I’ve worked with Yii2 RBAC quite a lot and understand most of it. But I still have some questions about the permission-to-permission relation and the permission-rule relation.
[screenshot of the RBAC hierarchy]
First question is about permission. Please see the screenshot above
Assume we are talking about user John
if ‘updateOwnPost’ is the parent of ‘updatePost’, and ‘updateOwnPost’ belongs to the ‘Author’ role,
now when we ask
if (\Yii::$app->user->can('updatePost')) {
    // update post
}
should it return true because ‘updatePost’ is a child of ‘updateOwnPost’ which belongs to ‘author’ role ?
Why do I need to create a new permission ‘updateOwnPost’ and add ‘AuthorRule’ to it ? Can I just add ‘AuthorRule’ to ‘updatePost’ ?
It depends on which value the “AuthorRule” returns when the parameter ‘post’ is empty.
So, if the rule is defined in the same way as in the example of the guide, it returns false.
Note that “can(‘updatePost’)” is called with a parameter ‘post’ in the example of the guide:
if (\Yii::$app->user->can('updatePost', ['post' => $post])) {
    // update post
}
The ‘post’ parameter is ignored in ‘updatePost’, but will be passed to ‘updateOwnPost’ to be checked by “AuthorRule”.
In order to allow John to update a post, you have to have a way from “updatePost” to “John” following the arrows. “updatePost” has a way to “admin”, but there’s no way from “admin” to “John”. So we have to follow the route of “updatePost” -> “updateOwnPost” -> “author” -> “John”. And in “updateOwnPost”, the rule is checked to see if the post is his own. If the post is his own, then he will be allowed to update it. But other “author”s like “Bizley” and “softark” are not allowed because the rule returns false and can’t proceed to “author”.
It’s because we want to have a role “admin” who can update any post without considering its author, and a normal role “author” who can update only the posts that he/she has created.
If you add “AuthorRule” to “updatePost”, either “admin” can not update other persons’ posts, or any “author” can update any posts, depending on how you specify the rule and how you call “can()” method.
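The hierarchy the answer walks through (updatePost -> updateOwnPost -> author -> John, with a separate updatePost -> admin path), built with Yii2's authManager API and checked for the four cases discussed above. This is an added example, not code from the forum post or the Yii guide; it assumes Yii::$app->authManager is configured (DbManager or PhpManager), that $johnId and $adminId are existing user IDs, and that the post objects carry a createdBy attribute holding the author's user ID. The rule follows the same pattern as the guide's AuthorRule: it returns false when no 'post' parameter is supplied.

```php
<?php
// Added example: the RBAC hierarchy from the discussion, built with Yii2's
// authManager API. Assumes Yii::$app->authManager is configured and this
// class is autoloadable (DbManager serializes rule objects by class name).

namespace app\rbac;

use Yii;
use yii\rbac\Rule;

/**
 * Rule attached to 'updateOwnPost' only. It passes when the post being checked
 * was created by the user under test and fails otherwise. With no 'post'
 * parameter it returns false, which is why can('updatePost') without params
 * is denied for a plain author.
 */
class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    public function execute($user, $item, $params)
    {
        // $user is the user ID; the post object's createdBy attribute is an assumption.
        return isset($params['post']) ? $params['post']->createdBy == $user : false;
    }
}

/**
 * Builds: admin -> updatePost and author -> updateOwnPost -> updatePost,
 * then assigns John to author and the admin user to admin.
 */
function buildHierarchy($johnId, $adminId)
{
    $auth = Yii::$app->authManager;
    $auth->removeAll(); // start from an empty store (never do this against live data)

    // Leaf permission. It stays rule-free so that the admin path is unconditional.
    $updatePost = $auth->createPermission('updatePost');
    $updatePost->description = 'Update any post';
    $auth->add($updatePost);

    // The rule, then the conditional permission that carries it.
    $rule = new AuthorRule();
    $auth->add($rule);

    $updateOwnPost = $auth->createPermission('updateOwnPost');
    $updateOwnPost->description = 'Update own post';
    $updateOwnPost->ruleName = $rule->name;
    $auth->add($updateOwnPost);

    // updateOwnPost is the parent, updatePost the child: a user who holds
    // updateOwnPost (and passes its rule) therefore also holds updatePost.
    $auth->addChild($updateOwnPost, $updatePost);

    $author = $auth->createRole('author');
    $auth->add($author);
    $auth->addChild($author, $updateOwnPost);

    $admin = $auth->createRole('admin');
    $auth->add($admin);
    $auth->addChild($admin, $updatePost); // direct edge, no rule on this path

    $auth->assign($author, $johnId);
    $auth->assign($admin, $adminId);
}

/**
 * Runs the four checks discussed in the thread and returns the results so
 * they can be inspected or asserted in a test. $johnsPost and $otherPost are
 * assumed to be post objects with a createdBy attribute.
 */
function demo($johnId, $adminId, $johnsPost, $otherPost)
{
    $auth = Yii::$app->authManager;
    return [
        // updatePost -> updateOwnPost -> author -> John; rule passes: true
        'john_own'      => $auth->checkAccess($johnId, 'updatePost', ['post' => $johnsPost]),
        // same path, but John is not the author, so the rule fails: false
        'john_other'    => $auth->checkAccess($johnId, 'updatePost', ['post' => $otherPost]),
        // no 'post' parameter: the rule returns false and the admin path
        // does not lead to John: false
        'john_noparams' => $auth->checkAccess($johnId, 'updatePost'),
        // updatePost -> admin never touches the rule: true for any post
        'admin_other'   => $auth->checkAccess($adminId, 'updatePost', ['post' => $otherPost]),
    ];
}
```

Run buildHierarchy() once (for example from a console command or migration), then call demo() from a request where the two user IDs exist. Moving ruleName from updateOwnPost onto updatePost is exactly the change the answer warns against: the admin path would then also have to satisfy AuthorRule, so admins would lose the ability to update other people's posts.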