RBAC Best Practice Question

I have been learning RBAC over the past couple of days, and everything functions as I want, but I am wondering if anyone can educate me on best practice for the following situation: I have an operation, ‘pageReject’, that relies upon:

  1. the user having the ‘publisher’ role

  2. an attribute in the record matching a certain value (in this case, page_status == ‘PROPOSED’)

My question is, where should the logic of 2. belong? It is not influenced by the user, but ultimately it is determining if the user can access the operation. Currently I have used the following:

// The business rule is a PHP string; Yii 1 evaluates it with $params in scope.
$auth->createOperation('pageReject', 'Reject a page', 'return isset($params["page"]) && $params["page"]->page_status == "PROPOSED";');

$role = $auth->createRole('publisher');
// The link that makes the role confer the operation (left out of the snippet above).
$role->addChild('pageReject');

This allows me to conveniently use:

Yii::app()->user->checkAccess('pageReject', array('page' => $model));

However, I am concerned this is bad practice in that the biz rule itself does not rely on user information at all, and so semantically it may not be right to include this logic here. Could anyone confirm or allay my concerns, and point me to where this logic might be situated instead? (I could remove the biz rule and call a ‘checkReject’ method attached to the Page class, but this seems less watertight.)

I believe that your approach is fine. The biz rule is designed to contain business logic, so it doesn’t have to be user specific. As you’ve mentioned, you could refactor the rule logic into a method of the Page class for better separation of concerns, but you should still call this method from your business rule.
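The following is an added, stand-alone example (not code from the original question or answer, and not Yii's own implementation) that shows the refactor the answer recommends: the record-state check moves into a `Page::canReject()` method, and the business rule on the `pageReject` operation only delegates to it. Because Yii 1 needs a database or auth file to run its real `CAuthManager`, the example uses a tiny stand-in (`MiniAuthManager`, an assumed name) that keeps the same shape: operations with a business rule string, a role that owns the operation, a user assignment, and rules evaluated with `$params` in scope via `eval()`, which is how Yii 1's `CAuthManager::executeBizRule` does it. The `Page`, `canReject`, and the user ids are assumptions chosen for the example.

```php
<?php
// Added example: a minimal RBAC stand-in for Yii 1's business-rule mechanism.
// Not the original post's code and not Yii itself; names are assumptions.

class Page
{
    public $page_status;

    public function __construct($status)
    {
        $this->page_status = $status;
    }

    // Record-level rule owned by the model, so it can be unit-tested on its own
    // and reused outside the RBAC layer (e.g. to hide a "Reject" button).
    public function canReject()
    {
        return $this->page_status === 'PROPOSED';
    }
}

// Minimal auth manager: items (roles/operations) with an optional business
// rule, parent->child links, and role assignments per user id.
class MiniAuthManager
{
    private $items = array();        // name => array('bizRule' => string|null, 'children' => array)
    private $assignments = array();  // userId => array of role names

    public function createOperation($name, $bizRule = null)
    {
        $this->items[$name] = array('bizRule' => $bizRule, 'children' => array());
    }

    public function createRole($name)
    {
        $this->createOperation($name);
    }

    public function addChild($parent, $child)
    {
        $this->items[$parent]['children'][] = $child;
    }

    public function assign($role, $userId)
    {
        $this->assignments[$userId][] = $role;
    }

    // True if any role assigned to $userId reaches $itemName and every business
    // rule on the path evaluates to true for $params.
    public function checkAccess($itemName, $userId, $params = array())
    {
        $roles = isset($this->assignments[$userId]) ? $this->assignments[$userId] : array();
        foreach ($roles as $role) {
            if ($this->checkItem($role, $itemName, $params)) {
                return true;
            }
        }
        return false;
    }

    private function checkItem($current, $target, $params)
    {
        $item = $this->items[$current];
        if (!$this->executeBizRule($item['bizRule'], $params)) {
            return false;
        }
        if ($current === $target) {
            return true;
        }
        foreach ($item['children'] as $child) {
            if ($this->checkItem($child, $target, $params)) {
                return true;
            }
        }
        return false;
    }

    // Mirrors Yii 1: an empty rule passes, otherwise the rule string is
    // evaluated as PHP with $params available to it.
    private function executeBizRule($bizRule, $params)
    {
        if ($bizRule === null || trim($bizRule) === '') {
            return true;
        }
        return (bool) eval($bizRule);
    }
}

$auth = new MiniAuthManager();
// The business rule is now a one-line delegation; the logic lives in Page.
$auth->createOperation('pageReject', 'return isset($params["page"]) && $params["page"]->canReject();');
$auth->createRole('publisher');
$auth->addChild('publisher', 'pageReject');
$auth->assign('publisher', 42);   // constructed user id

var_dump($auth->checkAccess('pageReject', 42, array('page' => new Page('PROPOSED'))));
var_dump($auth->checkAccess('pageReject', 42, array('page' => new Page('PUBLISHED'))));
var_dump($auth->checkAccess('pageReject', 7, array('page' => new Page('PROPOSED'))));  // no role
```

The third call fails because user 7 has no `publisher` role even though the page is in the right state, which is the point of keeping both checks inside `checkAccess()`: the caller cannot forget the role check by calling `canReject()` directly. Keeping the rule string to a single delegation also matters because the rule is executed with `eval()` and is stored as data (in Yii 1, in the auth table or PHP file); a short, fixed string is easier to review than logic spread across stored code.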