RBAC explained?

I’ve read the article on RBAC in the documentation twice, but I can’t seem to piece the thing together. I haven’t written a line of code with the framework yet, but I’m very excited about it, and for that to happen I need a bit of a crash course in this:


$auth=Yii::app()->authManager;

// operations: the leaf permissions that checkAccess() is later called with
$auth->createOperation('createPost','create a post');
$auth->createOperation('readPost','read a post');
$auth->createOperation('updatePost','update a post');
$auth->createOperation('deletePost','delete a post');

// task with a business rule: 'updatePost' is granted through this task only
// when the current user is the author of the post passed in $params
$bizRule='return Yii::app()->user->id==$params["post"]->authID;';
$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
$task->addChild('updatePost');

// roles, built bottom-up so each child already exists when it is added
$role=$auth->createRole('reader');
$role->addChild('readPost');

$role=$auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost');

$role=$auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost');

$role=$auth->createRole('admin');
$role->addChild('editor');
$role->addChild('author');
$role->addChild('deletePost');

// assignments: second argument is the user id the role is granted to
$auth->assign('reader','readerA');
$auth->assign('author','authorB');
$auth->assign('editor','editorC');
$auth->assign('admin','adminD');

This code, does it need executing every time, or is it just run once to fill the db with it? And where do I put it? The docs are a little foggy when it comes to this.

Then there are the bizRules; I can’t get my head around them at all, could someone please explain them to me? :s

And in the controller, when calling checkAccess('deletePost'), I presume it’s the same name used in the roles above?

THX,

It actually happens backwards most of the time. If you have a very simple and straightforward permission system, you can manually handcraft code like the above in order to have the permission hierarchy set in place.

It only needs to be run when you want to grant permissions that are used later in checkAccess(). It depends on your application type how often you need that.

You may want to create a generic controller filter or an onBeginRequest event handler to set up roles and tasks for you.

There are special cases when the item type (a blog entry, for instance) and the user’s rights and roles (author, for example) are not enough to compare. If you don’t want authors to edit other authors’ entries, you want to add a business rule where you can make sure the entry belongs to the current user so she/he is able to modify it.

Partially correct. You can also check access for operations and rules as well.
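To show how the bizRule and the checkAccess() name fit together in a controller, here is an added example (not code from the thread or from the Yii guide). It assumes a Post ActiveRecord model with an authID column, which is what the bizRule above reads from $params["post"].

```php
<?php
// Added example: using the hierarchy from the thread in a controller action.
// Assumes a Post ActiveRecord with an authID column (as the bizRule expects).
class PostController extends CController
{
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null) {
            throw new CHttpException(404, 'Post not found.');
        }
        // Check the operation name, not a role name. The 'post' key becomes
        // $params["post"] inside the bizRule, so the check resolves as:
        //   editor -> updatePost                  (no bizRule: allowed)
        //   author -> updateOwnPost -> updatePost (allowed only if authID matches)
        //   reader -> no path to updatePost       (denied)
        if (!Yii::app()->user->checkAccess('updatePost', array('post' => $post))) {
            throw new CHttpException(403, 'You are not allowed to update this post.');
        }
        if (isset($_POST['Post'])) {
            $post->attributes = $_POST['Post']; // mass assignment limited by rules()
            if ($post->save()) {
                $this->redirect(array('view', 'id' => $post->id));
            }
        }
        $this->render('update', array('post' => $post));
    }
}
```

Because the bizRule is PHP that the auth manager evaluates from the database, it must stay a fixed string in your setup code and never be built from request data.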

You have to distinguish two things:

  • Creating the hierarchy

This is only done once. That’s this part of the code:


  $auth=Yii::app()->authManager;

  $auth->createOperation('createPost','create a post');
  $auth->createOperation('readPost','read a post');
  $auth->createOperation('updatePost','update a post');
  $auth->createOperation('deletePost','delete a post');

  $bizRule='return Yii::app()->user->id==$params["post"]->authID;';
  $task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
  $task->addChild('updatePost');

  $role=$auth->createRole('reader');
  $role->addChild('readPost');

  $role=$auth->createRole('author');
  $role->addChild('reader');
  $role->addChild('createPost');
  $role->addChild('updateOwnPost');

  $role=$auth->createRole('editor');
  $role->addChild('reader');
  $role->addChild('updatePost');

  $role=$auth->createRole('admin');
  $role->addChild('editor');
  $role->addChild('author');
  $role->addChild('deletePost');

  • Assigning roles to users

This needs to be done once for every user you want to assign a role to (except for default roles, which are automatically assigned to all users), or whenever you want to change the access rights of a specific user. That’s this part of the code:


  $auth->assign('reader','readerA');
  $auth->assign('author','authorB');
  $auth->assign('editor','editorC');
  $auth->assign('admin','adminD');

So for creating the hierarchy you can use any kind of script, e.g. a custom yiic command or a controller action that you only call once to set up your environment. Whereas for assigning roles to users you could build some kind of user management in your application where you can add or remove users and assign roles to them.
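As a concrete form of the "run it once" setup script, here is an added example (not code from the thread or from the Yii project): a yiic console command that builds the hierarchy from the question and skips every item or link that already exists, so it is safe to re-run after a partial failure. It assumes Yii 1.1 with a CDbAuthManager configured as the 'authManager' component in the console config, saved as protected/commands/RbacCommand.php and run with ./yiic rbac.

```php
<?php
// Added example: idempotent setup of the thread's RBAC hierarchy as a yiic command.
// Assumes Yii 1.1 and an 'authManager' component (CDbAuthManager) in console.php.
class RbacCommand extends CConsoleCommand
{
    public function run($args)
    {
        $auth = Yii::app()->authManager;
        // Operations: the leaf names that checkAccess() is later called with.
        $ops = array(
            'createPost' => 'create a post',
            'readPost'   => 'read a post',
            'updatePost' => 'update a post',
            'deletePost' => 'delete a post',
        );
        foreach ($ops as $name => $desc) {
            if ($auth->getAuthItem($name) === null) {
                $auth->createOperation($name, $desc);
            }
        }
        // Task with a bizRule: PHP evaluated by the auth manager at check time,
        // with $params being the array passed to checkAccess(). Keep it a fixed
        // string here; never build it from user input, because it is eval'd.
        if ($auth->getAuthItem('updateOwnPost') === null) {
            $bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
            $task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
            $task->addChild('updatePost');
        }
        // Roles in dependency order, so every child exists before it is linked.
        $roles = array(
            'reader' => array('readPost'),
            'author' => array('reader', 'createPost', 'updateOwnPost'),
            'editor' => array('reader', 'updatePost'),
            'admin'  => array('editor', 'author', 'deletePost'),
        );
        foreach ($roles as $name => $children) {
            $role = $auth->getAuthItem($name);
            if ($role === null) {
                $role = $auth->createRole($name);
            }
            foreach ($children as $child) {
                if (!$role->hasChild($child)) {   // addChild() throws on duplicates
                    $role->addChild($child);
                }
            }
        }
    }
}
```

Assignments ($auth->assign(...)) deliberately stay out of this command: they belong to your user management, as described above.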

I think he wondered whether a single installation script is enough or whether he has to prepare the authManager in each request.

Mike, your explanation was very good, and pestaa, thanks, that was exactly what I needed to hear.

Still, I don’t know why, but I’ve executed the SQL found in framework/web/… and when running the large chunk of code like above I get a message saying authItem doesn’t exist.

Is the schema loaded into the primary database defined in your ‘db’ component? Or have you configured a database at all?

Thanks for urging me to review my settings. I had it configured to the wrong db; it was just a difference of one character.

Seeing the solution, everything seems logical except for one thing… $auth->assign(). Doing it like the guide says could be quite bombastic, and you’ll get a very large db with many rows in it for assign, so can I do this with a group assign?

Meaning that I have 2 tables, users and usergroups, with a relation where a user belongs to 1…* usergroups; can that be done?

That’s pretty much the same as what RBAC already does: simply exchange “usergroup” with “role” ;)