How does the rbac work exactly?

So I configured my app and made the migrations, but I am trying to make sure I know where I am going.

I assume after putting this code inside the command folder of the directory and executing yii rbac/init will create the authorizations; however, I am wondering if I need to use this if statement inside all create actions inside the 10 controllers I made.

if (\Yii::$app->user->can('createSomething')) {

    // create something


…Also, how do you assign a role to a user if you’re using the basic template? It seems you cannot assign a role if you’re using a basic template.

Also, one last thing, this code inside the doc, you need to put it inside the RbacController inside the command directory right? And you need to enter yii rbac/init to apply the changes if I understood correctly?

// add the rule

$rule = new \app\rbac\AuthorRule;


// add the "updateOwnPost" permission and associate the rule with it.

$updateOwnPost = $auth->createPermission('updateOwnPost');

$updateOwnPost->description = 'Update own post';

$updateOwnPost->ruleName = $rule->name;


// "updateOwnPost" will be used from "updatePost"

$auth->addChild($updateOwnPost, $updatePost);

// allow "author" to update their own posts

$auth->addChild($author, $updateOwnPost);


Basically yes.

But there are also other ways to check for access and have the "accessChecks" on a "central" position.

For example you could also write a "matchcallback".$matchCallback-detail

Or write you access checks in "beforeAction"…

(Just to get some ideas)

You can. ;)

Are you using RBAC with DB or with files?

If you using DB for your RBAC objects, you could use (for example):

Or - you just write your own RBAC management.

For example, according to the guide,

when you execute:

$auth->assign($admin, $userID);

And $admin role will be added to gived "user id".

That can be done in any controller action,

it does not have to be a “console command”. ;)

You understood it correctly.

But you do not HAVE to put the code inside the the command directory.

You can also write this code inside any action of any controller and execute it via web. ;)

(Just to get some ideas… ;) )

Best Regards

I ran into a problem and I still am not sure I understood how rbac works exactly.

This is the rule for checking whether the author of the post is trying to get the authorization for an action:

class AuthorRule extends Rule


    public $name = 'isAuthor';


     * @param string|integer $user the user ID.

     * @param Item $item the role or permission that this rule is associated with

     * @param array $params parameters passed to ManagerInterface::checkAccess().

     * @return boolean a value indicating whether the rule permits the role or permission it is associated with.


    public function execute($user, $item, $params)


        return isset($params['model']) ? $params['model']->createdBy == $user : false;



This is how I am trying to use the rule and Yii’s rbac:

public function actionUpdate($id)


    $model = $this->findModel($id);

    if (\Yii::$app->user->can('update', ['model' => $model])) {

        if ($model->load(Yii::$app->request->post()) && $model->save()) {

            return $this->redirect(['view', 'id' => $model->id]);

        } else {

            return $this->render('update', [

                'model' => $model,





However, I get this when I try to edit a Post:

Getting unknown property: app\models\Post::createdBy

So I thought I had to replace createdBy with userId which is a column in the table Post and I am getting a blank page meaning it doesn’t work. So I am trying to guess what $user is.

I also tried:

return isset($params['model']) ? $params['model']->userId == $user->id : false;

and I am getting:

Trying to get property of non-object.

What should I do to make it work? The doc seemed to suggest you just had to plug the conditional inside the controller action to make it work, but it doesn’t seem to be the case at all.


To understand rules a littlebit better.

First of all you have to understand what happends

when you execute the "can" method to check access.

Take a look at:


You will see:

    public function can($permissionName, $params = [], $allowCaching = true)


        $auth = Yii::$app->getAuthManager();

        if ($allowCaching && empty($params) && isset($this->_access[$permissionName])) {

            return $this->_access[$permissionName];


        // PLEASE NOTE: $this->getId() already passes the "user->id" to your "permission" or "rule"

        $access = $auth->checkAccess($this->getId(), $permissionName, $params);

        if ($allowCaching && empty($params)) {

            $this->_access[$permissionName] = $access;


        return $access;


Means that:

class AuthorRule extends Rule


    public $name = 'isAuthor';

    public function execute($user, $item, $params)


        // REGARDING $params['model']->createdBy

        // model "createdBy" must be the field name in YOUR table holding the creators user-id

        // for example in my database it is called: created_by

        // REGARDING $user 

        // $user should already contain the user id of the current logged in user. 

        return isset($params['model']) ? $params['model']->createdBy == $user : false;



Hope this makes it a littlebit more clear for you.

Best Regards