[EXTENSION] srbac : Web interface for the administration of rbac

Great tool, although there are a few things it took me a while to figure out (these may be documented somewhere but I couldn't find them), and feel free to correct me if I'm wrong (although if I'm not, adding these to the manual would be great).

  1. Debug mode = AccessChecks are off. Nearly scrapped using SRBAC in my project as it looked like it wasn't working, as all my users could access admin stuff. Debug=false and everything worked! Maybe different naming for this? Debug (true/false) = debug statements, srbacOn (true/false) = turn SRBAC on or off, installMode (true/false) = create DB tables etc.? Just an idea.

  2. Remove accessRules() and the accessControl filter from the controller. Took me a while to find something on this.

  3. In views, to check access in order to display content depending on role:

if(Yii::app()->user->checkAccess('role or operation or task')). Again, not sure if this is the correct way to do this as I couldn't find any info on it, but it seemed to work for me. Only concern is if I change the role, operation or task name I'd need to update all my view checks. There is probably a better way to do this, so please let me know.

Anyway cracking module Spyros and thanks for putting it out there for us newbies to use! :)
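As an added example (not code from the srbac package or from the post above), here is how the three points fit together in a Yii 1.1 application: a controller that leaves authorization to srbac by extending SBaseController (no accessRules(), no accessControl filter), and a view that hides controls with Yii::app()->user->checkAccess(). Auth item names are kept in one class so that renaming a role or task in the srbac interface means updating one constant rather than every view. Assumptions: srbac is installed under protected/modules/srbac with the authManager configured as elsewhere in this thread, a Post model exists, 'admin' is a constructed role name, and 'PostUpdate' is the operation name srbac auto-creates for PostController::actionUpdate (controller name followed by action name, the same pattern as the 'alwaysAllowed' entries such as 'SiteLogin').

```php
<?php
// Added example, not srbac's own code. Three files are shown in one listing;
// the path comment above each part says where it would live.

// protected/components/AuthNames.php
// One place for auth item names: rename the item in srbac, change one constant.
class AuthNames
{
    const ROLE_ADMIN   = 'admin';      // role created in the srbac web interface (constructed)
    const OP_POST_EDIT = 'PostUpdate'; // operation generated by "Autocreate AuthItems" (assumed name)
}

// protected/controllers/PostController.php
// With 'debug'=>true in the srbac module config the access checks are skipped,
// so test authorization with debug switched off.
class PostController extends SBaseController
{
    // Deliberately no accessRules() and no 'accessControl' entry in filters():
    // SBaseController checks the "<Controller><Action>" auth item before each action.

    public function actionView($id)
    {
        $this->render('view', array('model' => $this->loadModel($id)));
    }

    public function actionUpdate($id)
    {
        $model = $this->loadModel($id);
        if (isset($_POST['Post'])) {
            $model->attributes = $_POST['Post']; // mass assignment limited by the model's safe rules
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }

    protected function loadModel($id)
    {
        $model = Post::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        return $model;
    }
}

// protected/views/post/view.php
// The view only decides what to render. The update action itself is still guarded
// by srbac, so hiding the link is not what keeps a user out of actionUpdate.
$user = Yii::app()->user;
if ($user->checkAccess(AuthNames::OP_POST_EDIT)) {
    echo CHtml::link('Edit', array('post/update', 'id' => $model->id));
}
if ($user->checkAccess(AuthNames::ROLE_ADMIN)) {
    echo CHtml::link('Manage roles', array('/srbac/authitem/manage'));
}
```

checkAccess() on an operation returns true when any role assigned to the user reaches that operation through the task/operation hierarchy, so the view can ask about the fine-grained item while users are only ever assigned roles.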

Sry, I posted it to a wrong topic - I’ll remove it if possible.

The following error was displayed after I had installed srbac - Yii version 1.1.7 on PHP 5.1.6, Apache 2.2, Fedora.

Thus I inserted an if(isset($this->data)) block into AuthItem.php, because that data was null and it caused the error. Do you think it is a necessary fix, or is there a nicer fix?




  protected function afterFind() {
    parent::afterFind();
    // 'data' is NULL for items saved without extra data; unserialize() needs a string
    if (isset($this->data)) {
      $this->data = unserialize($this->data);
    }
  }






PHP Error

unserialize() [function.unserialize]: Argument is not a string

/var/www/html/kensaku/protected/modules/srbac/models/AuthItem.php(109)

097 //    parent::beforeSave();
098 //  }
099 
100 
101   protected function beforeSave() {
102     $this->data = serialize($this->data);
103     return parent::beforeSave();
104   }
105 
106   protected function afterFind() {
107     parent::afterFind();
108 //    if(isset($this->data)){
109     $this->data = unserialize($this->data);
110 //    }
111   }
112 
113   protected function afterSave() {
114     parent::afterSave();
115     $this->data = unserialize($this->data);
116     if($this->oldName != $this->name) {
117       $this->model()->updateByPk($this->oldName, array("name"=>$this->name));
118       $criteria = new CDbCriteria();
119       $criteria->condition = "itemname='".$this->oldName."'";
120       Assignments::model()->updateAll(array('itemname'=>$this->name),$criteria);
121       $criteria->condition = "parent='".$this->oldName."'";


Hi Spyros,

I want to alter table 'itemchildren' to add a column called 'direct_action' set to 'module/controller/action' or 'controller/action' that can be used directly in CHtml::link() - ideally when a Task is saved.

At your convenience, can you please tell me how to do this easily in AuthItem.afterSave().

Thanks for the wonderful extension.

Regards,

D

Sorry, on a closer look I think my ideal table will be items.

Done in AuthitemController::actionAutoCreateItems() with $auth->direct_action = trim($controller . '/' . (count($act) > 1 ? $act[1] : $act[0]));

I have set an action that has a parameter (e.g. actionIndex($p)) to alwaysAllowed in the srbac system, and it's saved in allowed.php in the srbac system. When I try to access the page, I get this message:

Error:403 'You are not authorized for this action'

Error while trying to access /page/index.

When I try to remove the parameter inside the allowed.php file, it works; I can access those actions. What actually happens? Is that a bug, or something that I missed???

Thanks in advance…

P.S.: I've already deleted actionRules inside my controller, and I still see those messages. ???

Hi

This really seems to be a great extension. Easy to use etc.

I installed it and it seems to work more or less…

In my case I'm getting the same error when I click on "Autocreate AuthItems", "Edit always allowed list" and "Clear obsolete authitems".

It says the alias "import.ImportModule" is invalid.

And I shall make sure that the alias points to an existing PHP file…

But unfortunately I couldn't find anything about that error.

What could be the problem?

Here is the error message:




CException

Alias "import.ImportModule" ist ungültig. Stellen Sie sicher, dass er auf eine existierende PHP-Datei verweist. (/var/www/Yii/framework/YiiBase.php:310)

#0 /var/www/Yii/framework/YiiBase.php(190): YiiBase::import('import.ImportMo...', true)
#1 /var/www/Yii/framework/base/CModule.php(266): YiiBase::createComponent('import.ImportMo...', 'import', NULL, Array)
#2 /var/www/JobCockpit/protected/modules/srbac/controllers/AuthitemController.php(933): CModule->getModule('import')
#3 /var/www/JobCockpit/protected/modules/srbac/controllers/AuthitemController.php(915): AuthitemController->_getControllers()
#4 /var/www/Yii/framework/web/actions/CInlineAction.php(57): AuthitemController->actionAuto()
#5 /var/www/Yii/framework/web/CController.php(300): CInlineAction->run()
#6 /var/www/Yii/framework/web/CController.php(278): CController->runAction(Object(CInlineAction))
#7 /var/www/Yii/framework/web/CController.php(257): CController->runActionWithFilters(Object(CInlineAction), Array)
#8 /var/www/Yii/framework/web/CWebApplication.php(328): CController->run('auto')
#9 /var/www/Yii/framework/web/CWebApplication.php(121): CWebApplication->runController('srbac/authitem/...')
#10 /var/www/Yii/framework/base/CApplication.php(155): CWebApplication->processRequest()
#11 /var/www/JobCockpit/index.php(16): CApplication->run()
#12 {main}


So then I found the problem, and my 'answer-my-posts-by-myself' rate has increased once again…

The problem was…

Somehow I had a misconfiguration in the config/main.php:

'import'=>array(
	'application.modules.srbac.controllers.SBaseController',
),

-> This was causing the error ::)

I added that because it was written in the manual, and I didn't realize that 'application.modules.srbac.controllers.SBaseController',

should be added to the existing import array at the beginning of config/main.php :rolleyes:

Why does "Superuser" need anything assigned to them?

Hi, thanks for this extension, I hope it will solve my role problems. I just installed it, I have generated demo data, and so far there were no problems. One thing I can't solve is that the ajax links under /srbac/authitem/manage don't work. I mean Autocreate Auth Items, Edit always allowed list and Clear obsolete authItems. All links redirect to ../srbac/authitem/manage#

I’ve checked, javascripts are enabled. Is this a common problem ? (i hope so:)

Please let me know if you have this disabled ajax links problem.

regards

lukBB

I found one issue, which might or might not be a bug.

Where there are no users with the Authority role, all users, and even guests, will have access to the srbac module. This case is explained in the Helper::isAuthorizer function, so you might want to change the code to ensure that when the Authority role is not assigned, nobody will have access to the srbac module.

Thanks,

This is not a bug but it can be confusing.

I'll consider removing access to srbac when authority is not assigned, but this way you can only access srbac (to actually set the authority role to a user) in debug mode.
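As an added example (not srbac's own Helper::isAuthorizer()), the following contrasts the behaviour the bug report describes (nobody holds the superuser role, so everyone, guests included, may use the module) with a fail-closed variant that only opens the module while the module's debug switch is on, which is the bootstrap case Spyros mentions. Assumptions: a CDbAuthManager-compatible authManager component with the usual assignmentTable property, and a srbac module object with public superUser and debug properties (both names appear in the module config elsewhere in this thread).

```php
<?php
// Added example, not code from the srbac package.
class SrbacAccess
{
    /**
     * Behaviour the bug report describes: when the superuser role is assigned to
     * nobody, the check degrades to "allow everyone", guests included.
     */
    public static function isAuthorizerPermissive($userId)
    {
        $role = Yii::app()->getModule('srbac')->superUser;
        if (!self::roleIsAssigned($role)) {
            return true;
        }
        return Yii::app()->authManager->checkAccess($role, $userId);
    }

    /**
     * Fail-closed variant: with no holder of the superuser role, the module is only
     * reachable while 'debug' is on (so the first Authority can be assigned);
     * otherwise everyone is denied, and guests are denied in every case.
     */
    public static function isAuthorizerStrict($userId)
    {
        $module = Yii::app()->getModule('srbac');
        if (!self::roleIsAssigned($module->superUser)) {
            return (bool) $module->debug;
        }
        if ($userId === null) {
            return false; // Yii::app()->user->id is null for guests
        }
        return Yii::app()->authManager->checkAccess($module->superUser, $userId);
    }

    /** True if at least one row in the assignment table names $role. */
    protected static function roleIsAssigned($role)
    {
        $auth  = Yii::app()->authManager;
        $count = Yii::app()->db->createCommand()
            ->select('COUNT(*)')
            ->from($auth->assignmentTable)
            ->where('itemname=:name', array(':name' => $role))
            ->queryScalar();
        return (int) $count > 0;
    }
}

// Usage inside a module controller's beforeAction(), as an assumed integration point:
//   if (!SrbacAccess::isAuthorizerStrict(Yii::app()->user->id)) {
//       throw new CHttpException(403, 'You are not authorized for this action');
//   }
```

The trade-off is the one stated in the reply above: the strict variant makes the "no authorizer yet" state unreachable in production, so the first superuser has to be assigned either with debug on or directly in the assignment table.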

CException

Alias "srbac.SrbacModule" is invalid. Make sure it points to an existing PHP file.

This is the exception i get after installing srbac…

I searched the forums, which said "the file can probably not be accessed by the webserver", which was true in the beginning. Now I set the chmod of the extension folder, the srbac folder and the SrbacModule.php file to "777" and still the same error occurs.

I also tried the advice from This Topic:

which did not fix it either. Besides that, I fail to find the definition of a "valid alias" or where to define a valid alias.

The description of srbac simply says "must be a valid alias".

Can anyone tell me where I am wrong (probably simply too blind)?

Here is my config file:


<?php

// uncomment the following to define a path alias
// Yii::setPathOfAlias('local','path/to/local-folder');

// This is the main Web application configuration. Any writable
// CWebApplication properties can be configured here.
return array(
	'basePath'=>dirname(__FILE__).DIRECTORY_SEPARATOR.'..',
	'name'=>'My Web Application',

	// preloading 'log' component
	'preload'=>array('log'),

	// autoloading model and component classes
	'import'=>array(
		'application.models.*',
		'application.components.*',
		'application.modules.srbac.controllers.SBaseController',
	),

	'modules'=>array(
		// uncomment the following to enable the Gii tool
		'gii'=>array(
			'class'=>'system.gii.GiiModule',
			'password'=>'xxxx',
			// If removed, Gii defaults to localhost only. Edit carefully to taste.
			'ipFilters'=>array('127.0.0.1','::1'),
			// duplicate key: this second 'ipFilters' silently replaces the one above
			'ipFilters'=>array('MyOwnIP'),
		),

//---------------------------- SRBAC -------------------------------------------------------------------

		'srbac' => array(
			'userclass'=>'User', //default: User
			'userid'=>'user_ID', //default: userid
			'username'=>'username', //default:username
			'delimeter'=>'@', //default:-
			'debug'=>true, //default :false
			'pageSize'=>10, // default : 15
			'superUser' =>'Authority', //default: Authorizer
			'css'=>'srbac.css', //default: srbac.css
			'layout'=>'application.views.layouts.main', //default: application.views.layouts.main,
			//must be an existing alias
			'notAuthorizedView'=> 'srbac.views.authitem.unauthorized', // default:
			//srbac.views.authitem.unauthorized, must be an existing alias
			'alwaysAllowed'=>array( //default: array()
				'SiteLogin','SiteLogout','SiteIndex','SiteAdmin',
				'SiteError', 'SiteContact'),
			'userActions'=>array('Show','View','List'), //default: array()
			'listBoxNumberOfLines' => 15, //default : 10
			'imagesPath' => 'srbac.images', // default: srbac.images
			'imagesPack'=>'noia', //default: noia
			'iconText'=>true, // default : false
			'header'=>'srbac.views.authitem.header', //default : srbac.views.authitem.header,
			//must be an existing alias
			'footer'=>'srbac.views.authitem.footer', //default: srbac.views.authitem.footer,
			//must be an existing alias
			'showHeader'=>true, // default: false
			'showFooter'=>true, // default: false (was hidden inside the previous line's comment)
			'alwaysAllowedPath'=>'srbac.components', // default: srbac.components
			// must be an existing alias
		),

//-----------------------------------------------------------------------------------------------
	),

	// application components
	'components'=>array(
		'user'=>array(
			// enable cookie-based authentication
			'allowAutoLogin'=>true,
		),
		// uncomment the following to enable URLs in path-format
		/*
		'urlManager'=>array(
			'urlFormat'=>'path',
			'rules'=>array(
				'<controller:\w+>/<id:\d+>'=>'<controller>/view',
				'<controller:\w+>/<action:\w+>/<id:\d+>'=>'<controller>/<action>',
				'<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
			),
			'showScriptName'=>false,
		),
		*/
		/*
		'db'=>array(
			'connectionString' => 'sqlite:'.dirname(__FILE__).'/../data/testdrive.db',
		),
		*/
		// uncomment the following to use a MySQL database
		'db'=>array(
			'connectionString' => 'mysql:host=xxxx;dbname=xxxx',
			'emulatePrepare' => true,
			'username' => 'xxxx',
			'password' => 'xxxx',
			'charset' => 'utf8',
		),
		'errorHandler'=>array(
			// use 'site/error' action to display errors
			'errorAction'=>'site/error',
		),
		'log'=>array(
			'class'=>'CLogRouter',
			'routes'=>array(
				array(
					'class'=>'CFileLogRoute',
					'levels'=>'error, warning',
				),
				// uncomment the following to show log messages on web pages
				/*
				array(
					'class'=>'CWebLogRoute',
				),
				*/
			),
		),

//---------------------------- AuthManager-------------------------------------------------------------------

		'authManager'=>array(
			// Path to SDbAuthManager in srbac module if you want to use case insensitive
			//access checking (or CDbAuthManager for case sensitive access checking)
			'class'=>'application.modules.srbac.components.SDbAuthManager',
			// The database component used
			'connectionID'=>'db',
			// The itemTable name (default:authitem)
			'itemTable'=>'items',
			// The assignmentTable name (default:authassignment)
			'assignmentTable'=>'assignments',
			// The itemChildTable name (default:authitemchild)
			'itemChildTable'=>'itemchildren',
		),

//-----------------------------------------------------------------------------------------------
	),

	// application-level parameters that can be accessed
	// using Yii::app()->params['paramName']
	'params'=>array(
		// this is used in contact page
		'adminEmail'=>'xxxxx',
	),
);

It’s a silly question but have you put the srbac directory under

protected/modules/

Sad thing is… as silly as the question might be, I did not. But now I do and the same problem remains entirely unchanged =(

The srbac-folder is now in

/protected/modules/

and still

"CException

Alias "srbac.SrbacModule" is invalid. Make sure it points to an existing PHP file."

*edit:

The srbac folder was in "protected/extensions" before that.

Hi,

Thanks to the web interface I was easily able to automatically create operations and tasks from my controllers. Then I created roles and assigned them to my users.

But once this is done, I was not able to use the user roles to restrict their actions. I missed all the subtleties of this guide.

How can I do this?

And where do I do it? In all my controllers or in a WebUser class?

Regards,

Fog

Your controllers (or the components/Controller if all your controllers extend this) should extend SBaseController.

Also remove the filter method from your controllers (or Controller)

Thanks, but I am already doing this.

Finally I misrepresented my problem.

I want to restrict access to different parts of my website and limit the actions, depending on the user’s role.

For that, I do not know if I have to use the method checkAccess in all methods of each controller.

Or if I have to use this method in my class WebUser.

Because for now, all my users are seen as guest ^_^

As you can see, the use of srbac is still fuzzy to me :P

With the end of the week I did my homework and I managed to run srbac the way I wanted :)

Surprisingly, users are still connecting as a guest and I really do not understand why.

Because in the backup without the Srbac module, authentication worked perfectly fine.

This may be unrelated to Srbac, but I passed.

This is my authenticate method in UserIdentity:


	public function authenticate()
	{
		Yii::trace('UserIdentity::authenticate');
		$ldap = new Ldap();

		// the credentials are handed to the Ldap component through $_SERVER
		//if ($_SERVER['PHP_AUTH_USER'] == ""  || $_SERVER['PHP_AUTH_PW']=='' ) {
			$_SERVER['PHP_AUTH_USER'] = $this->username;
			$_SERVER['PHP_AUTH_PW'] = $this->password;
		//}

		// authentication through the LDAP component
		$rep = $ldap->ldap_authenticate();
		//echo $rep;
		//if (is_array($rep) || is_object($rep)) {
		if ($rep[0]=='uid')  {
			// note: Yii::app()->user is not logged in yet while authenticate() runs,
			// so user->name still holds the guest name at this point
			$this->setState('rpi', Yii::app()->user->name);
			Yii::trace($this->getState('rpi'));
			$this->_attributes = $ldap->getallAttribute($this->username);
			// ERROR_* are class constants of CBaseUserIdentity, so they need self::
			$this->errorCode = self::ERROR_NONE;
		} else {
			$this->errorCode = self::ERROR_PASSWORD_INVALID;
		}
		$ldap->ldap_disconnect();
		unset($ldap);
		return $this->errorCode;
	}

Sorry, I don't understand what you mean by that.

Users are connected but shown as guests?

Guest can behave as authenticated users?

Something else?

A user is never really authenticated because it is still considered a guest.

But when I log it, the user's role is properly recognized.

Am I doing it wrong when I get the role of the user as well?


	$userid = Yii::app()->db->createCommand()->select('id')->from('user')
		->where('rpi=:rpi', array(':rpi'=>Yii::app()->user->name))->queryScalar();
	$role = Yii::app()->db->createCommand()->select('itemname')->from('assignments')
		->where('userId=:user', array(':user'=>$userid))->queryScalar();



Obviously I should ask my questions in another topic, because my problem is not the SRBAC module,

but my lack of understanding of the use of authentication and authorization.

My problem is solved.

I had commented out lines of code and forgot about it; it's a silly mistake.