RBAC

Hello,

I'd like to use RBAC with Yii 2.0. I have 3 user roles:

- admin: can do everything (write/edit/delete) with articles and products
- author_1: can write and edit articles | can write and edit products
- author_2: can write and edit products

auth_item table:

name          | type
------------- | ----
admin         | 1
author_1      | 1
author_2      | 1
createArticle | 2
createProduct | 2
updateArticle | 2
updateProduct | 2
deleteArticle | 2
deleteProduct | 2
viewArticle   | 2
viewProduct   | 2

auth_item_child table:

(image: roles.PNG)

But unfortunately, author_1 and author_2 can do everything the admin role can do. If I delete the admin role's rights, author_1 and author_2 can't delete anything. Can anybody help me?

Thanks…

Could you please provide more images of the rest of the RBAC tables? It looks like everything is OK, but maybe it's something in the auth_assignment table. Also, instead of repeating the permissions like this:

updateProduct - author_1

updateProduct - author_2

I recommend using a hierarchy of roles; if you do, you will probably get the permissions working the right way.

These videos are pretty good; they helped me a lot on this topic:

RBAC explained & implemented

RBAC part 1

RBAC part 2

auth_assignment:

(image: auth_assignment.PNG)

auth_item:

(image: auth_item.PNG)

auth_item_child:

(image: auth_item_child.PNG)

I'm logged in with user_id=15. It also shows the right role:

    array_shift(Yii::$app->authManager->getRolesByUser(Yii::$app->user->getId()))->name

prints "author_2".

My main.php is:

    'authManager' => [
        'class' => 'yii\rbac\DbManager',
        'defaultRoles' => ['admin', 'author_1', 'author_2'],
    ],

My action for product update is:

    public function actionUpdate($id) {
        if (\Yii::$app->user->can('updateProduct')) {
        }
    }
Although author_2 cannot update a product, I can update a product with the user role "author_2". If I delete the "updateProduct" entry for author_1, author_2 also cannot update a product. If I insert it for author_1 or admin, author_2 can update a product.
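As an added example (not the poster's code), here is the role hierarchy the reply recommends, built with the Yii 2 authManager API, alongside the config change that matters for this symptom: in Yii 2, roles listed in `defaultRoles` are granted to every user without an `assign()` call, so `can('updateProduct')` succeeds for any user as long as any of the three roles holds that permission. It assumes the DbManager tables already exist and that user id 15 is the author_2 account from the thread.

```php
<?php
// config/main.php (assumed layout): drop defaultRoles, so a user holds only the
// roles explicitly assigned in auth_assignment.
// 'authManager' => [
//     'class' => 'yii\rbac\DbManager',
//     // 'defaultRoles' => ['admin', 'author_1', 'author_2'],  <- remove this line
// ],
namespace app\commands;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // clean auth_item, auth_item_child and auth_assignment
        // The eight permissions from the thread's auth_item table.
        $perms = [];
        foreach (['create', 'update', 'delete', 'view'] as $verb) {
            foreach (['Article', 'Product'] as $object) {
                $perm = $auth->createPermission($verb . $object);
                $auth->add($perm);
                $perms[$verb . $object] = $perm;
            }
        }
        // author_2: write and edit products only.
        $author2 = $auth->createRole('author_2');
        $auth->add($author2);
        $auth->addChild($author2, $perms['createProduct']);
        $auth->addChild($author2, $perms['updateProduct']);
        // author_1: articles too, plus everything author_2 has (no duplicated rows).
        $author1 = $auth->createRole('author_1');
        $auth->add($author1);
        $auth->addChild($author1, $perms['createArticle']);
        $auth->addChild($author1, $perms['updateArticle']);
        $auth->addChild($author1, $author2);
        // admin: delete and view on top of author_1.
        $admin = $auth->createRole('admin');
        $auth->add($admin);
        foreach (['deleteArticle', 'deleteProduct', 'viewArticle', 'viewProduct'] as $name) {
            $auth->addChild($admin, $perms[$name]);
        }
        $auth->addChild($admin, $author1);
        // Assumed: user 15 is the author_2 account; roles now come only from here.
        $auth->assign($author2, 15);
    }
}
```

Run it once with `./yii rbac/init`; in `actionUpdate`, throw `yii\web\ForbiddenHttpException` when `can('updateProduct')` is false so the request is actually refused rather than silently continuing.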