Hi,
I have the following code. It’s only very short, as it is my first time using RBAC and I wanted to test little portions of it to make sure I’d done it right.
$auth = Yii::app()->authManager;
$auth->createOperation('viewProfile', 'View profile');
$task = $auth->createTask('viewOwnProfile', 'View your own profile', 'return $params["id"] == Yii::app()->user->id;'); // biz rule
$task->addChild('viewProfile');
$role = $auth->createRole('standardUser');
$role->addChild('viewProfile');
$role->addChild('viewOwnProfile');
$auth->save();
All that saved fine in my DB. I’ve assigned the authorisation to a user.
I’m trying this inside my view action:
public function actionView($id) {
// Check access level
if(!Yii::app()->user->checkAccess('viewProfile', $id)) {
throw new CHttpException(403, 'You are not allowed to do this.');
}
//... Continue with code
}
I should mention I overwrote getId() to id(), so my bizrule uses Yii::app()->user->id.
It currently lets me view any user’s record. I’m not really sure why. I have read around the topic and thought I’d done it correctly. I’ve also tried calling ‘viewOwnProfile’, with the same result.
Any guidance would be greatly appreciated.
Thanks
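Added example (not from the original post and not Yii’s own code): a small, dependency-free PHP model of how Yii 1.x’s CAuthManager::checkAccess() walks the auth hierarchy, bottom-up from the requested item through its parents to an item assigned to the user, evaluating each item’s bizrule with eval() along the way. It reproduces the hierarchy from the post and runs the check three ways: exactly as posted, with the direct role → viewProfile link removed but $id still passed as a bare scalar, and with both that link removed and $params passed as array('id' => $id). Item names are taken from the post; the logged-in user id (5), the other user id (7), the $userId variable standing in for Yii::app()->user->id inside the rule, and the parent iteration order are assumptions of the model.

```php
<?php
// Added model of Yii 1.x checkAccess() semantics; not Yii's code.
// Assumptions: user 5 is logged in, user 7 is someone else, and the bizrule
// reads $userId instead of Yii::app()->user->id.

class AuthModel
{
    private $items = array();        // name => ['rule' => string|null, 'children' => [names]]
    private $assignments = array();  // userId => [item names]

    public function addItem($name, $rule = null)
    {
        $this->items[$name] = array('rule' => $rule, 'children' => array());
    }

    public function addChild($parent, $child)
    {
        $this->items[$parent]['children'][] = $child;
    }

    public function assign($userId, $item)
    {
        $this->assignments[$userId][] = $item;
    }

    // Yii 1.x eval()s the stored bizrule string with $params in scope; an
    // empty rule always passes. The @ hides the "Trying to access array
    // offset on value of type int" notice that PHP 7.4+ raises when $params
    // is a bare integer (PHP 5 returned null silently), so the model behaves
    // like the original environment: the offset read yields null.
    private function ruleAllows($rule, $params, $userId)
    {
        if ($rule === null || $rule === '') {
            return true;
        }
        return (bool) @eval($rule);
    }

    // Bottom-up walk: the item must pass its own rule, then be assigned to the
    // user directly or be reachable through a parent that is.
    public function checkAccess($userId, $itemName, $params)
    {
        if (!isset($this->items[$itemName])) {
            return false;
        }
        if (!$this->ruleAllows($this->items[$itemName]['rule'], $params, $userId)) {
            return false;
        }
        $assigned = isset($this->assignments[$userId]) ? $this->assignments[$userId] : array();
        if (in_array($itemName, $assigned, true)) {
            return true;
        }
        foreach ($this->items as $parentName => $parent) {
            if (in_array($itemName, $parent['children'], true)
                && $this->checkAccess($userId, $parentName, $params)) {
                return true;
            }
        }
        return false;
    }
}

// Rebuild the hierarchy from the post, optionally with the direct
// standardUser -> viewProfile link that bypasses the task's bizrule.
function buildAuth($linkOperationDirectlyToRole)
{
    $auth = new AuthModel();
    $auth->addItem('viewProfile');
    $auth->addItem('viewOwnProfile', 'return $params["id"] == $userId;');
    $auth->addChild('viewOwnProfile', 'viewProfile');
    $auth->addItem('standardUser');
    if ($linkOperationDirectlyToRole) {
        $auth->addChild('standardUser', 'viewProfile');
    }
    $auth->addChild('standardUser', 'viewOwnProfile');
    $auth->assign(5, 'standardUser');
    return $auth;
}

$me = 5;
$someoneElse = 7;

// 1. Hierarchy and call exactly as posted: standardUser -> viewProfile is an
//    unconditional path, so the rule on viewOwnProfile is never the deciding
//    factor and the check passes for any id.
$auth = buildAuth(true);
printf("as posted, other user's id: %s\n", var_export($auth->checkAccess($me, 'viewProfile', $someoneElse), true));

// 2. Direct link removed, but $id still passed as a scalar: the rule reads
//    $params["id"] on an integer, gets null, and denies even the owner.
$auth = buildAuth(false);
printf("no direct link, scalar params, own id: %s\n", var_export($auth->checkAccess($me, 'viewProfile', $me), true));

// 3. Direct link removed and $params passed as an array with the 'id' key:
//    only the path through viewOwnProfile remains, so the rule decides.
printf("both fixes, own id: %s\n", var_export($auth->checkAccess($me, 'viewProfile', array('id' => $me)), true));
printf("both fixes, other user's id: %s\n", var_export($auth->checkAccess($me, 'viewProfile', array('id' => $someoneElse)), true));
```

Two things follow from the walk. A role that has an operation as a direct child grants that operation unconditionally, regardless of any task in between that carries a bizrule, so the rule-carrying task must be the only path from the role to the operation. And checkAccess() hands its second argument to the bizrule as $params unchanged, so a rule that indexes $params["id"] needs array('id' => $id), not $id.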