RBAM - Role Based Access Control Manager


(Chris) #1

Role Based Access Manager (RBAM) is a Yii module that provides complete management of Authorisation Data (Authorisation Items, Authorisation Hierarchy, and Authorisation Assignments) for Yii’s Role Based Access Control system via a browser interface; it is intended for use in development and end-user administration environments.

RBAM has an intuitive “Web 2.0” interface to easily manage Authorisation Items (Roles, Tasks, and Operations), their hierarchy, and Authorisation Assignments. It presents all of an Authorisation Item’s information in one place providing a comprehensive overview and complete management of the item.

RBAM’s “Drill-down” and “Drill-up” features quickly show an item’s position in the Authorisation Hierarchy, what permissions it inherits (Drill down) and which Roles inherit its permissions (Drill up).

RBAM is built on top of Yii’s CAuthManager component and supports both of Yii’s built-in Authorisation Managers, CDbAuthManager and CPhpAuthManager, and authorisation managers extended from them.

The manual contains full configuration and usage details, and has loads of screenshots.


(Maurizio Domba Cerin) #2

And just to have all together… here is the link:

http://www.yiiframework.com/extension/rbam/

@Yeti

NOTE that on the extension page the resources group is misleading… try a demo just goes to yiiframework/demo… please delete this part if you don’t have a project page and/or a demo page


(Mjkulet) #3

I would like to test this one, but the documentation doesn’t come with any sample data to play with.

It would be really nice if it has a working test site to check its features.


(John Eskilsson) #4

Hi,

This extension is the start of something really good.

I have installed it and tried it using CDbAuthManager. I have it installed as a top level module.

This is my config:




    'modules'=>array(
        'rbam'=>array(
            'development'=>true,
        )
    ),
    ...
    'authManager'=>array(
        'class'=>'CDbAuthManager',
        'connectionID'=>'db',
    ),



I have set the login to validate towards the tbl_user. I can log in and after initializing RBAM I can see my user having the role RBAC Manager.

If I now go to the page where I have http://www.johnspage.com/rbam_test/index.php?r=rbam/authitems/index (this is an internal link on my system so don’t bother trying to go there), I can see the roles listed. “RBAC Manager” claims to have two children. According to the documentation, clicking the number of parents will drill down so I can see the sub roles of “RBAC Manager”. Unfortunately this doesn’t work.

The problem seems to be that I have my site in a sub-folder of the web root. The JavaScript code running the ajax code is not prepared for that.

If I change the code for show children to look like this it works:




    $.fn.rbam.showChildren = function(el,url) {
        var jRow = $(el).parents('tr').first();
        if (jRow.hasClass('showing-children')) {
            jRow.next().remove();
            jRow.removeClass('showing-children');
        }
        else {
            var strItemName = jRow.children('td.item-name').first().text();
            $.get(
                '/rbam_test/index.php',
                {r:url.replace(/\/rbam_test\/index\.php\?r=/i,''),item:strItemName},
                function(data) {
                    jRow.after('<tr class="children" style="display:none;"><td colspan="'+jRow.children('td').length+'">'+data+'</td></tr>');
                    jRow.next().show();
                    jRow.addClass('showing-children');
                },
                'HTML'
            );
        }
    };



This is not a very elegant solution and was only a hack to find out what the problem was.

Maybe you could recode this to take sub-folders into consideration?

I have the same problem on the page where you can drag and drop the auth items so I assume that we have the same problem there.

Thanks for a great extension.

/John
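
Added example (not part of the original post, not RBAM's code, and not necessarily the fix shipped in V1.1): one way to keep the client independent of the install folder is to append the item parameter to the URL the server generated, rather than rebuilding the script path in JavaScript. The helper name buildChildrenUrl and the route rbam/authItems/children are assumptions made for illustration.

```javascript
// Added example: append `item` to a server-generated URL so the script
// path (sub-folder or web root) and URL format are never hard-coded.
// buildChildrenUrl is a hypothetical helper name, not part of RBAM.
function buildChildrenUrl(serverUrl, itemName) {
  // A fragment, if present, must stay at the very end of the URL.
  var hashPos = serverUrl.indexOf('#');
  var fragment = hashPos === -1 ? '' : serverUrl.slice(hashPos);
  var base = hashPos === -1 ? serverUrl : serverUrl.slice(0, hashPos);

  // Keep the existing query pairs (for example r=...), but drop any
  // earlier `item` so the parameter is never sent twice.
  var qPos = base.indexOf('?');
  var path = qPos === -1 ? base : base.slice(0, qPos);
  var pairs = qPos === -1 ? [] : base.slice(qPos + 1).split('&').filter(function (p) {
    return p !== '' && p.split('=')[0] !== 'item';
  });

  // encodeURIComponent keeps item names containing & = # / or spaces
  // inside the value, so a name cannot add or override a parameter.
  pairs.push('item=' + encodeURIComponent(itemName));
  return path + '?' + pairs.join('&') + fragment;
}

// Intended use inside showChildren (requires jQuery, so left as a comment):
//   $.get(buildChildrenUrl(url, strItemName), function (data) { ... }, 'html');
```

The same function handles the path-style URLs (index.php/rbam/...) that appear later in this thread, because it only touches the query string.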


(Chris) #5

V1.1 released and a demo site is now available at http://rbam.pbm-webdev.co.uk/index.php

@br0sk

I have made some changes to fix the issue you found - many thanks for reporting it. Please let me know if it works OK for you now.

@mjkulet

RBAM does not come with sample data - your application is the sample data in terms of its modules, controllers, and their actions.

There is now a demo site at http://rbam.pbm-webdev.co.uk/index.php

@mdomba

Thanks for the link, though there is one already in the topic. Do not understand your comments about the resources. I have changed it to include a link to a demo site and the manual, but from text about the manual, not any links to non-existent resources. Perhaps some confusion with another extension?


(Maurizio Domba Cerin) #6

Didn’t note the link in the post, sorry… the demo link is now OK


(John Eskilsson) #7

Works like a dream now!

Thanks for fixing it.

This is quite a big and complex extension, maybe you should set up a Google Code repository for it?

I will do some more testing later on, I will let you know if I find any more problems.


(John Eskilsson) #8

I think I found another issue.

As soon as I add more than one role to a user I get an error message when trying to click the icon for "View roles assigned to this user" on the page http://www.johnspage.com/rbam_test/index.php?r=rbam/authAssignments/index.

The error message is:

"Error 324 (net::ERR_EMPTY_RESPONSE): Unknown error.","heading":"This webpage is not available"

If I remove one of the AuthAssignments directly from the database I can click the link and it works again.

I was able to reproduce the problem in your demo too http://rbam.pbm-webdev.co.uk/index.php?r=rbam/authAssignments/userRoles&uid=1 .


(Chris) #9

Thanks for this. Not sure what is happening here but will investigate (it of course all works just fine on my local test system :rolleyes: )


(John Eskilsson) #10

Let me know if you need any help testing or debugging this problem. It looked very odd to me too. I didn’t really see a reason for why it would return an empty page.


(Chris) #11

It seems the use of array_walk() to attach a behavior to the assignments is causing the problem. I have changed the demo to use a foreach loop and it now works OK - would be great if you can confirm.

I need to go out now, so (assuming the demo works OK for you) I’ll upload a fixed version this evening (UK time).


(John Eskilsson) #12

The demo works fine now. I added a new role and assigned to user test1. I had no problems viewing the roles for this user now.

I think you must have added some debug information to this page http://rbam.pbm-webdev.co.uk/index.php?r=rbam/authAssignments/assign&uid=2 .

It looks like this.

    0
    RbamAuthItemBehavior
    1
    RbamAuthItemBehavior
    2
    RbamAuthItemBehavior
    3
    RbamAuthItemBehavior
    4
    RbamAuthItemBehavior
    5
    RbamAuthItemBehavior

Don’t forget to remove that before releasing the code tonight.

Let me know when you have uploaded the new code and I will test it in my local environment to see that it works.

Thanks


(Chris) #13

V1.2 is released.

  • Fixed issue with multiple assignments to a user (only seen on some servers)

  • Added validation to biz rule to ensure it is a valid PHP "return" statement

  • Changed initialisation to always add RBAM and default roles if not present. This allows RBAM to be easily added to existing RBAC authorisation data

  • Added count of users with permission for an item to Auth Item Overview and Auth Item relationship tabs

There is also now a downloadable demo with some pre-installed authorisation data.


(John Eskilsson) #14

Looks good. Multiple assignments are now working in my local environment.

I think you need to remove line 213 in AuthAssignmentsController.php.

It includes a call to debugbreak(). You probably only have that method locally.

I get this error message if I don’t remove it:

Fatal error: Call to undefined function debugbreak() in /media/win_ws/johns_page/trunk/rbam_test/protected/modules/rbam/controllers/AuthAssignmentsController.php on line 21


(Chris) #15

Thanks for spotting


(Mjkulet) #16

I am encountering this error:


PHP Error

Description

Parameter 1 to array_multisort() expected to be a reference, value given

Source File

/home/dataline/YiiRoot/framework/web/CArrayDataProvider.php(122)

    00110:         if(empty($directions))
    00111:             return;
    00112:         $args=array();
    00113:         foreach($directions as $name=>$descending)
    00114:         {
    00115:             $column=array();
    00116:             foreach($this->rawData as $index=>$data)
    00117:                 $column[$index]=is_object($data) ? $data->$name : $data[$name];
    00118:             $args[]=$column;
    00119:             $args[]=$descending ? SORT_DESC : SORT_ASC;
    00120:         }
    00121:         $args[]=&$this->rawData;
    00122: call_user_func_array('array_multisort', $args);
    00123:     }
    00124: 
    00125:     /**
    00126:      * Converts the "ORDER BY" clause into an array representing the sorting directions.
    00127:      * @param string the "ORDER BY" clause.
    00128:      * @return array the sorting directions (field name => whether it is descending sort)
    00129:      */
    00130:     protected function getSortDirections($order)
    00131:     {
    00132:         $segs=explode(',',$order);
    00133:         $directions=array();
    00134:         foreach($segs as $seg)

Stack Trace

    #0 /home/dataline/YiiRoot/framework/web/CArrayDataProvider.php(122): call_user_func_array()
    #1 /home/dataline/YiiRoot/framework/web/CArrayDataProvider.php(70): ApArrayDataProvider->sortData()
    #2 /home/testings/tet/protected/modules/rbam/extensions/alphapager/ApArrayDataProvider.php(47): ApArrayDataProvider->fetchData()
    #3 /home/dataline/YiiRoot/framework/web/CDataProvider.php(122): ApArrayDataProvider->fetchData()
    #4 /home/dataline/YiiRoot/framework/zii/widgets/CBaseListView.php(105): ApArrayDataProvider->getData()
    #5 /home/dataline/YiiRoot/framework/zii/widgets/grid/CGridView.php(220): ApGridView->init()
    #6 /home/testings/tet/protected/modules/rbam/extensions/alphapager/ApGridView.php(57): ApGridView->init()
    #7 /home/dataline/YiiRoot/framework/web/CBaseController.php(140): ApGridView->init()
    #8 /home/dataline/YiiRoot/framework/web/CBaseController.php(165): AuthItemsController->createWidget()
    #9 /home/testings/tet/protected/modules/rbam/views/authItems/_indexTab.php(93): AuthItemsController->widget()
    #10 /home/dataline/YiiRoot/framework/web/CBaseController.php(119): require()
    #11 /home/dataline/YiiRoot/framework/web/CBaseController.php(88): AuthItemsController->renderInternal()
    #12 /home/dataline/YiiRoot/framework/web/CController.php(798): AuthItemsController->renderFile()
    #13 /home/testings/tet/protected/modules/rbam/views/authItems/generate.php(41): AuthItemsController->renderPartial()
    #14 /home/dataline/YiiRoot/framework/web/CBaseController.php(119): require()
    #15 /home/dataline/YiiRoot/framework/web/CBaseController.php(88): AuthItemsController->renderInternal()
    #16 /home/dataline/YiiRoot/framework/web/CController.php(798): AuthItemsController->renderFile()
    #17 /home/dataline/YiiRoot/framework/web/CController.php(739): AuthItemsController->renderPartial()
    #18 /home/testings/tet/protected/modules/rbam/controllers/AuthItemsController.php(431): AuthItemsController->render()
    #19 /home/dataline/YiiRoot/framework/web/actions/CInlineAction.php(50): AuthItemsController->actionGenerate()
    #20 /home/dataline/YiiRoot/framework/web/CController.php(300): CInlineAction->run()
    #21 /home/dataline/YiiRoot/framework/web/filters/CFilterChain.php(133): AuthItemsController->runAction()
    #22 /home/dataline/YiiRoot/framework/web/filters/CFilter.php(41): CFilterChain->run()
    #23 /home/dataline/YiiRoot/framework/web/CController.php(1049): CAccessControlFilter->filter()
    #24 /home/dataline/YiiRoot/framework/web/filters/CInlineFilter.php(59): AuthItemsController->filterAccessControl()
    #25 /home/dataline/YiiRoot/framework/web/filters/CFilterChain.php(130): CInlineFilter->filter()
    #26 /home/dataline/YiiRoot/framework/web/CController.php(283): CFilterChain->run()
    #27 /home/dataline/YiiRoot/framework/web/CController.php(257): AuthItemsController->runActionWithFilters()
    #28 /home/dataline/YiiRoot/framework/web/CWebApplication.php(324): AuthItemsController->run()
    #29 /home/dataline/YiiRoot/framework/web/CWebApplication.php(121): CWebApplication->runController()
    #30 /home/dataline/YiiRoot/framework/base/CApplication.php(135): CWebApplication->processRequest()
    #31 /home/testings/tet/index.php(13): CWebApplication->run()




This happens when I am directed to http://localhost/mysite/index.php/rbam/authItems/generate.

How can I solve this?


(Chris) #17

Not sure. Because the error is coming from CArrayDataProvider, which in turn is called from ApArrayDataProvider, my guess is this is a bug in one of those.

I seem to recall that there are some differences between PHP 5.2 and 5.3 regarding array_multisort(). Please confirm which version of PHP you are using.

Also, do you see the error on other pages, for example the Auth Items overview page? The reason for asking is that the ApGridView and ApArrayDataProvider classes are used extensively in RBAM, so I would expect the same error to show itself on many pages (most in fact).

Final question, how many and what authorisation items already exist in your system when you try to generate more?


(Chris) #18

V1.3 released

This improves I18n and data validation error handling in the JUI dialogs.


(Gwydion04) #19

If I set in main.php of the demo application…

    'authManager'=>array(
        'class'=>'CDbAuthManager',
    ),

then I get an error that the table "AuthItem" does not exist.

Could you please make the install routine database independent, like in "Rights"?

The german translation isn’t great. Do you need help?


(Jacob Moen) #20

Volkmar:

Do take a look at the extension page.