RBAC defaultRoles with bizRule performance overhead?

We have a large user base on one of our sites. I wrote code to assign/revoke roles to users on login, on modification, and deletion.

Keeping this structure intact makes me cringe! Though the performance benefits may be worth it.

I would rather have default roles be assigned based on a bizRule that checks the type of the current user. This sounds like a lot of traffic though… every page load is going to require a query to the database.

How have you guys solved this in the past? Is the bizRule method worth the overhead?

Which authorization manager are you using?

You can use CPhpAuthManager, which does not use the database but a config file… it's harder to maintain but has a smaller overhead.

I am using CDbAuthManager; CPhpAuthManager seemed to be about the same from a visual inspection.

I ended up just modifying the auth assignment table each time a CRUD operation is performed on a user model.


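  /**
   * (non-PHPdoc)
   * @see yii-dev/framework/base/CModel#afterSave($event)
   */
  public function afterSave()
  {
    // Re-sync the auth assignment with the user's current type.
    $this->updateRole();

    // Let the framework raise onAfterSave for attached handlers.
    parent::afterSave();
  }

  /**
   * (non-PHPdoc)
   * @see yii-dev/framework/CActiveRecord#beforeDelete()
   */
  protected function beforeDelete()
  {
    // Honour a veto from onBeforeDelete handlers before touching roles.
    if (!parent::beforeDelete())
      return false;

    $this->removeAllRoles();

    return true;
  }

  /**
   * Replace the user's role assignments with the single role
   * named after the user's type.
   */
  public function updateRole()
  {
    $auth = Yii::app()->authManager;

    $this->removeAllRoles();

    $auth->assign($this->type, $this->id);
    $auth->save();
  }

  /**
   * Revoke every role currently assigned to this user.
   */
  private function removeAllRoles()
  {
    $auth = Yii::app()->authManager;

    // getRoles() returns the user's roles indexed by role name.
    $roles = $auth->getRoles($this->id);
    foreach($roles as $key=>$role)
    {
      $auth->revoke($key, $this->id);
    }
  }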
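
The bizRule approach asked about at the top of the thread, as an added example that is not code from any poster or from the Yii project: the user's type is read once at login and kept in session state, so the default-role rules do not query the user table on each page load. The role names `admin` and `member`, the `type` state key, the `User` model columns and the `createDefaultRoles()` helper are assumptions.

```php
<?php
// Added example. Assumes a Yii 1.1 app whose authManager config contains
//   'defaultRoles' => array('admin', 'member')
// and a User model with username, password (hash) and type columns.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $user->password)) {
            // CPasswordHelper ships with Yii 1.1.14 and later.
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            // The only user-table query: the type is copied into session state.
            $this->setState('type', $user->type);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// One-time setup (hypothetical helper, e.g. called from a console command).
// Each default role gets a bizRule comparing the session-held type with a
// fixed literal, so no per-user rows are needed in the assignment table.
function createDefaultRoles(IAuthManager $auth)
{
    foreach (array('admin', 'member') as $type) {
        // var_export() emits a quoted PHP literal; the evaluated rule string
        // is built only from these constants, never from request data.
        $rule = 'return !Yii::app()->user->isGuest'
              . ' && Yii::app()->user->getState("type") === ' . var_export($type, true) . ';';
        $auth->createRole($type, 'Default role for ' . $type . ' users', $rule);
    }
    $auth->save();
}
```

Because the type is cached at login, a change to a user's type (a demotion in particular) only takes effect once that user's session is renewed, so demotions should also invalidate the session. The `type` attribute itself should not be mass-assignable from user-editable forms, since it decides the role in both this approach and the assignment-table approach above.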