RBAC with wildcard subdomains

jonmixnblend · April 19, 2012, 7:17am

Hey Guys

So i’m building a service where I’m implementing wildcard subdomains, so when you sign up the first user gets an admin account on say example.service.com.

He or she can then add users with different roles to that mini site. i’m using wildcard subdomains and routing to allow this to happen without separate yii installs.

If someone adds an email address of someone already in the system to their mini site in whatever role, they should then be able to log onto that minisite with that role, for that mini-site. so maybe I am an admin on example.service.com but just a user on example2.service.com

Now I can make this work pretty easily with a hand rolled group table.

I just have 3 tables, group site and user and then a join table called site_user_group where I can specify what group a user is part of for a particular site, the site being the subdomain part of things.

I’d rather use the built in auth manager though, as the RBAC design seems like a really nice way to do things. I see from the Mysql schema that AuthAssignment relates to userid , is there any way I could alter the Authmanager so I could relate an Authassignment to a user and a ‘site’ as defined above easily? Sorry for asking this, I’ve been thinking about it for a while but just can’t seem to come up with an easy solution.

Best

Jon

boynet · April 19, 2012, 7:25am

you can you the $bizRule to make this

jonmixnblend · April 21, 2012, 10:29am

Surely that is a really messy way of implementing permissions across multiple instances? I see Qiang advocates that as a solution Here:

However I have to agree with Marius when he says:

I cant’t really agree with your proposed approach.

The business rules shouldn’t serve this purpose but rather be kept for more useful tests, such as the “updateOwnPost” task from the documentation. Yes, bizRules can be defined at any level, but the one place I’d be adding it to may require another snippet at some time. Not good. I don’t want to micro-manage code generation when assigning roles to users: merging code snippets is going to be a maintenance nightmare I’m readily avoiding as much as possible.

Furthermore, this kind of filtering should be done by the database. After all, the information required to figure out whether a user may access a given resource or not will be present inside the AuthAssignment table in either case (be it serialized inside the data or in a dedicated column). No need to fetch the row and evaluate some PHP code in order to come to the same conclusion than the database would knows right away.

The RBAC overhead is already quite big in my case (7-15 queries for the menus alone). I don’t want to trigger a PHP code evaluation for most of these rows. For that same reason, I’d avoid executing checkAccess() twice (once with the domain suffix and once without). It just wouldn’t scale and can’t be done with numeric userId’s.

So, I guess I’m going to try my initial idea and modify the first few methods of CDbAuthManager and add dynamic filtering, although I fear it’s going to be quite a mess.

I see there was no reply. I don’t know maybe I’m being extremely dense here, but using bizRules to make this work seems really messy. So you’d set multiple roles of the same type for a user theoretically on different subsites, the only thing letting you know i user A has a certain role on site A is one of those role entries bizRule evaluates to true? How then would you retrieve a list of Roles for a user on a specific site?

Does anyone have any thoughts on this:)

Hope you are all having a great day.

Best

Jon

jbowler · August 10, 2012, 8:51am

I’m experimenting using Yii for my site, where users sign up, and have their own, unique, subdomain. Among users of an organization, there are multiple permission layers. How did you solve this issue?