Help With User Access

Hi,

I have almost solved this, but I must have overlooked a few things.

I have created a User.php model with several access flags, listed below:

    'view_permit'     => 'Allows user to view requisition record',
    'edituser_permit' => 'Allows user to edit their role',
    'control_permit'  => 'Allows user to manage requisition',
    'maint_demo'      => 'Allows user to maintain demo unit',
    'view_demopool'   => 'Allows user to view demo pool',

These will return boolean values and they are stored in the database.

I have also created a function in User.php to obtain this boolean value, and I use this function in accessRules() in UserController.php. The function is as below:


    public function getCreateUser()
    {
        $canCreate = 'edituser_permit';

        if ($canCreate != 1)
            return false;
        else
            return true;
    }

	

The access rule for edituser_permit is defined as follows:


    public function accessRules()
    {
        return array(
            array('allow',  // allow all users to perform 'index' and 'view' actions
                'actions' => array('index','view'),
                'users'   => array('*'),
            ),
            array('allow',  // allow authenticated user to perform 'create' and 'update' actions
                'actions'    => array('create','update'),
                'users'      => array('@'),
                'expression' => 'User::getCreateUser()',
            ),
            array('allow',  // allow admin user to perform 'admin' and 'delete' actions
                'actions' => array('admin','delete'),
                'users'   => array('@'),
            ),
            array('deny',   // deny all users
                'users' => array('*'),
            ),
        );
    }

The result:

So far I have been getting rather odd results. Having made the admin with all access rights, I am unable to gain access to create/update the records. Is there something wrong with the logic expressions? or am I missing something?

Cheers and thanks

Try removing

    'users' => array('@'),

It may work.

Hi again,

It doesn’t, in fact. I have checked the logic by applying a hard-coded value in the getCreateUser() function as below:


    public function getCreateUser()
    {
        $canCreate = 1; //'edituser_permit';

        if ($canCreate != 1)
            return false;
        else
            return true;
    }

The logic seems to work fine, as I am able to gain access to create and update Users. However, once I revert to the original code where the value is obtained from the database, it works inversely, i.e. when the $canCreate value is 1 in the database, I am denied access.

When the $canCreate value is 0 (done by manipulating the database values), I am still unable to gain access. Am I expressing the code wrongly here?


    public function getCreateUser()
    {
        $canCreate = 'edituser_permit';

        if ($canCreate != 1)
            return false;
        else
            return true;
    }

To put it in simple terms, here’s the logic behind what I’m trying to achieve.

Permissions (stored in db with User) -> accessRules () checks with permissions in User -> allows/deny access

It's likely that your database query returns a string; try converting it to an int before you do the check:


    public function getCreateUser()
    {
        $canCreate = 'edituser_permit';

        if ((int)$canCreate != 1)
            return false;

        return true;
    }

Thanks alirz for the suggestion.

I have made the change and actually printed the result. I believe the issue here isn’t the logic but rather a syntax one. After printing the result of


    public function getCreateUser()
    {
        $canCreate = 'edituser_permit';
        return (int)$canCreate;
    }

in the User model, I found out that ‘edituser_permit’ was not initialised and it returned the exact same string value, i.e. ‘edituser_permit’.

In this case, how should I call and obtain the ‘edituser_permit’ value from the db?

I guess the rudimentary question is how do I "get" the value after it has been "set" in the database from the User model.

thanks!

Ok folks,

I’ve managed to solve this rather basic (slap on the head) problem. I blame myself for not covering the basics in the documentation, mostly.

Here is the solution.

Basically, the idea as stated before is to check the user’s permission before accessing any page of the CRUD facility.

I created a function in the UserController class like this:




    public function getEditUser()
    {
        $id = Yii::app()->user->ID;

        $usercriteria = new CDbCriteria();
        $usercriteria->select    = "edituser_permit";
        // Bind the value instead of interpolating it into the SQL string,
        // so a username containing a quote cannot alter the query.
        $usercriteria->condition = "username = :id";
        $usercriteria->params    = array(':id' => $id);
        $getPerm = User::model()->find($usercriteria);

        // No matching row means no permission.
        if ($getPerm === null)
            return 0;

        return $getPerm->edituser_permit;
    }




This reads the DB record holding the current user's permission.

It is applied as follows:




    public function actionCreate()
    {
        $perm = $this->getEditUser();

        // Compare against the integer 1 explicitly; a loose "!= '0'" test
        // would also pass for a null or unexpected value.
        if ((int)$perm === 1) {
            $model = new User;

            // Uncomment the following line if AJAX validation is needed
            // $this->performAjaxValidation($model);

            if (isset($_POST['User'])) {
                $model->attributes = $_POST['User'];
                if ($model->save())
                    $this->redirect(array('view', 'id' => $model->ID));
            }

            $this->render('create', array(
                'model' => $model,
            ));
        }
        else {
            throw new CHttpException(403, 'You are not allowed to Create New User.');
        }
    }



Cheers!
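Pulling the thread together as an added example (my code, not any poster's and not Yii's own): the permission check placed where the first post tried to put it, in accessRules(), so the accessControl filter refuses the request before any action code runs, and the lookup from the final post rewritten with a bound parameter instead of a value interpolated into the SQL condition. Assumptions: a `user` table with primary key `ID`, a `username` column and integer flag columns named as in the thread; and, as the thread's own code implies, Yii::app()->user->id holding the username. In a real application the two classes would live in protected/models/User.php and protected/controllers/UserController.php.

```php
<?php
// Added example, not code from the thread. Assumes the `user` table, the
// *_permit flag columns, and Yii::app()->user->id == username, as described above.

class User extends CActiveRecord
{
    // Permission columns the rules may ask about; any other name is refused.
    private static $permissionFlags = array(
        'view_permit', 'edituser_permit', 'control_permit', 'maint_demo', 'view_demopool',
    );

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user';
    }

    // Mass-assignment guard: $model->attributes = $_POST['User'] only assigns
    // attributes that a rule marks safe for the scenario. The *_permit flags are
    // deliberately absent, so a submitter of the create form cannot grant them.
    public function rules()
    {
        return array(
            array('username', 'required'),
            array('username', 'length', 'max' => 64),
        );
    }

    // True when this record carries the flag. Cast first: some DB drivers hand
    // back "1" as a string, which is why the int-cast suggestion in the thread helped.
    public function hasPermission($flag)
    {
        if (!in_array($flag, self::$permissionFlags, true)) {
            return false;
        }
        return (int) $this->$flag === 1;
    }

    // Loads the logged-in user's row. The username is bound as a parameter,
    // never concatenated into the condition string. Returns null for guests
    // and for a session whose user no longer exists, so callers fail closed.
    public static function current()
    {
        $webUser = Yii::app()->user;
        if ($webUser->isGuest) {
            return null;
        }
        return self::model()->find('username = :name', array(':name' => $webUser->id));
    }

    // Convenience for access-rule expressions.
    public static function currentHasPermission($flag)
    {
        $record = self::current();
        return $record !== null && $record->hasPermission($flag);
    }
}

class UserController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view'),
                'users'   => array('*'),
            ),
            array('allow',
                'actions'    => array('create', 'update'),
                'users'      => array('@'),
                // Evaluated by CAccessRule after the '@' check; a false result falls
                // through to the deny rule and Yii answers with 403.
                'expression' => 'User::currentHasPermission("edituser_permit")',
            ),
            array('deny',
                'users' => array('*'),
            ),
        );
    }

    // No permission test needed here: the filter already ran it.
    public function actionCreate()
    {
        $model = new User;
        if (isset($_POST['User'])) {
            $model->attributes = $_POST['User']; // only rules()-listed attributes are set
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->ID));
            }
        }
        $this->render('create', array('model' => $model));
    }
}
```

Two points worth checking in a real deployment. First, the thread's actionCreate assigns `$_POST['User']` wholesale; Yii filters that through the model's rules(), which the thread never shows, so whether a form submitter can set `edituser_permit` on the new account depends entirely on what that method marks as safe. Second, keeping the check in accessRules() rather than inside each action means the `update`, `admin` and `delete` actions get the same treatment for free, whereas a per-action `if` has to be remembered every time a new action is added.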