[EXTENSION] Rights

netracer · March 6, 2011, 9:38pm

Hi there,

i also like the rights module. Thank you for that. But I still have a problem.

I want to give users the right to access the rights admin interface. Can I create a role to give them access? I dont want to give them the role "Administrator" and of course they should not give the "Administrator" role to somebody.

Thank you

macinville · March 7, 2011, 3:40am

Hi Netracer,

If the user has access to Rights, it is as good as being an administrator because he has an access to everything, and grant everything to himself if not everything has been given yet. And restricting him to other tasks will be useless because he can just re-assign that particular rights to himself.

Maybe you can create a different interface and include your desired roles and tasks and operations that should be only seen there, and then grant it to your users of choice. I have actually done the same: copied the rights module and created right_2, and configured it according to my requirements. I did it because I don’t want my client’s admin to be able to generate,create and edit operations and tasks, 'cause it should only be done by me.

Chris83 · March 7, 2011, 9:28pm

Hello NetRacer,

I actually thought of this but when I implemented it caused a lot of problems so I removed it. However I think this is something to conciser so please submit an issue on GoogleCode for this and I’ll do it when I can find the time. In the meanwhile you need to create operations/tasks for Rights and implement the checking of them manually. Sorry for the inconvenience.

Chris83 · March 7, 2011, 9:44pm

Ocean Wind:

Thanks, macinville.

That’s a very close scenario. But I think mine adds another dimension, in that I’d like to give someone different levels of rights in several departments. In one department, they may be the owner and have total rights; in another they may be able to only view and edit records (but not delete them), and in another, they may be able to only add records.

Here’s where I’m at with this so far.

In my situation, it’s Locations (i.e., this city or that city), instead of departments.

I’ve set up a bridge (MANY::MANY) table between users and locations, and created a view called locationselector which is tied to the Location model/controller. When someone logs in, it sends them to the locationselector screen, and they choose their location (from locations they are authorized to manage) from a pulldown menu. On submission, I use user->setState(‘location_id’ => [the location id]) to permanently log this value into the user session. Then at the top of each model, I include the location_id criteria in the Default Named Scope.

So this works great for limiting the scope of what the person is working with. When they’re dealing with Chicago, only the records related to Chicago show up. When they’re dealing with Tucson, only those records show up.

As for varying the permissions they have in these locations, I think what I’m going to need to do is either work with Business Rules, or create a field in the location_user bridge file that defines the role they have in this location. I’m not yet sure how this will tie in with the Rights module, but I could use the Rights module to define everything except the Role assignment, which I’ll have to overwrite.

If anyone has a better way, I’d love to hear it.

Hello Ocean Wind,

I’m dropping in a bit late on the conversation but you’re scenario is indeed a bit different and also complicated. You could do this with a business rule and I think that’s the cleanest way to do it, however that might give you a problem with performance. It would also leave you with the problem of managing the huge amount of permissions if you have one permission for each location.

I would probably try the business rule solution first because it should be by far the easiest to implement. You could just call a function that returns the location and check that it’s the desired location, e.g.




return Yii::app()->user->getLocation()==='Chicago';

I have to think a bit for an alternative solution. I’ll get back to you but it might be a few days. I’m extremely busy at work right now.

Hope this helps.

OceanWind · March 7, 2011, 10:18pm

Chris83:

Hello Ocean Wind,

I’m dropping in a bit late on the conversation but you’re scenario is indeed a bit different and also complicated. You could do this with a business rule and I think that’s the cleanest way to do it, however that might give you a problem with performance. It would also leave you with the problem of managing the huge amount of permissions if you have one permission for each location.

I would probably try the business rule solution first because it should be by far the easiest to implement. You could just call a function that returns the location and check that it’s the desired location, e.g.
return Yii::app()->user->getLocation()==='Chicago';
I have to think a bit for an alternative solution. I’ll get back to you but it might be a few days. I’m extremely busy at work right now.

Hope this helps.

Hi Chris,

Yes, I think this is the way to go, and I’m sure there is a way to do this efficiently. I’m thinking that what I’ll do is store a link to the role type in the user-location bridge file for the MANY::MANY relationship. Then I can grab this and enter it into the user’s state at the time they choose the location they are working on. The roles will be defined the same for all locations. So this could be pretty efficient.

Let me know if you have any other ideas, and thanks for taking the time to get back to me.

Cheers,

Bill

Chris83 · March 8, 2011, 1:04am

Hey Bill,

Maybe you should also look into overloading web user’s checkAccess method to take into account the location?

Just an idea.

markux · March 9, 2011, 4:30pm

Hello everybody,

I tried to add this business rule to role:


$this->redirect(array('page/role'));

but it doesn’t work.

Is it possible to add redirect in busniess rules?

thanks

OceanWind · March 9, 2011, 7:54pm

Thanks. That’s a good lead. I’ll try that.

Bill

markux · March 10, 2011, 10:48am

I solved problem redirect with RWebUser::afterLogin.

another problem: I’ve this controller structure

controllers/Data/FavoritesDataController.php

controllers/Data/Sample/DataController.php

but under Permissions I’ve:

FavoritesData.*

Data.*

and checkaccess return false, then if I modify manually on db:

Data/FavoritesData.*

Data/Sample/Data.*

it works fine.

is it a bug?

tbender · March 10, 2011, 10:55am

Hmm, I have a strange problem:

I got the Rigths-modul to work (installed the tables manually, because I use MS SQl Server), and the permissionchecking works as it should. Except for one thing. I cant allow members of a role (e.g. the Admin role) to get access to the rights module.

I checked it logged in as superuser:

config:




'rights'=>array( 

        	'superuserName'=>'Admin',

)

In the authitemcontroller->init() method I did some debugging:




print_r($this->_authorizer->getSuperusers()); --> array('myUserName'), as expected

Yii::app()->user->getIsSuperuser(); --> true, as expected

But then: CAccessControlFilter->accessDenied(Object(RWebUser), ‘You are not aut…’)

On the other hand, it "works" when I change the settings:




'rights'=>array( 

        	'superuserName'=>'writingsometrashinhere',

)

Debugging the authitemcontroller->init() method:




print_r($this->_authorizer->getSuperusers()); --> array()

Yii::app()->user->getIsSuperuser(); --> true

But I have access.

Can anyone explain what I am doing wrong?

Chris83 · March 10, 2011, 11:54am

Hey markux,

I’m not entirely sure that I’ve implemented support for that kind of controller structure yet.

It should work with:




Data.Sample.Data.*

If it doesn’t please submit an issue on GoogleCode and I’ll put it into the development pipe.

markux · March 10, 2011, 8:05pm

no, it works only with /.

I’ve create an issue with attached file RGenerator that solve the problem.

truck0321 · March 11, 2011, 6:18am

First off, fantastic extension. It took me a while to get it going but most of it was my bad. There was one thing that was not mentioned in documentation. I don’t see anywhere in the documentation what version of MySQL must be used, but I noticed that Rinstaller.php uses type=InnoDB instead of Engine = InnoDB. I needed to update Rinstaller.php in order for the tables to be created. The schema.sql also uses type instead of engine.

I have some usage questions but I’ll save it for another post. Good job and thank you.

truck0321 · March 11, 2011, 6:27am

Oops, sorry, the Engine issue has been covered.

truck0321 · March 11, 2011, 6:26pm

I’d like to create some functions for hiding and displaying menu options for users with different roles. I was using the below code to hide and show different menu options, but Yii::app()->user->isGuest no longer works. What can I use as an alternative now? I know I can return an array of roles assigned to the logged in user and parse that, but is there an easier way? The below snippet was acceptable code to drop in the menu view, but if I’m doing something more complicated, I want to make it reusable and put it somewhere easy to get. Maybe I could add a function right into Rights but that could make upgrading more difficult. Any suggestions?


$loginMenu = array(

	(!Yii::app()->user->isGuest ?

		array('label'=>'Logout ('.Yii::app()->user->userName.')'

			, 'url'=>array('/site/logout')

			, 'linkOptions'=>array('title'=>'Logout'))

		:

		array('label'=>'Login'

			, 'url'=>array('/site/login')

			, 'linkOptions'=>array('title'=>'Login'))

	)

	, array('label'=>'Register'

		, 'url'=>array('/user/register')

		, 'visible'=>Yii::app()->user->isGuest

		, 'linkOptions'=>array('title'=>'Register'))

	);

wjarka · March 11, 2011, 11:37pm

No problem. Sorry for my late reply, too. I didn’t get notifications from here .

But if the name matches Controller.Action it’s automatically checked for that particular controller and action, right?

I wish I don’t have to do this, but thanks for your reply, anyway .

Yes, I used the installer. I just set installer to true in config/main.php. I use mysql.

Yes, it is. My whole team says it’s great, so… good work!

truck0321 · March 12, 2011, 7:56am

I get the following error when using Yii::app()->user->userName to get the username of the currently logged in user.

Property "RWebUser.userName" is not defined

If I change userName to name, it does not error out but it always returns guest as the user no matter what I login as. I’m happy to furnish more info as necessary. Thanks

Chris83 · March 12, 2011, 5:35pm

@Wiktor: The authorization items associated to controller actions should be named {ControllerId}.{ActionId}. However, if you have some custom authorization items and check for those in your code the code will not work after changing the name, obviously.

I’m actually thinking of writing an ACL module for Yii but right now I have too many projects going on so I’m not going to do it right now at least.

Glad to hear that your team liked my module.

@truck0321: With the core web user (CWebUser) you can get the username by calling Yii::app()->user->name (or getName()). It is set when you log in by CWebUser::changeIdentity(). The same applies for the RWebUser which extends CWebUser.

AndreyGeonya · March 16, 2011, 5:08pm

Hi Chris, this is Russian translation for the Rights module. Thanks for the great extension!

sravani · March 17, 2011, 6:59am

Hello chris,

After installing yii rights am getting following issue…

include(C:\xampp\htdocs\myapp\protected\modules\rights\components\RightsWebUser.php) [<a href=‘function.include’>function.include</a>]: failed to open stream: No such file or directory