I just thought about revoking inherited operations. To make things clearer, I will give you an example:
Role "Authenticated" contains the operation "submit comment"; now a user behaves badly and therefore should lose the right to "submit comments". Since this right is inherited through the "Authenticated" role, you can't just revoke the right for the specific user.
That's the point where I would ask you to help me out. What I want are some more (or less) specific tips on where to start / how to implement such functionality best.
Since I am on the point of smashing my head against the wall, I am gonna get some sleep.
I really hope someone has an idea.
Thanks in advance.
PS: If it's actually possible to do such things, I will just kill myself.
PPS: I don't need already working code, though I wouldn't bother taking yours ;-).
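One way to get "revoke a single inherited operation for one user" is to keep a per-user revocation list and consult it before the role hierarchy is walked, so that an explicit deny wins over an inherited allow. The resolver below is an added illustration written for this thread, not code from the Rights extension or from Yii; the item names (Authenticated, SubmitComment), the user ids and the in-memory tables are constructed sample data.

```php
<?php
// Added illustration (not from the thread): a minimal resolver in which an
// explicit per-user revocation overrides an operation inherited via a role.
// All names and tables here are made up for the example.

class DenyAwareAuth
{
    /** @var array<string, string[]> parent item => child items (roles or operations) */
    private $children = array();
    /** @var array<int, string[]> userId => assigned roles */
    private $assignments = array();
    /** @var array<int, string[]> userId => explicitly revoked operations */
    private $revocations = array();

    public function addChild($parent, $child)
    {
        $this->children[$parent][] = $child;
    }

    public function assign($role, $userId)
    {
        $this->assignments[$userId][] = $role;
    }

    /** Revoke one operation for one user without touching the role itself. */
    public function revoke($operation, $userId)
    {
        $this->revocations[$userId][] = $operation;
    }

    /** Deny wins: an explicit revocation short-circuits the inherited lookup. */
    public function checkAccess($operation, $userId)
    {
        $revoked = isset($this->revocations[$userId]) ? $this->revocations[$userId] : array();
        if (in_array($operation, $revoked, true)) {
            return false;
        }
        $roles = isset($this->assignments[$userId]) ? $this->assignments[$userId] : array();
        foreach ($roles as $role) {
            if ($this->inherits($role, $operation, array())) {
                return true;
            }
        }
        return false;
    }

    /** Depth-first walk of the item hierarchy; $seen guards against cycles. */
    private function inherits($item, $operation, array $seen)
    {
        if ($item === $operation) {
            return true;
        }
        if (isset($seen[$item]) || empty($this->children[$item])) {
            return false;
        }
        $seen[$item] = true;
        foreach ($this->children[$item] as $child) {
            if ($this->inherits($child, $operation, $seen)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample hierarchy: Authenticated -> SubmitComment, two members.
$auth = new DenyAwareAuth();
$auth->addChild('Authenticated', 'SubmitComment');
$auth->assign('Authenticated', 42);
$auth->assign('Authenticated', 43);

var_dump($auth->checkAccess('SubmitComment', 42)); // inherited through the role
$auth->revoke('SubmitComment', 42);                 // the misbehaving user loses only this right
var_dump($auth->checkAccess('SubmitComment', 42)); // now denied for user 42 only
var_dump($auth->checkAccess('SubmitComment', 43)); // user 43 is unaffected
```

In a Yii 1.x application the same idea fits as a subclass of the configured auth manager (CDbAuthManager) whose checkAccess() first queries a revocation table and only then defers to the parent implementation; that subclass and table are a suggestion, not something Rights ships with.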
Using 1.3.0.r147 I ran into a bug that took me a couple of hours to figure out, so I'm posting my solution here for others.
Installing Rights and trying to visit its page I would get “Error 403 You are not authorized to perform this action.” The problem is that getSuperusers() is hardcoded to get the username from the ‘name’ column in the user table and is ignoring the configuration setting userNameColumn. The documentation seemed to imply otherwise which was a source of confusion for me.
Source of the problem is here in Rights/Components/RAuthorizer.php line 299:
```php
foreach( $users as $user )
    $superusers[] = $user->name; // hard-coded 'name' column; the userNameColumn setting is ignored
```
I made the following change which seems to fix this:
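The poster's own patch is not on the page; the function below is an added illustration of the shape such a fix takes: the column name is taken from configuration and accessed dynamically instead of being hard-coded. The user records and the column name are constructed sample data; in Rights the column name would come from the module's userNameColumn setting mentioned above.

```php
<?php
// Added illustration, not the poster's patch: resolve superuser names through
// a configurable column instead of a hard-coded ->name. $users and
// $userNameColumn are constructed here.

function collectSuperusers(array $users, $userNameColumn)
{
    // The value comes from configuration, but only a plain identifier makes
    // sense as a column name; refusing anything else turns a misconfiguration
    // into an immediate error rather than a silent empty superuser list.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $userNameColumn)) {
        throw new InvalidArgumentException("Invalid user name column: $userNameColumn");
    }
    $superusers = array();
    foreach ($users as $user) {
        if (!property_exists($user, $userNameColumn)) {
            throw new RuntimeException("User record has no '$userNameColumn' attribute");
        }
        $superusers[] = $user->{$userNameColumn};
    }
    return $superusers;
}

// Constructed records: this table stores logins in 'username', not 'name'.
$users = array(
    (object) array('id' => 1, 'username' => 'alice'),
    (object) array('id' => 2, 'username' => 'bob'),
);
print_r(collectSuperusers($users, 'username'));
```

With CActiveRecord objects the attribute check would be hasAttribute($userNameColumn) rather than property_exists(), since ActiveRecord attributes are served through magic getters.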
I am developing a POS application based on yii, bootstrap, yii-user and rights.
I have two roles, supervisor and operator. Operator cannot delete or update the line item, whereas supervisor can. The thing is that sometimes the operator makes a silly mistake that needs to be edited or deleted. I want the supervisor to be able to update or delete without the operator logging out first. Is it possible to do that? Probably by providing a form that needs to be filled in by the supervisor. The form contains the username and password of the supervisor. And I want the submitted form to be regarded only for this one action.
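The question above has no answer on this page; the sketch below is an added example of the pattern it describes, written for this thread rather than taken from Yii, yii-user or Rights. The supervisor re-authenticates in a form, and on success a single-use token bound to one action and one line item is issued; the action consumes the token, and the operator's session is never switched. The user table, the action name and the item id are constructed sample data.

```php
<?php
// Added sketch, not from the thread: a one-shot supervisor override.
// Storage and user lookup are stubbed with in-memory arrays (constructed data).

class SupervisorOverride
{
    private $users;            // username => array('hash' => ..., 'role' => ...)
    private $tokens = array(); // token => array('action', 'itemId', 'expires')

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /** Verify supervisor credentials and issue a token for exactly one action on one item. */
    public function authorize($username, $password, $action, $itemId)
    {
        if (!isset($this->users[$username])) {
            return null;
        }
        $u = $this->users[$username];
        // Both the password and the role must check out; an operator's
        // credentials cannot grant an override.
        if (!password_verify($password, $u['hash']) || $u['role'] !== 'supervisor') {
            return null;
        }
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = array(
            'action'  => $action,
            'itemId'  => $itemId,
            'expires' => time() + 60, // short lifetime: the form is submitted right away
        );
        return $token;
    }

    /** Consume the token; it is valid once, and only for the bound action and item. */
    public function consume($token, $action, $itemId)
    {
        if (!isset($this->tokens[$token])) {
            return false;
        }
        $t = $this->tokens[$token];
        unset($this->tokens[$token]); // single use, even when the check below fails
        return $t['expires'] >= time()
            && $t['action'] === $action
            && $t['itemId'] === $itemId;
    }
}

// Constructed sample users.
$override = new SupervisorOverride(array(
    'sup' => array('hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'role' => 'supervisor'),
    'op'  => array('hash' => password_hash('op-pass', PASSWORD_DEFAULT), 'role' => 'operator'),
));

$token = $override->authorize('sup', 's3cret', 'deleteLineItem', 17);
var_dump($override->consume($token, 'deleteLineItem', 17));   // the one permitted use
var_dump($override->consume($token, 'deleteLineItem', 17));   // same token again: a replay
var_dump($override->consume($token, 'updateLineItem', 17));   // token is gone either way
var_dump($override->authorize('op', 'op-pass', 'deleteLineItem', 17)); // operator credentials
```

In a real deployment the token store would live server-side (database or cache) keyed to the operator's session, the supervisor form would be posted over HTTPS and protected by Yii's CSRF token, and both the grant and the consumed action should be logged with both usernames so the override is auditable.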
I ran into this. I believe you need to call checkAccess from within an access filter method in your controller rather than in the controller action itself … access control happens before the controller action is called
My code is similar but has a few differences … it did work … here it is for you to compare.
Maybe instead of:
'changePassword + changePassword'
do
'changePassword + update'
??
```php
public function filters()
{
    return array(
        // 'accessControl', // perform access control for CRUD operations
        'accessOwn + view, update', // Apply this filter only for the view and update actions.
        'rights',                   // index 1 in this array, see removeAt(1) below
    );
}

/**
 * Filter method for checking whether the currently logged in user
 * is the owner of the location being accessed.
 */
public function filterAccessOwn($filterChain)
{
    $id = Yii::app()->request->getParam('id');
    $model = $this->loadModel($id);
    // Remove the 'rights' filter if the user can manage the location
    if (Yii::app()->user->checkAccess('ManageLocations', array('userid' => $model->company->owner->id)))
        $filterChain->removeAt(1);
    $filterChain->run();
}
```
I have a problem with the class-based actions of the site-controller. When you look at the default site-controller there is a page action to display static pages. It looks like this:
```php
public function actions()
{
    return array(
        // page action renders "static" pages stored under 'protected/views/site/pages'
        // They can be accessed via: index.php?r=site/page&view=FileName
        'page' => array(
            'class' => 'CViewAction',
        ),
    );
}
```
I don't want Guests to access every action of the site controller, so I cannot grant access to the site.* operation. So when I want my users to display static pages with the page action defined above, I have to grant access to that particular action, but the permission cannot be created with the rights generator, because it is not defined in the classic way with an actionPage() function.
Of course I could create an actionPage() function replacing the standard Yii code, but I was wondering if there is a more elegant solution within Yii.
I just added the line below to my controller where I do image uploads by CSwfUpload, and I get Error #2038 just the first time that I try, then everything works.
```php
public function allowedActions() { return '*'; }
```
Now I am trying to understand if this line will make my app unsafe. Do you know about it?
I imagine that you are using the swfupload extension (I've never used it). Did you set the correct allowed file extensions in the widget call?
In your controller (the one that is handling the upload actions), comment out all the stuff related to access control; does the upload then work well? If not, the problem doesn't come from Rights.
For access control with Rights, you have to configure your controller as described in post 541 above. Then you can use the Rights web interface to allow or deny access to the controller's upload action…
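As an added example for the two questions above (the class-based page action, and whether allowedActions() returning '*' is safe), the controller below shows the weak setting beside a restricted one. It is written for this thread, not taken from Rights; it assumes the Rights convention that allowedActions() on an RController returns a comma-separated list of actions exempt from the 'rights' filter, with '*' meaning every action, and it assumes the SWFUpload default form field name 'Filedata'.

```php
<?php
// Added example, not from the thread. Assumes RController::allowedActions()
// lists actions that bypass the 'rights' filter ('*' = all of them).

class UploadController extends RController
{
    public function filters()
    {
        return array(
            'rights', // Rights decides access for every action not listed in allowedActions()
        );
    }

    // Weak: '*' exempts every action from Rights, so the upload action (and
    // anything else in this controller) is reachable without any permission.
    // public function allowedActions() { return '*'; }

    // Restricted: only the actions that must work without a Rights check are
    // listed. 'page' is the class-based CViewAction that has no actionPage()
    // method; 'upload' stays protected and is granted through the Rights UI.
    public function allowedActions()
    {
        return 'index, page';
    }

    public function actions()
    {
        return array(
            'page' => array('class' => 'CViewAction'),
        );
    }

    public function actionUpload()
    {
        // Reached only when the current user holds the Rights item for this
        // action. The file is still validated here: the Flash uploader is a
        // separate client and its own extension filter is not a server check.
        $file = CUploadedFile::getInstanceByName('Filedata'); // assumed field name
        $allowed = array('jpg', 'jpeg', 'png', 'gif');
        if ($file === null || !in_array(strtolower($file->getExtensionName()), $allowed, true)) {
            throw new CHttpException(400, 'Unsupported file.');
        }
        // ... store $file under a server-chosen name outside the web root
    }
}
```

Error #2038 is an SWFUpload-side I/O error, which is why a 403 from the rights filter shows up that way on the first request; listing only the public actions keeps the upload action behind Rights instead of opening the whole controller.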
Okay this question is kind of stupid I guess, but:
rights is compatible with Yii’s default “accessControl”, but it’s maybe not perfect, right?
If I want to manage multiple admins via rights, I could use accessControl to determine which actions are allowed for everyone and which are allowed for registered users only, since accessControl’s “admin”-group is something different.
Then, I could use rights +adminAction1 +adminAction2 +adminAction3… as a secondary filter.
Whenever a logged-in standard user tries to access "adminAction1", first accessControl lets him through, but then rights looks up the user's permissions and denies him access.
(Meaning that rights automatically follows this 'deny if I don't have an explicit permission for you' approach, which accessControl only gains from the deny array.)
That said, in most cases the better option would still be to use rights as the only filter for all actions, then create the corresponding auth items within rights and use the RBAC scheme for everything, I guess.
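The two-layer setup described above, as an added example written for this thread (not code from Yii or Rights): accessControl separates guests from logged-in users, and the 'rights' filter is attached only to the admin actions using Yii's 'filter + action, action' syntax, so a logged-in user without an explicit Rights assignment is still denied there. The action names are invented for the illustration.

```php
<?php
// Added example, not from the thread: accessControl as the first layer,
// 'rights' as the second layer on the admin actions only.

class AdminController extends RController
{
    public function filters()
    {
        return array(
            'accessControl',
            // Yii filter syntax: filter name, '+', comma-separated action list.
            'rights + adminAction1, adminAction2, adminAction3',
        );
    }

    public function accessRules()
    {
        return array(
            // anyone may see the public pages
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
            // only authenticated users get as far as the admin actions ...
            array('allow',
                  'actions' => array('adminAction1', 'adminAction2', 'adminAction3'),
                  'users'   => array('@')),
            // ... and everything not matched above is denied
            array('deny', 'users' => array('*')),
        );
    }

    public function actionAdminAction1()
    {
        // A logged-in user reaches this point only if accessControl allowed the
        // action AND the rights filter found an auth item assigned to the user.
        $this->render('adminAction1');
    }
}
```

The alternative the post ends on, 'rights' as the sole filter, is the same filters() array without 'accessControl' and with plain 'rights'; guest access to index and view is then expressed as Rights assignments to the Guest role rather than as accessRules().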
I have installed according to the documentation. For me it seems nothing really happens when I change an assignment. I'm sure I'm missing something because I'm a beginner. Would you be so kind as to help me?
Sorry for disturbing; now I begin to get the picture. What was missing was changing to RController in Controller.php and putting this into projectcontroller:
```php
public function filters()
{
    return array(
        //'accessControl', // perform access control for CRUD operations
        'rights',
    );
}
```