RBAC with Dynamic roles

Consider the following scenario.

  • I have a blogging system

  • There are 2 classes of users: Authors and readers

  • Authors can create posts

  • Authors can edit of delete posts that they have created, but cannot edit or delete posts that other authors have created

Can the yii RBAC system handle the last requirement? How would I go about doing this ?


Yes it should, You’ll need to use the ‘expression’ property in the AccessRules. ( http://www.yiiframework.com/doc/api/1.1/CAccessRule#expression-detail ).

I haven’t tested this but it should work or at least provide some kind of workaround.

Such as:

public function accessRules(){

    //Get $owner_id from DB using your GET or POST data

    return array(



                'expression'=>'$user->id=='.$owner_id.' && $user->checkAccess("Author")',





Certainly can.

From the Yii guide (in the documentation package):

The business rule in the "updateOwnPost" authorisation item (also from the Yii Guide) is something like:

'return Yii::app()->user->id==$params["post"]->authID;';