RBAC and bizrule


I’m using the rights extension to manage access control and it works well as long as I only do some basic CRUD operation filtering.

Now, I want to do this simple access check based on $user->id:

  • I’ve got a Content model. It has a ‘belongs_to’ User relation through the user_id foreign key. This relation is declared as ‘owner’ in Content.php.

  • I want users having the Authenticated role to be able to update only their own content.

  • I’ve created a Content.Update.Own operation with the following bizrule:

    return Yii::app()->user->id==$params['content']->user_id;

  • I’ve declared Content.Update as a child of Content.Update.Own.

  • The Authenticated role has Content.Update.Own as a child.

And this always gives me a 403 error … I think my bizrule is not well written.

Any help will be very appreciated.


What I did was put a function in my model:

    public static function isOwnerOf() {
        // Only meaningful for the issue controller; deny everywhere else.
        if (Yii::app()->controller->id !== 'issue') {
            return false;
        }
        if (isset(Yii::app()->user->id) && isset($_GET['id'])) {
            // Exact match on both columns: a partial (LIKE '%...%') match on id
            // would also let id 1 match 11, 21, ... and grant access to other rows.
            $criteria = new CDbCriteria();
            $criteria->select = 'user_id';
            $criteria->compare('user_id', Yii::app()->user->id);
            $criteria->compare('id', $_GET['id']);
            // A row exists only when the record belongs to the logged-in user.
            $owner = Issue::model()->findAll($criteria);
            return !empty($owner);
        }
        return false;
    }


And then the bizrule:

    return Issue::isOwnerOf();

I am well aware that the function could be written better, but it does the job for me. ;)

Excellent, thanks a lot.

I’ve modified the following block:

    /*$criteria = new CDbCriteria();
    $criteria->select = 'user_id';
    $criteria->compare('user_id', Yii::app()->user->id, true);
    $criteria->compare('id', $_GET['id'], true);
    $owner = Content::model()->findAll($criteria);
    return !empty($owner);*/
    // Guard against a missing record: findByPk() returns null for an unknown id,
    // and reading ->user_id on null is a fatal error instead of a denial.
    $content = Content::model()->findByPk($_GET['id']);
    return $content !== null && $content->user_id == Yii::app()->user->id;
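Both the question's bizrule (which reads $params['content']) and the static-method workaround in the replies depend on how checkAccess() is called: Yii evaluates a bizrule with whatever $params the caller passes, so a rule that reads $params['content'] can only succeed when the check is made with the model supplied. The following is an added example, not code from this thread or from the rights extension, showing the hierarchy from the question set up through Yii 1.1's CAuthManager and the check performed in a controller action that passes the loaded Content model; the ContentController class, the actionUpdate action and the one-off setup script are assumptions.

```php
<?php
// One-off setup of the hierarchy described in the question (run from a console
// command or migration; assumed, not part of the thread).
$auth = Yii::app()->authManager;

// The bizrule is eval'd with the $params given to checkAccess(). Treat a
// missing 'content' entry as a denial instead of an undefined-index notice.
$bizRule = 'return isset($params["content"])'
         . ' && $params["content"]->user_id == Yii::app()->user->id;';

$auth->createOperation('Content.Update', 'Update any content');
$auth->createOperation('Content.Update.Own', 'Update own content', $bizRule);
// Content.Update is a child of Content.Update.Own, as in the question, so a
// check for Content.Update walks up to Content.Update.Own and runs its bizrule.
$auth->addItemChild('Content.Update.Own', 'Content.Update');

$role = $auth->createRole('Authenticated');
$role->addChild('Content.Update.Own');
$auth->save(); // writes the file for CPhpAuthManager; CDbAuthManager stores immediately

// Controller side (assumed class and action names). The check must receive the
// record being edited, otherwise $params['content'] is never set.
class ContentController extends CController
{
    public function actionUpdate($id)
    {
        $model = Content::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested content does not exist.');
        }
        // Authorize against the loaded record, not the raw request id, so the
        // bizrule compares the real owner with the logged-in user.
        if (!Yii::app()->user->checkAccess('Content.Update', array('content' => $model))) {
            throw new CHttpException(403, 'You are not allowed to update this content.');
        }
        if (isset($_POST['Content'])) {
            $model->attributes = $_POST['Content'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

A filter that calls checkAccess('Content.Update') with no parameters will still deny here, since the bizrule then sees no 'content' entry; the per-record check has to happen where the model is available.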