As far as I can see RBAC is aimed at protecting the application data (CRUD…). In all the examples I see it is used in the Controller to prevent unauthorised actions.
Is there any example or discussion about how I could re-use the RBAC data to determine what buttons to present on the View? E.g. I don’t want to have an Update hyperlink on a View if the user is not allowed to perform that action.
Methods I’ve thought of so far:
use the controller to pass in an array of buttons to the view - I’ll have to cache the user’s full Authentication data in the session to protect the database
(I’ll probably have to do caching to save the processing in CMenu anyway)
use the checkAccess method in the View - is this good practice?
I would like to link the CMenu->run (e.g. visible/not) to the RBAC data too?
You can use something like this in the views to determine whether something can be shown or not, I’m not sure if this is the best way but it definitely works for me.
Both suggested options hammer the checkAccess() function every time I need to render a page, which will have an impact on performance - esp. if the site scales to many concurrent users.
I still think I have to create an in-memory Menu+Action authorisation map for the user session. That way I save the database from multiple hits.
It’s interesting to see how others are implementing this…
For the benefit of others… here is my components/MainManu.php file. As you can see I use setState and getState to store the menu items in the user session.
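The two approaches discussed in this thread, calling checkAccess() from a view and keeping a per-session authorisation map in the user state so the menu does not hit the database on every page, can be combined in one small Yii 1.x application component. The code below is an added example, not the poster's MainManu.php file and not part of the Yii framework; the component name MenuAuthMap, the state key, the route names and the operation names (createPost, updatePost, deletePost, admin) are all assumptions that you would replace with your own auth data. It uses only the CWebUser methods mentioned in the thread (checkAccess, setState, getState) and the 'visible' key that zii.widgets.CMenu understands.

```php
<?php
// components/MenuAuthMap.php (hypothetical name, example code).
// Resolves each menu item's RBAC operation once per session with checkAccess()
// and caches the result in the user's session state via setState()/getState(),
// so building CMenu and showing/hiding buttons in views costs no DB queries
// after the first page of the session.
class MenuAuthMap extends CApplicationComponent
{
    // Session state key under which the map is stored (assumed name).
    const STATE_KEY = '__menuAuthMap';

    // Menu definition: label => array(route, required RBAC operation or null).
    // These routes and operation names are illustrative; they must match
    // the items in your own CAuthManager (CDbAuthManager/CPhpAuthManager).
    public $items = array(
        'Home'        => array('site/index',  null),
        'Create post' => array('post/create', 'createPost'),
        'Update post' => array('post/update', 'updatePost'),
        'Delete post' => array('post/delete', 'deletePost'),
        'Admin'       => array('admin/index', 'admin'),
    );

    /**
     * Returns array(operation => bool) for the current user. checkAccess()
     * is only called the first time in a session; later calls read the
     * session state.
     */
    public function getMap()
    {
        $user = Yii::app()->user;
        $map  = $user->getState(self::STATE_KEY);
        if (is_array($map))
            return $map;

        $map = array();
        foreach ($this->items as $def)
        {
            $op = $def[1];
            if ($op === null || isset($map[$op]))
                continue;
            // Guests never get a DB lookup; everyone else is checked once.
            $map[$op] = $user->isGuest ? false : (bool)$user->checkAccess($op);
        }
        $user->setState(self::STATE_KEY, $map);
        return $map;
    }

    /**
     * May the current user perform $operation, according to the cached map?
     * Use this in views for plain operations. Operations that need business
     * rule parameters (e.g. "update own post") cannot be cached per session;
     * call Yii::app()->user->checkAccess($op, $params) directly for those.
     */
    public function can($operation)
    {
        if ($operation === null)
            return true;
        $map = $this->getMap();
        return isset($map[$operation]) && $map[$operation];
    }

    /** Items array for zii.widgets.CMenu, with 'visible' taken from the map. */
    public function getMenuItems()
    {
        $menu = array();
        foreach ($this->items as $label => $def)
        {
            $menu[] = array(
                'label'   => $label,
                'url'     => array($def[0]),
                'visible' => $this->can($def[1]),
            );
        }
        return $menu;
    }

    /**
     * Drops the cached map. Call this when a user's role assignments change
     * (or force a re-login); otherwise revoked rights stay visible in the
     * menu until the session ends. setState() with null removes the key.
     */
    public function invalidate()
    {
        Yii::app()->user->setState(self::STATE_KEY, null);
    }
}
```

Register it in config/main.php as a component (for example `'menuAuth' => array('class' => 'application.components.MenuAuthMap')`, name assumed), then in the layout call `$this->widget('zii.widgets.CMenu', array('items' => Yii::app()->menuAuth->getMenuItems()));` and in a view wrap a button in `if (Yii::app()->menuAuth->can('updatePost'))`. Two caveats for anyone copying this: the view-side check only tidies the UI, so every action still needs its own checkAccess() or accessControl filter in the controller, because a hidden link can simply be typed into the address bar; and the session map is a snapshot, so a permission revoked mid-session is not enforced by the menu until invalidate() runs or the user logs in again.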