RBAC - Why Are auth.php Or DB Tables Needed?


I wonder why I need file auth.php or DB tables when I define rules (for example) in my Controller. Why are roles transformed and saved?

Why are they hardcoded and assigned to particular users in the file or tables? When I rename a role in my controller, I just receive an error, because the new definition of the rule is not in the DB and Yii cannot update the table dynamically.

Or what if I change the user's role in his profile (specified by the column USER.role_id)? How will the file or DB be updated?

I would like to use roles dynamically like this:

if ( login_ok() )

And if someone (admin) changes the role in the user's profile, the new role would be used automatically next time.

Because roles of users, their names and nested operations can be changed 10x every minute. And if they are hardcoded in a file or table they are useless.

Or am I missing something?

You should use the authManager app component to do everything you described. It can create, delete and assign auth items.

It needs to be stored somewhere to be available in the same form in each request.

But it is stored in my PHP code (see the definition below). Why copy this definition to the DB or a file? This is what I don't understand. Roles and operations are nothing complicated. They can be built (or their tree can be built) in the main controller on each request and stay only in memory or in the session.

$auth = Yii::app()->authManager;
$auth->createOperation('create', 'add new data');

So you just built your own authManager. Now if you don't want to use the provided authManager at all you should also build your own auth checking mechanisms.

Why would you rebuild the whole auth tree on each request? Isn't that just wasting resources?

Why wasting? Yii also has to read and build the whole tree of permissions from the DB (or auth.php) for each request. So why not read it directly from PHP code, which will always be up to date? The DB or file won't (because it is some uncontrolled copy made by Yii).

Maybe the whole RBAC thing works in a different way than I understand, so we probably both talk about different problems.

The biggest problem for me is that if I change the PHP code of roles then the DB or auth.php is not updated automatically and, what's more, it can end with an exception. I have to manually delete it first so it can be rebuilt. Why is this information about roles doubled?

From my point of view a role should be assigned to a user in the USER table, not in the table with roles and operations. But for example the file auth.php contains hardcoded info about which user has which role. So if I have 1500 users (and I have), will auth.php contain 1500 records? And who will update them if I change a user's role in the USER table?

Or is my philosophy different from Yii RBAC?

Let's get some things straight.

CPhpAuthManager stores data in a file. It's useful if you don't have a database at all and you don't have a dynamic list of users, just a public site with some hardcoded profiles like guest and logged-in.

CDbAuthManager stores data in three tables: one for auth items, a second for their relations and a third for assignment to users. You only provide the user table yourself. This, along with the auth checking mechanism, provides a complete solution so you don't have to implement anything yourself.

Now what you are describing is that you hold your profiles (roles) somewhere else and don't like the need of synchronising those two. Why not store them just in the data structures provided by CDbAuthManager?

If there is something you don't like in CDbAuthManager you could either extend it and reimplement some things, like loading the data from your tables, not the built-in ones, or you can stop using it altogether and implement your own auth mechanism.

CDbAuthManager assumes a user can have more than one role. So the relationship between a user and roles (or other auth items) is MANY_MANY. That's why a junction table is required. But that doesn't stop you from enforcing one role per user in the UI, which you need to build on your own.

So, if you would use only the authManager to assign roles to users you don't need to synchronise anything. And that's the idea: you have one interface in the logic and can easily swap implementations later.
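The following is an added example, not code from either poster or from the Yii project, showing the workflow the answer above describes and the "one role per user, driven by USER.role_id" setup the question asked for. It assumes Yii 1.1 with CDbAuthManager configured as the authManager component; the role and operation names, the User model, its roleName() mapping and the role ids are constructed for illustration. The tree is built once by a repeatable command instead of on every request, and the assignment is re-synchronised from the user's profile whenever it is saved, so a role change in the profile takes effect on the next request without any manual editing of the auth tables:

```php
<?php
// Added example (not from the thread). Assumed Yii 1.1 + CDbAuthManager.
//
// protected/config/main.php (fragment):
// 'components' => array(
//     'authManager' => array(
//         'class'        => 'CDbAuthManager',
//         'connectionID' => 'db',
//         // these are the defaults; the tables live beside your own User table
//         'itemTable'       => 'AuthItem',
//         'itemChildTable'  => 'AuthItemChild',
//         'assignmentTable' => 'AuthAssignment',
//     ),
// ),

/**
 * Build the auth tree once (console command or install script), not per request.
 * clearAll() first makes the command repeatable: re-running it after renaming a
 * role replaces the stale items instead of failing on a duplicate item name.
 */
function buildAuthTree()
{
    $auth = Yii::app()->authManager;
    $auth->clearAll();

    // operations: the atomic permissions a controller actually checks
    $auth->createOperation('createPost', 'create a post');
    $auth->createOperation('updatePost', 'update a post');
    $auth->createOperation('deletePost', 'delete a post');

    // task: a named group of operations
    $manage = $auth->createTask('managePost', 'create, update and delete posts');
    $manage->addChild('createPost');
    $manage->addChild('updatePost');
    $manage->addChild('deletePost');

    // roles: the items that get assigned to users
    $editor = $auth->createRole('editor');
    $editor->addChild('managePost');

    $admin = $auth->createRole('admin');
    $admin->addChild('editor');   // admin inherits everything an editor can do
}

/**
 * Make USER.role_id the single source of truth for "one role per user".
 * Every existing assignment is revoked before the new one is added, so a user
 * whose role was changed by an admin does not keep the old role's permissions.
 */
function syncUserRole($userId, $newRoleName)
{
    $auth = Yii::app()->authManager;

    foreach ($auth->getAuthAssignments($userId) as $itemName => $assignment) {
        $auth->revoke($itemName, $userId);
    }
    if ($newRoleName !== null && $auth->getAuthItem($newRoleName) !== null) {
        $auth->assign($newRoleName, $userId);
    }
}

// Hypothetical ActiveRecord for the USER table with the role_id column.
class User extends CActiveRecord
{
    // constructed mapping from role_id to the auth item name
    private static $roleNames = array(1 => 'editor', 2 => 'admin');

    public function roleName()
    {
        return isset(self::$roleNames[$this->role_id]) ? self::$roleNames[$this->role_id] : null;
    }

    protected function afterSave()
    {
        parent::afterSave();
        // the assignment table follows the profile automatically
        syncUserRole($this->id, $this->roleName());
    }
}

// In a controller the check consults the persisted assignments; the 'roles'
// entry of an access rule is passed to checkAccess(), so operation names work too.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('create'), 'roles' => array('createPost')),
            array('allow', 'actions' => array('delete'), 'roles' => array('deletePost')),
            array('deny'),
        );
    }
}
```

Because the tree is rebuilt with clearAll(), the build command must be followed by re-running syncUserRole() for every user (assignments are cleared too), which is one reason to run it from a deployment step rather than ad hoc; the per-request cost the thread worries about is then limited to the assignment and item lookups checkAccess() performs for the current user.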

Hi. Thanks for the clarification. This difference between auth.php and the DB is not mentioned in the manuals and it probably confused me. I'll have a look at it on Monday and think it over.

And if someone else reads this thread, I'll be glad for his/her opinions and experiences too.