Performance considerations for RBAC Check Access

The current project dictates that menu items and links to which a user does not have access should be hidden from views.

Checks will obviously still need to be performed in the controller for security reasons, so will be redundant on the views.

Is there a method preferred over using a conditional for Yii::app()->user->checkAccess('[Operation]') before rendering each instance in the view?

Is there a measurable performance hit that should discourage this practice in general?

To clarify the scope of the scenario:

Number of total operations is in the 100s

Number of check access calls per page ranges from several to a max of 20

No complexity to the checks, e.g. params, bizRules

Thanks,

nc

Hm, if you can easily determine the access level of a user from the DB and there’s some kind of link between models and users, you might do well to filter the models a user can see by setting a default scope for them in place.

Filtering is already handled by scopes. (I chose not to use default scope for this project and instead apply the appropriate scopes with each call for irrelevant reasons.)

A simple use case would be a Delete button. The actual security is already handled by RBAC in the controller, so if a user without permissions clicks the button they’ll receive an access/permissions error. To improve usability I am removing such buttons completely if the user does not have appropriate permissions. This creates redundant calls to checkAccess for each link or button on a view and exponentially increases the number of calls required during a user’s session.

I'm just trying to make sure I'm not setting myself up for performance issues down the line, or that there's not a preferred method of implementing this functionality, e.g. extending one of the HTML rendering classes to incorporate the check or enabling caching features, etc.

Thanks,

nc

Well, if your rules are really that simple, you might try to cache them for each (authenticated) user. Apart from that, I’m out of ideas.
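The two ideas raised above, extending an HTML rendering class so the check happens in one place, and caching the decision per authenticated user, can be combined. The following is an added example written for this thread, not code from the original posts or from the Yii framework. It assumes Yii 1.1 with an authManager component configured, an optional cache component, and it uses hypothetical names (AccessHtml, can, linkIf, buttonIf, forget, and the operation deletePost). The view still only controls visibility; the checkAccess in the controller action remains the actual security boundary.

```php
<?php
// protected/components/AccessHtml.php  (added example, not Yii code)
//
// Assumes Yii 1.1 with the 'authManager' component set up for RBAC and an
// optional 'cache' component. Class and method names are hypothetical.

class AccessHtml extends CHtml
{
    /** Seconds a cross-request decision may be reused. Keep it short: a role
     *  revoked in the admin UI stays visible in views until the entry expires. */
    const CACHE_TTL = 60;

    /** @var array operation => bool, memoised for the current request only.
     *  Yii 1.1.3+ already does this inside CWebUser::checkAccess() when
     *  $allowCaching is true; the memo here keeps the cross-request lookup
     *  from being repeated within one page render. */
    private static $memo = array();

    /**
     * checkAccess() wrapper. Parameter-less checks are memoised per request
     * and, if a cache component exists, per user across requests. Checks that
     * carry $params (bizRules) are never cached: their answer depends on the
     * row being rendered, so a cached result could grant access to the wrong
     * object.
     */
    public static function can($operation, $params = array())
    {
        $user = Yii::app()->user;
        if ($params !== array()) {
            return (bool) $user->checkAccess($operation, $params);
        }
        if (array_key_exists($operation, self::$memo)) {
            return self::$memo[$operation];
        }

        $cache = Yii::app()->hasComponent('cache') ? Yii::app()->cache : null;
        $key   = self::cacheKey($user->id, $operation);
        $hit   = $cache !== null ? $cache->get($key) : false;
        if ($hit === false) {
            // Store 0/1 rather than a bool: a cached boolean false is
            // indistinguishable from a cache miss in CCache::get().
            $hit = $user->checkAccess($operation) ? 1 : 0;
            if ($cache !== null) {
                $cache->set($key, $hit, self::CACHE_TTL);
            }
        }
        return self::$memo[$operation] = (bool) $hit;
    }

    /** Link rendered only when the user holds $operation; otherwise nothing. */
    public static function linkIf($operation, $text, $url = '#', $htmlOptions = array())
    {
        return self::can($operation) ? parent::link($text, $url, $htmlOptions) : '';
    }

    /** Same for a plain button, e.g. the Delete button from the thread. */
    public static function buttonIf($operation, $label = 'button', $htmlOptions = array())
    {
        return self::can($operation) ? parent::button($label, $htmlOptions) : '';
    }

    /** Call after assigning or revoking a role so a stale decision does not
     *  outlive the change for the remaining TTL. */
    public static function forget($userId, $operation)
    {
        if (Yii::app()->hasComponent('cache')) {
            Yii::app()->cache->delete(self::cacheKey($userId, $operation));
        }
    }

    private static function cacheKey($userId, $operation)
    {
        // Guest users have id null, which becomes '' here; they share one entry.
        return 'rbac:' . (string) $userId . ':' . $operation;
    }
}

// In a view (constructed usage, operation name 'deletePost' is hypothetical):
//
//   <?php echo AccessHtml::linkIf('deletePost', 'Delete',
//           array('post/delete', 'id' => $model->id)); ?>
//
// Twenty such calls on one page cost at most one authManager lookup per
// distinct operation per request, and with a cache component at most one per
// operation per user per CACHE_TTL.
```

The per-request memo is what addresses the "20 calls per page" concern: CDbAuthManager walks the role hierarchy with queries on every call, while CPhpAuthManager works from an in-memory array and barely needs it. The cross-request layer is optional and is the part with a security cost, since an authorization decision cached for 60 seconds is a window in which a revoked permission still renders its button; that only affects visibility as long as the controller keeps its own checkAccess, but it is the reason to keep the TTL short and to call forget() from whatever code changes assignments.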

Hi ncramer,

Nice question, could you share your conclusion?