RBAC library design


(Alexander Makarov) #1

I’ve spent some time cleaning up RBAC so now it passes tests: https://github.com/yiisoft/rbac

There are some questions I’d like to hear your opinion about:

  1. Is it useful to have an ability to assign permission directly to a user instead of adding to role that is assigned to user?
  2. Is ManagerInterface complete enough to RBAC management UI?

(demonking) #3

Seems complete enough, but it’s only my opinion.

Edit: To Point 1, have misunderstood the question.
This was a general question, have deleted my quote


#4

Yes, it is useful. Are there any drawbacks of having it?


(Alexander Makarov) #5

Yes. It’s abused. What are use cases?


(Kavitama) #6
  1. To me it is wrong to assign permission directly to a user, somehow is an old heritage of monolithic apps

#7

More granular permissions for editing articles in wiki-like website. Each article has its own permission, and I’m assigning them directly to users (there is too many combinations to create roles).

This is Yii 1.1 website, so I’m not using RBAC from Yii 2, but something similar.

How? If there is a need for assigning permission directly to user, people will do this anyway - they will just create roles instead of permissions.


(Alexander Makarov) #8

So far:

  1. Decided no to remove ability to add permissions directly to user.
  2. Removed ability to check for a role with userHasPermission(). Hope that would result in more correct RBAC usage.

Yii 2.0.28, extensions and Yii 3 progress
(Insolita) #9

1 it depends on project, in some cases it useful to assign permissions directly without roles


(Schmunk) #10
  1. Would be nice to have an option, to explicitly enable assigning of permissions to users. I agree that this is abused often.

(Alexander Makarov) #11