params in controllers accessRules

Hi Qiang,

we have a business rule that need a parameter.

Of corse we can do "checkAccess" and pass it the parameter, but we use this role to control the access to an action, and so we would like to put this stuff in accessRules() in the controller.

This is not possible because in CAccessControlFilter, in the method isRoleMatched() the checkAccess is called without parameters.

We think that can be nice to specify parameters like that:



	public function accessRules()


	{


		return array(


			array('allow',


				'actions'=>array('update'),


				'roles'=>array('update_own_camping'=>array('campingId'=>$_GET["ID"])),


			)


		}


This may seem to work, but it has the drawback that the parameters are evaluated for ALL actions. In your example, it is possible that $_GET['ID'] doesn't even exist.

ok but the solution in that case will be to do for example an allow only for the action list (with for example 'users'=>array('@')) and another allow rule for the update (with 'roles'=>array('update_own_camping'=>the parameters).

is it correct? what do you think about?

The whole array will be evaluated no matter what action is being requested. That's why the problem.

…mh…I don't understand…

this is our accessRules():



	public function accessRules()


	{


		return array(


			array('allow',


				'actions'=>array('list'),


				'users'=>array('@'),


			),


			array('allow',


				'actions'=>array('update','show'),


				'roles'=>array('update_own_camping'),


			),


			array('deny',  // deny all users


				'users'=>array('*'),


			),


		);


	}


the rule for update and show should have something like:



'roles'=>array('update_own_camping'=>array('campingId'=>$_GET["ID"]),


what's the problem you are talking about? that this params will be evaluated also if the action list is requested?

it's strange, isn't it?! to solve this without params I have to do 2 roles and 2 bizrule and in the second bizrule I have to do exactly the same stuff but instead of using $_GET['something'] I'll have to use $_POST['something other'], otherwise do the checkAccess in the action code!

both solution are not clean compared to what is explained in the RBAC feature…

What I mean is the whole array in accessRules() will be evaluated before the access filter has the chance to use it to check authorization. This is done by PHP.

I understand the need for parameters by some biz rules, but having them evaluated each time accessRules() is called is not acceptable, I think.

ah ok. i agree.

Hello there…

I solve this just getting the $_GET["id"]; in the Business Rule in the database in the bizrule of the authitem table.

With this you don’t have the error that maybe the $_GET[“id”] is not defined because we only check this rule when we are in the correct action (for example in update)