Help With Biz Rule In Rbac

Hi,

I have the following code. It’s only very short as it is my first time using RBAC and I wanted to test little portions of it to make sure I’d done it right.

$auth = Yii::app()->authManager;

// Operation
$auth->createOperation('viewProfile', 'View profile');

// Task with biz rule
$task = $auth->createTask('viewOwnProfile', 'View your own profile', 'return $params["id"] == Yii::app()->user->id;');
$task->addChild('viewProfile');

// Role
$role = $auth->createRole('standardUser');
$role->addChild('viewProfile');
$role->addChild('viewOwnProfile');

$auth->save();

All that saved fine in my DB. I’ve assigned the authorisation to a user.

I’m trying this inside my view action

    public function actionView($id) {

        // Check access level
        if(!Yii::app()->user->checkAccess('viewProfile', $id)) {
            throw new CHttpException(403, 'You are not allowed to do this.');
        }

        //... Continue with code
    }

I should mention I overwrote getId() to id(), so my biz rule uses Yii::app()->user->id.

It currently lets me view any user's record. I'm not really sure why. I have read around the topic and thought I'd done it correctly. I've also tried to call 'viewOwnProfile', still the same result.

Any guidance would be greatly appreciated.

Thanks
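For comparison, here is a corrected version of the same setup as an added example (not the poster's code), assuming a Yii 1.1 application with an 'authManager' component configured and the 'standardUser' role already assigned to the current user; the function and controller names are my own. It removes the rule-free path from the role straight to 'viewProfile' and passes the id to checkAccess as an array, which are the two things that let the business rule be bypassed.

```php
<?php
// Added example, not the original poster's code. Assumes a Yii 1.1 application
// whose 'authManager' component is configured and whose current user has
// already been assigned the 'standardUser' role. buildProfileAuthHierarchy and
// ProfileController are names chosen for this example.

function buildProfileAuthHierarchy()
{
    $auth = Yii::app()->authManager;

    // Operation: the atomic permission the controller checks.
    $auth->createOperation('viewProfile', 'View profile');

    // Task carrying the business rule. Yii eval()s this string at check time
    // with $params (the array passed to checkAccess) in scope, so guard against
    // a missing key instead of trusting the caller to always supply one.
    $task = $auth->createTask(
        'viewOwnProfile',
        'View your own profile',
        'return isset($params["id"]) && (int)$params["id"] === (int)Yii::app()->user->id;'
    );
    $task->addChild('viewProfile');

    // The role reaches 'viewProfile' ONLY through the task. checkAccess walks
    // every path from the operation up to the user's assignments; a direct
    // role -> viewProfile edge is a rule-free path, so access would be granted
    // before the business rule is ever evaluated.
    $role = $auth->createRole('standardUser');
    $role->addChild('viewOwnProfile');

    $auth->save();
}

class ProfileController extends CController
{
    public function actionView($id)
    {
        // The second argument must be an array: the business rule reads
        // $params["id"], and passing a bare scalar leaves that lookup empty.
        if (!Yii::app()->user->checkAccess('viewProfile', array('id' => $id))) {
            throw new CHttpException(403, 'You are not allowed to do this.');
        }

        // ... render the profile
    }
}
```

After rebuilding the hierarchy, a user requesting another user's id is refused, because the only path from 'viewProfile' to the role now passes through the task's rule.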