One of the apps I built has multiple company accounts. A user is bound to one or more accounts and can also be restricted to particular properties within the assigned accounts.
Adjusting RBAC to support multiple accounts was quite a lot of work, and I had to modify some function signatures to accommodate all the required changes.
Although it can be done in a fast and dirty way by formulating ids (like “%s-%s-%s” and deconstructing them at the permission-check level), this hinders the queries performed in the DB (quickly checking with a single query whether a user is eligible). So I actually had to restructure a lot of stuff to add additional fields to the RBAC schema.
The problem with the existing RBAC is that almost all queries had to be reworked and additional functions introduced to handle the data loaded from the DB in order to properly populate the objects.
It would be great if the RBAC in Yii3 were more extensible, allowing us to easily accommodate additional data changes by simply extending the base classes. It would also be great if the functions performing RBAC checks supported structures by default (starting from User::can(…) all the way down to permissions).
By structures I mean:
- UserId is an object (extending some base class would allow us to extend the data used to identify a user or resource in the system)
- Permissions etc. can be data vectors (carrying all kinds of additional custom data that might be needed, accessible via a magic getter/setter or via concrete functions built into classes extending the base class)
- Allow by default the use of contexts that identify under which application contexts an RBAC item is valid (especially useful in GUI permission assignment; think Admin, Frontend, Api, etc.). This can be emulated similarly to messages (translations), but it would be nicer to keep it cleaner and separate for improved DB performance.
What do you think? Is it worth adding this type of extensibility to the RBAC system of Yii3?
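To make the proposal concrete, here is an added example (not Yii code and not from the poster) of what a scoped check with separate account, property and context fields looks like; every class and field name in it is an assumption, and the sample assignments are constructed.

```php
<?php
// Assumed class and field names (not Yii's): a check scoped by account, property and
// application context, instead of packing the three into one "%s-%s-%s" string id.
/** Who is asking and in which tenant scope (null property = no restriction requested). */
final class Subject
{
    public function __construct(
        public readonly int $userId,
        public readonly int $accountId,
        public readonly ?int $propertyId = null,
    ) {}
}
/** One assignment row: permission within an account, optionally one property, one app context. */
final class Assignment
{
    public function __construct(
        public readonly int $userId,
        public readonly string $permission,
        public readonly int $accountId,
        public readonly ?int $propertyId, // null = every property of the account
        public readonly string $context,  // admin, frontend, api, ...
    ) {}
}

final class ScopedRbac
{
    /** @param Assignment[] $assignments rows as they would be loaded from the DB */
    public function __construct(private readonly array $assignments) {}
    /** Deny by default: user, permission, context and account must all match and the grant's
     *  property must be unrestricted or equal the requested one. With separate columns this
     *  is the same predicate as one indexed WHERE clause, with no id string to split apart. */
    public function can(Subject $s, string $permission, string $context): bool
    {
        foreach ($this->assignments as $a) {
            if ($a->userId !== $s->userId || $a->permission !== $permission) continue;
            if ($a->context !== $context || $a->accountId !== $s->accountId) continue; // tenant boundary
            if ($a->propertyId !== null && $a->propertyId !== $s->propertyId) continue;
            return true;
        }
        return false;
    }
}
// Constructed sample: user 7 edits any property of account 1 from the admin UI and views only property 42 of account 2 via the API.
$rbac = new ScopedRbac([
    new Assignment(7, 'property.edit', 1, null, 'admin'),
    new Assignment(7, 'property.view', 2, 42, 'api'),
]);
var_dump($rbac->can(new Subject(7, 1, 5), 'property.edit', 'admin'));    // in-scope request
var_dump($rbac->can(new Subject(7, 2, 43), 'property.view', 'api'));     // another property of account 2
var_dump($rbac->can(new Subject(7, 1, 5), 'property.edit', 'frontend')); // same grant, other context
```

The account comparison is the tenant boundary: a grant in one account can never satisfy a request made in another, and an unrestricted grant (null property) is an explicit wildcard rather than a missing value.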