Is there a suggested way to protect data using RBAC?
For example, I want Managers and Customers to have the same permission, let’s call it “ViewOrder”. Now I want a group of customers to view that order but not other orders.
How do I set up a rule to handle that case?
What if I want to add more people to that group of customers?
What if I want some users to view ALL orders?
Do I need to create my own tables to handle this or can RBAC help somehow?
In the issue I was wrong about concrete order permissions and group. It could be done like the following:
Define hierarchy:
Everyone -- role
ViewOrder -- permission
CheckOrder -- rule
Manager extends Everyone -- role
Customer extends Everyone -- role
Admin -- role
ViewAllOrders -- permission
Create CheckOrder rule class:
use Yii;
use yii\rbac\Rule;

class CheckOrder extends Rule
{
    public $name = 'checkOrder';

    // $user is the user ID (not a User object); $params is what was passed to can()
    public function execute($user, $item, $params)
    {
        // Fail closed when no concrete order is being checked
        if (empty($params['orderId'])) {
            return false;
        }
        $roleNames = [];
        foreach (Yii::$app->authManager->getRolesByUser($user) as $role) {
            $roleNames[] = $role->name;
        }
        return OrderPermission::find()
            ->where(['order_id' => $params['orderId'], 'role' => $roleNames])
            ->exists();
    }
}
Create OrderPermission AR model and a table order_permission that contains order_id and role columns and holds permissions for a certain role to edit order specified.
In order to assign more users to a certain group, use the RBAC API.
If you want someone to be able to work with all orders, assign him an admin role.
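The hierarchy and checks above, carried through end to end as an added example (this is not code from the issue or from the Yii project). It assumes a configured authManager (for instance yii\rbac\DbManager), the CheckOrder rule class, and an OrderPermission ActiveRecord over the order_permission table with the order_id and role columns named in the answer; the role name 'KeyAccounts', user id 7 and order id 42 are constructed values.

```php
<?php
// Added example, not code from the issue: builds the hierarchy described
// above with the Yii 2 authManager and shows the check a controller makes.
// Assumes a configured authManager (e.g. yii\rbac\DbManager), the CheckOrder
// rule class and an OrderPermission ActiveRecord over order_permission
// (order_id, role). 'KeyAccounts', user 7 and order 42 are constructed.

use yii\db\Migration;

// Table behind OrderPermission: one row grants one role access to one order.
class m000000_000000_create_order_permission extends Migration
{
    public function up()
    {
        $this->createTable('{{%order_permission}}', [
            'order_id' => $this->integer()->notNull(),
            'role'     => $this->string(64)->notNull(),
        ]);
        // (order, role) is unique and indexed, so the rule's lookup stays cheap
        $this->addPrimaryKey('pk_order_permission', '{{%order_permission}}', ['order_id', 'role']);
    }
}

// One-off setup of roles, permissions and the rule (run from a console command).
function buildOrderRbac()
{
    $auth = Yii::$app->authManager;

    $rule = new CheckOrder();
    $auth->add($rule);

    // ViewOrder is granted only when CheckOrder returns true for the given orderId
    $viewOrder = $auth->createPermission('ViewOrder');
    $viewOrder->ruleName = $rule->name;
    $auth->add($viewOrder);

    // ViewAllOrders carries no rule: whoever holds it sees every order
    $viewAll = $auth->createPermission('ViewAllOrders');
    $auth->add($viewAll);

    $everyone = $auth->createRole('Everyone');
    $auth->add($everyone);
    $auth->addChild($everyone, $viewOrder);

    foreach (['Manager', 'Customer'] as $name) {
        $role = $auth->createRole($name);
        $auth->add($role);
        $auth->addChild($role, $everyone);   // Manager and Customer extend Everyone
    }

    $admin = $auth->createRole('Admin');
    $auth->add($admin);
    $auth->addChild($admin, $viewAll);
}

// A "group of customers" is just another role. The rule matches the names that
// getRolesByUser() returns, i.e. roles assigned directly to the user, so assign
// the group role itself rather than relying on a parent role.
function createCustomerGroup($groupName)
{
    $auth = Yii::$app->authManager;
    $group = $auth->createRole($groupName);
    $auth->add($group);
    $auth->addChild($group, $auth->getRole('Customer'));
    return $group;
}

function addUserToGroup($groupName, $userId)
{
    $auth = Yii::$app->authManager;
    $auth->assign($auth->getRole($groupName), $userId);  // "add more people"
}

function grantOrderToGroup($orderId, $groupName)
{
    $grant = new OrderPermission();
    $grant->order_id = $orderId;
    $grant->role = $groupName;
    return $grant->save();
}

// Controller-side check: either the unconditional permission or the rule-backed
// one for this concrete order. Always pass orderId; without it the rule has
// nothing to compare against the grants table.
function canViewOrder($orderId)
{
    $user = Yii::$app->user;
    return $user->can('ViewAllOrders') || $user->can('ViewOrder', ['orderId' => $orderId]);
}

// Wiring it together with the constructed values
buildOrderRbac();
createCustomerGroup('KeyAccounts');
addUserToGroup('KeyAccounts', 7);
grantOrderToGroup(42, 'KeyAccounts');
// In OrderController::actionView($id):
//   if (!canViewOrder($id)) { throw new \yii\web\ForbiddenHttpException(); }
```

The two-part check in canViewOrder matters: Admin never holds ViewOrder, so can('ViewOrder') alone would deny admins, while can('ViewAllOrders') alone would deny the customer group. Keeping the order-specific grant in order_permission (rather than creating one RBAC permission per order) keeps the auth tree small and makes the per-order grant a single, auditable row.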