RBAC

Hello all,

I’m having difficulties in solving my issue so I’m looking for some advice:

The app has 2 sections: clients, offers

I’m working on an app that uses yii2-user, yii2-rbac for user management.

I have defined 3 users: admin, company and user.

  • Admin should be able to view/edit/add/delete in company and user’s records

  • Company should be able to create child users, view/edit/add/delete own + child created records in clients, offers.

  • Users should be able to view/edit/add/delete own records in clients and offers.

So far I’ve managed to view the records that belong to own user, but this is not restricting the view/edit/add/delete of records that can be guessed (changing the id in browser).

So the question is how to restrict every user to view/edit/add/delete only own records? The Yii2 documentation doesn’t have anything related to my issue; any pointers will be helpful.

I don’t know how you learn Yii, but you should read the guide2 first: owner-rule

Example: User can create and modify his own post

http://www.yiiframework.com/forum/index.php/topic/60439-yii2-rbac-permissions-in-controller-behaviors/#entry269913
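The owner-rule pattern linked above, written out as an added example for the clients/offers case in the question (this is not code from the thread or from yii2-user/yii2-rbac). It assumes a `Client` ActiveRecord with a `user_id` column, a `User` model with a `parent_id` column pointing at the company that created the user, and permission/role names (`updateClient`, `updateOwnClient`, `user`, `company`, `admin`) chosen for the example. The key point is that the check happens on the loaded record inside `findModel()`, so a guessed id is refused before view/update/delete ever sees it.

```php
<?php
// Added example, not from the thread. Assumes a Yii2 app with the standard
// autoloader and DbManager configured as Yii::$app->authManager.
use yii\rbac\Rule;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;

// Rule: grant only when the record belongs to the caller, or (for company
// accounts) to a user the caller created. `parent_id` is an assumed column.
class OwnerRule extends Rule
{
    public $name = 'isOwner';

    public function execute($user, $item, $params)
    {
        if (!isset($params['model'])) {
            return false;                       // no record supplied: deny
        }
        $model = $params['model'];
        if ((string)$model->user_id === (string)$user) {
            return true;                        // caller owns the record
        }
        // Company case: the record's owner was created by the caller.
        $owner = \app\models\User::findOne($model->user_id);
        return $owner !== null && (string)$owner->parent_id === (string)$user;
    }
}

// One-time setup (run from a console command or migration). Hierarchy:
//   admin   -> updateClient            (unrestricted)
//   company -> user -> updateOwnClient (rule-guarded) -> updateClient
function setupClientRbac()
{
    $auth = Yii::$app->authManager;
    $auth->removeAll();

    $rule = new OwnerRule();
    $auth->add($rule);

    $updateClient = $auth->createPermission('updateClient');
    $updateClient->description = 'Update any client record';
    $auth->add($updateClient);

    $updateOwnClient = $auth->createPermission('updateOwnClient');
    $updateOwnClient->description = 'Update own (or child-created) client record';
    $updateOwnClient->ruleName = $rule->name;   // attach the ownership rule
    $auth->add($updateOwnClient);
    $auth->addChild($updateOwnClient, $updateClient);

    $user = $auth->createRole('user');
    $auth->add($user);
    $auth->addChild($user, $updateOwnClient);

    $company = $auth->createRole('company');
    $auth->add($company);
    $auth->addChild($company, $user);

    $admin = $auth->createRole('admin');
    $auth->add($admin);
    $auth->addChild($admin, $updateClient);
}

// Controller side: every action that takes an id goes through findModel(),
// which runs the permission check against the actual record.
class ClientController extends Controller
{
    public function actionUpdate($id)
    {
        $model = $this->findModel($id);         // 404 or 403 before any work
        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['view', 'id' => $model->id]);
        }
        return $this->render('update', ['model' => $model]);
    }

    protected function findModel($id)
    {
        $model = \app\models\Client::findOne($id);
        if ($model === null) {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        // The rule receives the loaded record, not the id from the URL.
        if (!Yii::$app->user->can('updateClient', ['model' => $model])) {
            throw new ForbiddenHttpException('You are not allowed to access this record.');
        }
        return $model;
    }
}
```

The same `findModel()` guard covers view and delete as soon as those actions call it too; the access filter in `behaviors()` is not enough on its own, because it only knows the route, not whose record is behind the id. Note that the 403 confirms the record exists; if that matters, throw `NotFoundHttpException` in both branches instead.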

RBAC in general:

http://www.yiiframework.com/wiki/771/rbac-super-simple-with-admin-and-user/

http://www.fabioferreira.pt/rbac-with-yii2-user-quick-tutorial/

http://www.yiiframework.com/forum/index.php/topic/49104-does-anyone-have-a-working-example-of-rbac