[EXTENSION] Rights

Did you check rights/authItem/permissions ?

In my system, Guest has User as parent and Issue.Index, etc. as children.

You don’t need that bizrule, because you’ve setup the filter.

Please check that you’ve applied the rights filter to your UserController and all other controllers for that matter.

<edit>

Check on the Generator page too to see if there’s anything missing.

</edit>

It seems there is nothing strange in the permission table. I generated all actions and assigned all Controller (User) actions to Guest, but it is not working; I am doing something else wrong.

Good day! I use Rights with yii-user, and I want to find the best way to assign a user to some role automatically after registration. What do you think is the way to do it?

I put this in modules/user/controllers/RegistrationController/actionRegistration:


if ($model->save()) {
   $profile->user_id=$model->id;
   $profile->save();

   // Assign to default role
   $model->attachBehavior('rights', new RightsUserBehavior);

   Yii::app()->getModule('rights')->getAuthorizer()->authManager->assign('User', $model->getId());
   $auth = Yii::app()->authManager;
   $auth->assign('User',$model->id);
}



Of course, it would be better if I extended it instead of modified it because it makes it harder to upgrade.

Maybe later.

But it works. ;)

BTW: the role is ‘User’.

Hi, great module!

Rights checking does not work for a submodule.

class RightsFilter{
....
if( ($module = $controller->getModule())!==null )
    $authItem .= ucfirst($module->id).'.';
$authItem .= ucfirst($controller->id);
....
}

This returns Admin/node.Node

RightsGenerator returns Node.Node

=====> the right to pass

If we use $module->name then everything works:

if( ($module = $controller->getModule())!==null )
   $authItem .= ucfirst($module->name).'.';




P.S.: I’m sorry for my english, I’m from Russia
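The mismatch reported in the post above, as an added example that is not code from Rights or from the poster: StubModule is a constructed stand-in for a Yii 1.x web module (getId() is the full module path, getName() its last segment), and the module tree is made up. It goes one step further than the post and shows a caveat of the name-based scheme: submodules that share a last segment end up with the same auth item, so a permission granted for one also covers the other.

```php
<?php
// Added example. StubModule is a constructed stand-in for a Yii 1.x web module.
class StubModule
{
    private $id;
    public function __construct($id) { $this->id = $id; }
    public function getId() { return $this->id; }                 // e.g. "admin/node"
    public function getName() { return basename($this->id); }     // e.g. "node"
}

// Auth item built as in the RightsFilter excerpt above (module id).
function itemFromId(StubModule $m, $controllerId)
{
    return ucfirst($m->getId()) . '.' . ucfirst($controllerId);
}

// Auth item built with the change proposed in the post (module name).
function itemFromName(StubModule $m, $controllerId)
{
    return ucfirst($m->getName()) . '.' . ucfirst($controllerId);
}

// Constructed module tree: two submodules share the last segment "node".
$controllers = array(
    array('admin', 'user'),
    array('admin/node', 'node'),
    array('shop/node', 'node'),
);

$seen = array();
foreach ($controllers as $pair) {
    list($moduleId, $controllerId) = $pair;
    $module = new StubModule($moduleId);
    $byId = itemFromId($module, $controllerId);
    $byName = itemFromName($module, $controllerId);
    printf("%-11s by id: %-16s by name: %s\n", $moduleId, $byId, $byName);
    if (isset($seen[$byName])) {
        echo "  collision: {$seen[$byName]} and $moduleId both map to $byName\n";
    }
    $seen[$byName] = $moduleId;
}
```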

You could also write:




$profile->user_id=$model->id;
$profile->save();

$model->attachBehavior('rights', new RightsUserBehavior); // why would you need this?

// Assign the default role
Rights::assign('User', $model->getId());



There are quite a few methods in the static Rights-class that you can use.

I was using:




	protected function afterSave()
	{
		$auth=Yii::app()->authManager;
		$auth->assign('Author', $this->id);
		return parent::afterSave();
	}



Thanks for the tip; I will start using Rights::assign() from now on.

Can you please set/mention about these functions on the documentation?

Great idea! :)

I like the idea of having a section about integration in the documentation but unfortunately I do not have time to write it right now. However, I will do this ASAP.

With your implementation you’re by-passing the RightsAuthorizer, which you should not because it will almost certainly cause problems.

Hello,

The same problem here - can’t configure module for guest access. For registered users all works fine.

I have in config:




  'rights' => array(
    ...
    'guestName' => 'Guest',                     // Name of the guest role.
    'defaultRoles' => 'Guest',                  // List of role names that are assigned to all users.
    'enableBizRule' => true,                    // Whether to enable authorization item business rules.
    ...
  )



Next step: I created the role ‘Guest’ and assigned some tasks and operations, for example ‘Site.*’. But a user who is not logged in still does not have access to controller ‘Site.*’. I tried adding the bizrule ‘return Yii::app()->user->isGuest;’ for the role ‘Guest’. The same: no access to controller ‘Site.*’.

In user table I do not have user ‘Guest’, of course.

Where is problem?

Hi, I solved this problem by adding ‘defaultRoles’ => array (‘Guest’) in authManager




                'authManager' => array(
                    'class'=>'RightsAuthManager',
                    'defaultRoles'=>array('Guest'),
                ),



Thanks a lot. It really works. It seems ‘defaultRole’ does not work correctly in the module and we need to reassign it in authManager.

Hello guys,

I’ve been a bit busy at work lately but I’ll try to answer a few things that you were wondering about.

Hopefully these problems have not caused too many headaches.

Actually, I tested and default roles work fine, but it needs to be an array in the rights configuration.


IMO Content.Update should be the parent of Content.Update.Own because the latter is a "lower" permission.


The bizRule should be:




return Yii::app()->user->id==$params["userId"];



And the checkAccess-call should be:




Yii::app()->user->checkAccess('Content.Update.Own', array(
	'userId'=>$content->user_id,
));




Actually, I didn’t include this because I simply do not set the controller to use the filter if I want to allow all actions.

OK, I will write some arguments for why this option would be usable:

In many cases we use third-party extensions (modules) whose controllers inherit from Controller.php

The best way to integrate them with Rights without modifying the extension sources is adding ‘rights’ to filters() in Controller.php, but in this case it would be nice to also add there

public function allowedActions() { return '*'; }

to allow all actions by default.

If Yii gave the possibility to configure filters via the application config it would be no problem, but we don’t have such a possibility.

You can offer other way to integrate third party modules with Rights without modification of this module sources :)

That sounds totally unheard of un-safe!

Never! :lol:

What if you forget an important permission/role/task?

And suddenly a guest can access the admin area or some obscure action somewhere…

Nah.

If so, it must be turned off by default.

I’ve added the option to set allowed actions to “*” in order to allow access to all actions within the controller. However, I’m not willing to set that to the default value because of security reasons.

This improvement has been committed to the repository and will be available in the next release.

Chris83

Thanks! Nice ^_^

jacmoe Yes, it doesn’t need to be a default option in Rights. But it is convenient to write

public function allowedActions() { return '*'; }

in the common controller parent class of my application at the development stage.
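A pre-deployment check for the concern raised in this exchange, as an added example (not code from Rights or from the posters): it lists controllers whose allowedActions() yields the '*' wildcard and names the class that declares it, so a wildcard left in a shared parent class is caught. The controller classes are constructed, and treating the return value as a comma-separated list of action names is an assumption.

```php
<?php
// Added example with constructed controllers. Only allowedActions() and its
// '*' value come from the thread; the list format is an assumption.
class BaseController
{
    public function allowedActions() { return ''; }      // every action goes through the filter
}
class DevBaseController extends BaseController
{
    public function allowedActions() { return '*'; }     // development-stage shortcut
}
class SiteController extends BaseController
{
    public function allowedActions() { return 'index, error'; }
}
class AdminController extends DevBaseController {}        // inherits '*' without declaring it

// Map each wildcard controller to the class that actually declares the wildcard.
function findWildcardControllers(array $classes)
{
    $found = array();
    foreach ($classes as $class) {
        $controller = new $class();
        $names = array_map('trim', explode(',', $controller->allowedActions()));
        if (in_array('*', $names, true)) {
            $method = new ReflectionMethod($class, 'allowedActions');
            $found[$class] = $method->getDeclaringClass()->getName();
        }
    }
    return $found;
}

$report = findWildcardControllers(array('SiteController', 'AdminController'));
foreach ($report as $class => $declaredIn) {
    echo "$class skips the rights check for all actions (declared in $declaredIn)\n";
}
if ($report) {
    exit(1);   // non-zero status lets a build or deploy step stop here
}
```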

Hi,

Nice extension.

In order to include the class-based actions, I suggest adding the following code (or something like this) in the getControllerActions() function:




   include_once $controller['path'];
   $controllerClassName = ucfirst($controllerName)."Controller";
   $inst = new $controllerClassName(0);
   $classBasedActions = $inst->actions();
   foreach ($classBasedActions as $actionName => $actionParams){
      $actions[$actionName] = array ( 'name' => ucfirst($actionName) );
   }



just before this line




   $items['controllers'][ $controllerName ]['actions'] = $actions;



Hello Rochdi,

I looked into this but it’s not actually that simple because I ran into trouble when trying to import controllers from modules and submodules. Might be something silly but I don’t have time to test it thoroughly now. I’ll report back later.

Hi, I love this extension, thank you very much for building it.

I’m running into a weird issue that I am sure is a simple fix, I’m just missing it.

I have the following code setup




'rights'=>array(
    'superuserName'=>'Admin',
    'authenticatedName'=>'Authenticated',
    //'guestName'=>'Guest',
    //'defaultRoles'=>array('Guest'),
    'install'=>false,
    'debug'=>false,
),

When I am not logged in the “Guest” is working correctly, but when I log in and expect to have “Authenticated” rules work, they are not working. I tested this by implicitly assigning “Authenticated” to a user and then it will work. For some reason my default assignment for “Authenticated” for an authenticated person isn’t happening.

Here is my authManager snippet as well:


'authManager'=>array(
    'class'=>'RightsAuthManager',
    'connectionID'=>'db',
    'defaultRoles'=>array('Guest'),
),

I should note that I am using “Yii-User” as my authentication system. Tried to look to see if this is the issue (which is where I am betting it is), but can’t find anything.

Snippet of yii-user code used:


'user'=>array(
    // enable cookie-based authentication
    'class'=>'RightsWebUser',
    'allowAutoLogin'=>true,
    'loginUrl' => array('/user/login'),
),

UPDATE:

Fixed my issue, it seems that "Authenticated" by default does not have the biz rule put in. I added


return !Yii::app()->user->isGuest;

to the biz rule for "Authenticated" and now it works. I knew it would be something simple… sorry for the trouble.

The same problem is here. Yes, a biz rule can help in this situation, but as I understand it, the "Authenticated" role must work without biz rules.
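How default roles and business rules interact in a Yii 1.x-style auth manager, as an added sketch (not code from Rights, Yii or the posters): a default role is held implicitly by every user, guests included, so the business rule is the only thing that separates 'Guest' from 'Authenticated'. MiniAuth, the closures standing in for bizRule strings and the item 'Account.Update' are constructed; explicit assignments and whatever Rights itself does with authenticatedName are not modelled.

```php
<?php
// Added sketch of default-role resolution; MiniAuth and item names are constructed.
class MiniAuth
{
    public $defaultRoles = array();   // roles every user holds, guests included
    private $rules = array();         // item => bizRule closure, or null for none
    private $parents = array();       // child item => list of parent items

    public function addItem($name, $bizRule = null) { $this->rules[$name] = $bizRule; }
    public function addChild($parent, $child) { $this->parents[$child][] = $parent; }

    // Grant when the item, or an ancestor reached through passing bizRules,
    // is one of the default roles.
    public function checkAccess($item, $isGuest)
    {
        $rule = isset($this->rules[$item]) ? $this->rules[$item] : null;
        if ($rule !== null && !$rule($isGuest)) {
            return false;
        }
        if (in_array($item, $this->defaultRoles, true)) {
            return true;
        }
        $parents = isset($this->parents[$item]) ? $this->parents[$item] : array();
        foreach ($parents as $parent) {
            if ($this->checkAccess($parent, $isGuest)) {
                return true;
            }
        }
        return false;
    }
}

function buildAuth($withBizRules)
{
    $auth = new MiniAuth();
    $auth->defaultRoles = array('Guest', 'Authenticated');
    $auth->addItem('Guest', $withBizRules ? function ($isGuest) { return $isGuest; } : null);
    $auth->addItem('Authenticated', $withBizRules ? function ($isGuest) { return !$isGuest; } : null);
    $auth->addItem('Account.Update');
    $auth->addChild('Authenticated', 'Account.Update');
    return $auth;
}

foreach (array(false, true) as $withBizRules) {
    $auth = buildAuth($withBizRules);
    printf("bizRules %s: guest=%s logged-in=%s\n", $withBizRules ? 'on ' : 'off',
        var_export($auth->checkAccess('Account.Update', true), true),
        var_export($auth->checkAccess('Account.Update', false), true));
}
```

Without the rules, the guest check on 'Account.Update' succeeds as well, because the parent role is a default role that nothing filters.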