RBAC. Checking Access

Hello,

I’m trying to figure out how RBAC works, but I’m faced with an interesting fact. Maybe I don’t understand something, or…

So, let’s take a look at what I have done. Firstly, I’ve created 6 operations and assigned 2 of them to the user.

public function actionInstall() {
    $auth = Yii::app()->authManager;

    // Operations on URLs
    $auth->createOperation('createUrl', "createUrl");
    $auth->createOperation('deleteUrl', "deleteUrl");
    $auth->createOperation('updateUrl', "updateUrl");

    // Operations on categories
    $auth->createOperation('createCategory', "createCategory");
    $auth->createOperation('deleteCategory', "deleteCategory");
    $auth->createOperation('updateCategory', "updateCategory");

    // Assign two of the operations directly to user 1
    $auth->assign('createUrl', 1);
    $auth->assign('createCategory', 1);

    $auth->save();
}

Then in another action I decided to test how many queries the API uses.

public function actionTest() {
    var_dump(Yii::app()->user->checkAccess('createUrl'));
    var_dump(Yii::app()->user->checkAccess('createCategory'));
}

The result is 4. To check each item the API does 2 queries.

SELECT *
FROM `directory_authassignment`
WHERE userid=:userid. Bound with :userid='1'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='createUrl'

=======

SELECT *
FROM `directory_authassignment`
WHERE userid=:userid. Bound with :userid='1'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='createCategory'

The first and third are the same queries.

Okay, I thought, and decided the problem was that the user does not have a role.

In the next try I’ve created 6 operations and 1 role, and assigned the role to a user.

public function actionInstall() {
    $auth = Yii::app()->authManager;

    // Operations on URLs
    $auth->createOperation('createUrl', "createUrl");
    $auth->createOperation('deleteUrl', "deleteUrl");
    $auth->createOperation('updateUrl', "updateUrl");

    // Operations on categories
    $auth->createOperation('createCategory', "createCategory");
    $auth->createOperation('deleteCategory', "deleteCategory");
    $auth->createOperation('updateCategory', "updateCategory");

    // One role that groups two of the operations
    $role = $auth->createRole("creator");
    $role->addChild("createUrl");
    $role->addChild("createCategory");

    // Assign the role (not the operations) to user 1
    $auth->assign('creator', 1);

    $auth->save();
}

Checking the query count one more time.

public function actionTest() {
    var_dump(Yii::app()->user->checkAccess('createUrl'));
    var_dump(Yii::app()->user->checkAccess('createCategory'));
}

And the application log says that now we need to run 4 queries to check an item.

SELECT *
FROM `directory_authassignment`
WHERE userid=:userid. Bound with :userid='1'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='createUrl'

SELECT `parent`
FROM `directory_authitemchild`
WHERE child=:name. Bound with :name='createUrl'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='creator'

=========================

SELECT *
FROM `directory_authassignment`
WHERE userid=:userid. Bound with :userid='1'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='createCategory'

SELECT `parent`
FROM `directory_authitemchild`
WHERE child=:name. Bound with :name='createCategory'

SELECT *
FROM `directory_authitem`
WHERE name=:name. Bound with :name='creator'

So, what I’m asking for.

Why is this? I have a web interface with about 14 items in the menu which should be displayed or not depending on user access. To sum up:

If only operations are assigned to the user and I check all 14 items, then it will take 14 * 2 = 28 queries to the database.

If operations and roles are assigned to the user, then it will take 14 * 4 = 56 queries.

Hmm… maybe I’m doing something wrong or… Please, someone give me advice on how to reduce the query count. Sorry for my bad English.

That’s why I’ve created my own auth manager class that loads all auth items in a single query, much like CPhpAuthManager does with the file.
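An added example, not code from this thread or from Yii: it models the three CDbAuthManager-style tables in an in-memory SQLite database (Python, so it runs stand-alone) and shows the preloading approach described in the reply above, three queries for the whole request instead of four per checkAccess. Table and column names follow the logged queries without the `directory_` prefix; the data is constructed from the thread's second setup, and business rules are not modelled.

```python
import sqlite3

# Constructed data mirroring the thread's second setup: six operations and one
# role "creator" (children createUrl, createCategory) assigned to user 1.
OPERATIONS = ["createUrl", "deleteUrl", "updateUrl",
              "createCategory", "deleteCategory", "updateCategory"]

def build_db():
    """Creates the three CDbAuthManager-style tables in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE authitem (name TEXT PRIMARY KEY, type INTEGER);
        CREATE TABLE authitemchild (parent TEXT, child TEXT);
        CREATE TABLE authassignment (itemname TEXT, userid TEXT);
    """)
    db.executemany("INSERT INTO authitem VALUES (?, 0)", [(n,) for n in OPERATIONS])
    db.execute("INSERT INTO authitem VALUES ('creator', 2)")
    db.executemany("INSERT INTO authitemchild VALUES ('creator', ?)",
                   [("createUrl",), ("createCategory",)])
    db.execute("INSERT INTO authassignment VALUES ('creator', '1')")
    return db

class CachedAuthManager:
    """Loads the item graph and the user's assignments once, then checks in memory."""

    def __init__(self, db, user_id):
        self.db = db
        self.queries = 0  # SQL statements issued by this manager
        # Three queries in total, regardless of how many items are checked later.
        self.items = {r[0] for r in self._query("SELECT name FROM authitem")}
        self.parents = {}
        for parent, child in self._query("SELECT parent, child FROM authitemchild"):
            self.parents.setdefault(child, []).append(parent)
        self.assigned = {r[0] for r in self._query(
            "SELECT itemname FROM authassignment WHERE userid=?", (user_id,))}

    def _query(self, sql, params=()):
        self.queries += 1
        return self.db.execute(sql, params).fetchall()

    def check_access(self, item):
        """Walks from the item up through its parents, as the logged check does, without SQL."""
        seen, stack = set(), [item]
        while stack:
            name = stack.pop()
            if name not in self.items or name in seen:
                continue  # unknown item, or a cycle in the hierarchy
            seen.add(name)
            if name in self.assigned:
                return True
            stack.extend(self.parents.get(name, []))
        return False
```

Checking all 14 menu items from the question against one such manager costs the same three queries as checking one.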

Great. Thank you for this extension. I think it’s exactly what I’m looking for.

Lol. Seems it is quite needed functionality and everybody finally gets to this point. I have created my hybrid auth manager which reads roles/operations/etc. from file configuration, the same as CPhpAuthManager, but assignment of auth items to users is done in the database :)