Hi! Chris83, nice extension!
If it is possible … could you do a data dictionary for the tables of schema.sql? Please … I’m confused by some columns’ definitions
Regards
I’m not exactly sure what you mean… What did you find confusing?
Hello Chris,
first of all - great extension! Especially, great and simple user interface.
Anyway, I have some questions. I haven’t had a chance to fully test it yet and couldn’t find this in the docs. I hope you will be able to answer those (that’s for sure) just like that :-).
Do all permissions have to be tied to the specific Controller and Action? Or could I just create a task / operation that could be checked across many actions / views via checkAccess? There is a name parameter for each permission and it’s said not to change it unless you know what you are doing, but in the docs there is nothing about that. What kind of changes can I make there?
I probably know the answer for the second question, but… it’s no harm to ask. Let’s assume I’ve created a role called “Customer” with a set of 10 permissions, but then… for only one user I would like to revoke one of the permissions. Can I do this easily? Or do I have to revoke the “Customer” role from the user and manually grant this user those 9 permissions I still want him to have?
I would be very grateful for an answer, because… based on it, I will decide whether I am going to use this extension in my new project.
Thank you very much and… great work!
Hi Chris,
I am a newbie, and I am struggling to install Rights into a freshly created Yii project. My steps are:
1. create yii project
2. download and extract rights into ‘modules’ folder
3. install db manually from schema.sql
4. modify config/main.php
But I always get this error:
include(User.php) [function.include]: failed to open stream: No such file or directory
Can you help me on this? I read somewhere that you point to "Before you start" but I do not quite understand this.
Thanks a lot
PS: here is my main.php
<?php
// uncomment the following to define a path alias
// Yii::setPathOfAlias('local','path/to/local-folder');
// This is the main Web application configuration. Any writable
// CWebApplication properties can be configured here.
return array(
    'basePath'=>dirname(__FILE__).DIRECTORY_SEPARATOR.'..',
    'name'=>'My System',
    // preloading 'log' component
    'preload'=>array('log'),
    // autoloading model and component classes
    'import'=>array(
        'application.models.*',
        'application.components.*',
        'application.modules.rights.*',
        'application.modules.rights.components.*',
    ),
    'modules'=>array(
        // uncomment the following to enable the Gii tool
        /*
        'gii'=>array(
            'class'=>'system.gii.GiiModule',
            'password'=>'Enter Your Password Here',
            // If removed, Gii defaults to localhost only. Edit carefully to taste.
            'ipFilters'=>array('127.0.0.1','::1'),
        ),
        */
        'rights'=>array(
            'install'=>true, // Enables the installer.
        ),
    ),
    // application components
    'components'=>array(
        'user'=>array(
            'class'=>'RWebUser',
            // enable cookie-based authentication
            'allowAutoLogin'=>true,
        ),
        'authManager'=>array(
            'class'=>'RDbAuthManager', // Provides support authorization item sorting.
        ),
        // uncomment the following to enable URLs in path-format
        /*
        'urlManager'=>array(
            'urlFormat'=>'path',
            'rules'=>array(
                '<controller:\w+>/<id:\d+>'=>'<controller>/view',
                '<controller:\w+>/<action:\w+>/<id:\d+>'=>'<controller>/<action>',
                '<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
            ),
        ),
        */
        'db'=>array(
            'connectionString' => 'mysql:host=localhost;dbname=my_system',
            'emulatePrepare' => true,
            'username' => 'root',
            'password' => '',
            'charset' => 'utf8',
        ),
        'errorHandler'=>array(
            // use 'site/error' action to display errors
            'errorAction'=>'site/error',
        ),
        'log'=>array(
            'class'=>'CLogRouter',
            'routes'=>array(
                array(
                    'class'=>'CFileLogRoute',
                    'levels'=>'error, warning',
                ),
                // uncomment the following to show log messages on web pages
                /*
                array(
                    'class'=>'CWebLogRoute',
                ),
                */
            ),
        ),
    ),
    // application-level parameters that can be accessed
    // using Yii::app()->params['paramName']
    'params'=>array(
        // this is used in contact page
    ),
);
Have you created a User model?
Also Chris, I think it would be nice to have a check if the AuthAssignment, AuthItem and AuthItemChild tables don’t exist and then ask for confirmation, because I just… accidentally dropped all the previously defined permissions (I know I should’ve made a backup, but still, a warning would be nice ;>).
Hello Wiktor,
Sorry for the late answer.
To answer your first question: you don’t have to bind permissions to Controllers or Actions, you can just create any permission, assign/revoke that and check it with checkAccess. The reason you shouldn’t change the name is that your permission checks in the code will obviously not work after that.
Rights is built upon Yii’s authorization manager, which only supports allowing and revoking permissions. It does not provide functionality for denying certain permissions. So yes, unfortunately you need to revoke the “Customer” permission and assign the permissions to him separately.
About you losing your data, there should be an overwrite-warning… How did you manage to drop the data? Did you use the installer or did you run the schema directly? Also, what database are you using?
Hopefully Rights is sufficient for your project.
Hi,
A little question: I have added a few fields to the User table (like last_login_time), but I can’t access the property value through Yii::app()->user->last_login_time.
Is the proper way to modify or extend RWebUser?
Thank you,
cbi
A simple way could be:
User::model()->findByPk( (int) Yii::app()->user->getId() )->added_field_name
Feedback welcome!
cbi
Hi folks. Is there a way to revoke all user assignments at once?
Chris,
I really like how well-built this extension is. I’d like your advice on a scenario I’m implementing.
I need to establish rights that are tied to data contained in a table, and I’m curious whether I’ve just missed a way to do this using Rights, or how you would recommend doing this to work well with what you’ve built.
Here’s the scenario I’m trying to work with. I’m building an app that allows users to manage a resource directory that is localized to their city. So I need to be able to give someone rights to do things like edit a table or add a user but only within their city. Cities are all assigned IDs in a city table, and I was envisioning a MANY::MANY relationship between the city table and the user table, since some users will need permissions to perform operations on multiple cities.
Any advice?
Thanks in advance!
Bill
Replying to my own post, I’m thinking this should be a business rule, no?
Hello ShootNik.
You can use
Rights::getAssignedRoles()
It will return an array where the key is the name of the role, i.e. Author, Editor, Admin etc.
Hi!
I’ve tried to understand the schema.sql file and I have some doubts:
*[authitem] In this table, what does the ‘type’ field mean? Can it be role, task or operation (2->role, 1->task, 0->operation)? What is the function of the ‘data’ field?
*[rights] In this table, what does the ‘weight’ field mean? Is the ‘type’ field the same as in [authitem]?
*[authassignment] Is the ‘itemname’ field only a role name? And the ‘data’ field?
*[authitemchild] Can the ‘parent’ and ‘child’ fields be role, task or operation?
Why doesn’t the [user] table have a relation with any of the other 4 tables?
Does [user] have a relation with [authassignment] (user.id=authassignment.userid)?
How can I assign some roles to access some pages?
Regards
Actually, what I need is at a higher level. To anyone’s knowledge is there a way of making the entire Rights module a child of a location identifier? I need to be able to say that if someone has logged in to edit things at location X, he has rights to edit the records; but if he’s logged into location Y, he only has rights to view the records.
What would be the best way to go about this?
Let’s re-word this. I’m using a default named scope for the entire app based on the user identifying what location they want to look at. Is there a way to assign different rights based on the scope?
Ideally I’d like this to work like WordPress MU, where you can give a user one set of rights on one subsite, and a different set of rights on another.
Thanks, hope this is clearer.
Hi Ocean,
I think I have also encountered your situation, wherein I want a department head to access everything that is related to his department, but can not mess with other departments.
Originally I thought of creating a business rule for this, since the department the user belongs to is in the database table. I will allow the department head to access a department only if the department id he is trying to access is the same as the department he belongs to. But sadly, I’m not good at writing business rules and I’m out of time, so I decided to do the workaround. But if you are good at it and there’s something in your table that can be used as an identifier, maybe you can try this out.
I ended up creating a function ‘isDepartment’, which will return true or false depending on the department id being opened if it is equal with the department the user belongs to, and used it like this:
public function actionView($id)
{
    // check if the user owns the department he is trying to view
    if (isDepartment(Yii::app()->user->id))
    {
        // codes for viewing the file
    }
    else
    {
        // open the user's department instead
    }
}
Everything went well just what my client wanted to have, but as the programmer of it, I am not satisfied.
Anyway, that’s my idea of going away with your situation.
Thanks, macinville.
That’s a very close scenario. But I think mine adds another dimension, in that I’d like to give someone different levels of rights in several departments. In one department, they may be the owner and have total rights; in another they may be able to only view and edit records (but not delete them), and in another, they may be able to only add records.
Here’s where I’m at with this so far.
In my situation, it’s Locations (i.e., this city or that city), instead of departments.
I’ve set up a bridge (MANY::MANY) table between users and locations, and created a view called locationselector which is tied to the Location model/controller. When someone logs in, it sends them to the locationselector screen, and they choose their location (from locations they are authorized to manage) from a pulldown menu. On submission, I use user->setState(‘location_id’ => [the location id]) to permanently log this value into the user session. Then at the top of each model, I include the location_id criteria in the Default Named Scope.
So this works great for limiting the scope of what the person is working with. When they’re dealing with Chicago, only the records related to Chicago show up. When they’re dealing with Tucson, only those records show up.
As for varying the permissions they have in these locations, I think what I’m going to need to do is either work with Business Rules, or create a field in the location_user bridge file that defines the role they have in this location. I’m not yet sure how this will tie in with the Rights module, but I could use the Rights module to define everything except the Role assignment, which I’ll have to overwrite.
If anyone has a better way, I’d love to hear it.
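The per-location role idea from the post above, as an added example in plain PHP (it is not part of the original post and not code from the Rights extension). The role names, the `location_user` rows and the `canInLocation` function are hypothetical and constructed; the check denies by default and also compares the record's location with the one stored in the session, so the decision does not rely on the query scope alone.

```php
<?php
// Added example: per-location roles read from a bridge table, deny by default.
// All names and data are hypothetical and constructed for illustration.

// Operations granted by each per-location role.
const ROLE_OPERATIONS = [
    'owner'       => ['view', 'add', 'edit', 'delete'],
    'editor'      => ['view', 'edit'],
    'contributor' => ['view', 'add'],
];

// Constructed rows of a location_user bridge table with a role column.
$locationUser = [
    ['user_id' => 7, 'location_id' => 1, 'role' => 'owner'],
    ['user_id' => 7, 'location_id' => 2, 'role' => 'editor'],
    ['user_id' => 7, 'location_id' => 3, 'role' => 'contributor'],
];

/**
 * Decide whether $userId may perform $operation on a record that belongs to
 * $recordLocationId. $sessionLocationId is the location chosen at login
 * (the value kept in the user session); a record from any other location is
 * refused even if the user holds a role there.
 */
function canInLocation(array $rows, int $userId, int $sessionLocationId,
                       int $recordLocationId, string $operation): bool
{
    if ($sessionLocationId !== $recordLocationId) {
        return false; // record is outside the location selected for this session
    }
    foreach ($rows as $row) {
        if ((int) $row['user_id'] === $userId
            && (int) $row['location_id'] === $recordLocationId) {
            $allowed = ROLE_OPERATIONS[$row['role']] ?? []; // unknown role: no operations
            return in_array($operation, $allowed, true);
        }
    }
    return false; // no bridge row for this user and location
}

var_dump(canInLocation($locationUser, 7, 1, 1, 'delete')); // owner role in location 1
var_dump(canInLocation($locationUser, 7, 2, 2, 'delete')); // editor role in location 2
var_dump(canInLocation($locationUser, 7, 3, 3, 'add'));    // contributor role in location 3
var_dump(canInLocation($locationUser, 7, 2, 1, 'edit'));   // record from another location
var_dump(canInLocation($locationUser, 9, 1, 1, 'view'));   // user without a bridge row
```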
Just download from extension page.
I found a problem with the installation.
In RInstaller.php
…
type=InnoDB
…
should it be engine=InnoDB?
I’m using:
Server version: 5.5.8 MySQL Community Server (GPL)
on Windows 7
(XAMPP bundle)
Yes it should be ENGINE not TYPE, as what was pointed out here.