first one supports ‘*’, the second does not.
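One way to render a portlet only when the current user can reach at least one of its links, and to get the same ‘*’ behaviour from checkAccess that RightsFilter already has, as an added example (not code from the Rights extension). It assumes operation names follow the "Controller.Action" / "Module.Controller.*" convention seen in this thread (e.g. "User.Admin", "Admin.Default.*"); the class, method and portlet names are hypothetical.

```php
<?php
// Added helper, not part of Rights: decide whether a portlet should be
// rendered by checking whether the user may access ANY of the routes
// its links point to. Wildcard items ("Admin.Default.*") are only
// matched if you actually created them in Rights.
class PortletAccess
{
    /**
     * @param array $routes routes such as 'user/admin' or 'admin/default/index'
     * @return bool true if the user may access at least one route
     */
    public static function canAccessAny(array $routes)
    {
        $user = Yii::app()->user;   // Rights returns true here for superusers
        foreach ($routes as $route) {
            foreach (self::candidates($route) as $item) {
                if ($user->checkAccess($item)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Auth item names to test for a route, most specific first.
     * 'admin/default/index' yields:
     *   Admin.Default.Index, Admin.Default.*, Admin.*
     * This mirrors the '*' handling RightsFilter does and checkAccess lacks.
     */
    public static function candidates($route)
    {
        $parts = array_map('ucfirst', explode('/', trim($route, '/')));
        $names = array(implode('.', $parts));
        // Walk up the hierarchy, replacing the tail with '*' each level.
        for ($i = count($parts) - 1; $i >= 1; $i--) {
            $names[] = implode('.', array_slice($parts, 0, $i)) . '.*';
        }
        return $names;
    }
}

// Usage in a view: show the portlet only when one of its links is reachable.
if (PortletAccess::canAccessAny(array('user/admin', 'user/create'))) {
    $this->widget('UserPortlet');   // hypothetical portlet widget
}
```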
I’m not sure if I understand what you mean but if you add the other operations under Admin.Default as children to your Admin.Default.* operation it will work.
Yes, it will. But if I don’t create and add these child operations it won’t, however RightsFilter will work correctly. So this is what I am trying to tell, that behaviour of these two is not the same. Shouldn’t it be identical?
The thing with that is that Rights doesn’t alter the implementation of the web user checkAccess except that it returns true implicitly if the user is a superuser. Of course I could add the functionality you requested, but it would affect the performance of checkAccess, which I’d be very careful with.
I have a role named "Developer." If I edit "Developer" in the Rules system under Rights, Developer has rights to "User.Admin".
User "TestDev" is assigned the role "Developer."
If I log in as TestDev and attempt to load /user/admin I’m given a 403.
In UserController.php, I have:
```php
public function filters()
{
    // Attach the Rights filter so every action of this controller is access-checked.
    return array(
        'rights',
    );
}
```
My understanding is: If I’m logged in as a user (TestDev) who has been given a role (Developer) which has a task assigned to it (User.Admin), and I go to a controller’s method (/user/admin) which is tied with the task assigned, I’ll have permission to do that task, OTHERWISE I get a 403.
I’m so toasted on this code, been working on it all day and simply can’t look anymore. Highly possible I skimmed right over my solution in this thread as well trying to track it down. Am I just misunderstanding how roles go together, or have I broken something listed above, or is there somewhere else I should be looking where I might have introduced the bug?
The superuser role always lies on the top of the authorization hierarchy and cannot be assigned as a child to another authorization item. The correct approach is to give your developers the superuser role if they absolutely need to access Rights.
I still think it would be better if a predefined role (which cannot be deleted) with permissions to access Rights could be attributed to other roles. And I think it should not be named Admin, as this is too generic (Admin for Rights, Admin for Users, Admin for the developed system) - maybe AdminRights, or something.
Just my 2 cents.
On another note, about translation:
Could you allow ‘Rights’ to be translated in views? I mean, instead:
First of all Chris, this is really great. I tried a lot of other extensions and I shortlisted this one for one of my SaaS projects. I am relatively new to Yii, so I really need help with my proposed implementation.
How about I keep track of / set a context for my user? So, if I belong to “Admin_1”, my checkAccess method should check only for permissions in the “Admin_1” hierarchy.