admin: Thread Split from http://www.yiiframew…opic,191.0.html
Sorry that I continue this discussion in doc thread …
Now we can use RBAC with CAccessControlFilter so there is no problem to use it with ips, verbs, etc (I know that this can be also done by bizrule).
array('allow', 'actions'=>array('delete'), 'roles'=>array('admin'), 'ips'=>array('10.0.0.1'), )
I mean that such a method ([tt]checkActionAccess()[/tt]) would be much more flexible regardles of using RBAC.
It wolud also help in further development of application for example when will be need to introduce RBAC. I mean situation when we use user rule for controling access and when application becomes bigger we need to introduce RBAC, so we change only rules in conrtoler from 'user' to 'roles' and everything would work OK without any other changes in controler or views.
Without checkActionAccess() method we have to change all views or all controler methods such a [tt]canUpdatePost()[/tt],
Of course we can use [tt]checkAccess()[/tt] but it's not affected by rules defined in controler. When using it we have to define
(role or task or operation doesn't matter) <------> (action)
assingment at least twice (in controler and in view) so it can results in mistakes when there are many actions and roles.
$this->widget('application.components.ActionMenu',array( 'items'=>array( array('label'=>'Update post', 'url'=>array('post/update'), 'visible'=>Yii::app()->user->checkAccess('?.... // here we have to think how it was defined in controler maybe it was moderator, or maybe updateOwnPost ?? array('label'=>'Update post', 'url'=>array('post/update'), 'visible'=>=>Yii::app()->user->checkActionAccess('update'); // - no problem .
IMHO there is few kinds of application where we can use username based accessControl. Most of them will need RBAC unless we treat username as a role (but this is not very good solution), so i think that idea or [tt]checkActionAccess()[/tt] is not so bad.