When you use the standard CAccessControlFilter filter and define a controller’s accessRules() method to return rules, and specify a ‘roles’ parameter in one of the rules, CAccessControlFilter ultimately calls CWebUser::checkAccess() for each of the roles listed, to determine if the user have one of the roles.
However, CWebUser::checkAccess() also accepts as a default argument a $params array, which according to documentation is supposed to contain "name-value pairs that would be passed to business rules associated with the tasks and roles assigned to the user"
But I can’t find a place in the rules array to place such parameters, so that they get passed to checkAccess().
Is it possible? If not, how is the $params array intended to be used?
So that means the accessControl filter doesn’t allow you to use Yii’s basic Access Control features (like business rules)…
I guess I will have the same problem even if I use the RBAM extension, won’t I? The documentation explains everything about managing and assigning authorization items (and they do have bizrules and data) but doesn’t say a word about how to check permissions from the application. I guess I’ll still have to call checkAccess manually from the actions, right? (or extend AccessControlFilter)
when you need to create authorization items that have a parameter, are business rules the way to go, or is there a better strategy?
For example, soppose you have a blog application with multiple "sections" and that every post belongs to a section. Then you may want to create authorization items (operations, tasks and roles) relative to a given section: e.g. operation "write post in <section>", or role "author in <section>", etc etc.
Thinking about it, I’m afraid a business rule could never solve the problem, because the id of the section needs to be part of the unique identifier (name?) of the authorization item.
Let’s say we want to be able to assign users roles such as:
Athor in section 1
Author in section 2
Editor in section 1
Editor in section 2
where Author means he has permission to create posts in that section, Editor means he has permission to edit/delete posts in that section.
At first thought, one says: ok I’ll create a role called “Author in section”, and role called “Editor in section” (let’s ignore the child tasks and operations for the moment). These items need a business rule to determine whether the section the user wants to post/edit in is the section he is an author/editor for.
RBAM apparently allows you to store "data" together with an athrorisation assignment; and to store bizrule for a given role. So if I want to assign a given user the Author role for a given section, I would assign him the role "Author in Section" and put the id of the section in the "data". That data supposedly is passed to the bizrule when performing the check.
Than will only work if you can assign the same role to the same user multiple times with different values of “data” in each assignment, which I don’t think is the case. Or is it?
So, I couldn’t give have a user the role of author or editor for more than one specific areas.
When we have multiple dynamic sections, I think we have to have a look-up table that defines the auth relations between the users and the sections, so that we can pass the section ID to the business rule as a parameter.
Of course we need that table, but I don’t think the standard authManager mechanism provides a way to perform the check, without extending it.
What business rule would you pass the section ID to? Business rules belong to authorization items, or to assignments, but authorization items have a unique id, and assignments are uniquely identified by the auth item id and the user id. So you can’t assign the same auth item to the same user more than once with different section IDs…