rights module - business rule

How do I write a business rule for the Yii rights module?


Hi Rajith,

There are 2 scenarios where we want to define biz rule.

  1. Defining the actual checking method for "default" roles.

// protected/config/main.php
	'authManager' => array(
		'class' => 'RDbAuthManager',			// yii-rights
		'defaultRoles' => array('Guest', 'Authenticated'),
		'itemTable' => 'auth_item',
		'itemChildTable' => 'auth_item_child',
		'assignmentTable' => 'auth_assignment',
		'rightsTable' => 'rights',
	),


In the above, ‘Guest’ and ‘Authenticated’ are the default roles.

It means that every user is assumed to have the ‘Guest’ role and the ‘Authenticated’ role.

It’s OK with ‘Guest’, because every user should have the rights of a guest.

But we have to define biz rule for ‘Authenticated’ role in order to check if the user is really logged in as a registered user.

So we set the biz rule for ‘Authenticated’ like the following:

return !Yii::app()->user->isGuest;

In this way we can spare ourselves some administrative work. Otherwise we would have to explicitly assign the ‘Authenticated’ role to every registered user using the yii-rights assignment page.

  2. Defining the checking method for the right to execute a specific operation

For example, we want to grant a user the right to update and/or delete his/her own post.

In such a case, we use biz rule with parameters.

// biz rule for 'PostOwner' role
return Yii::app()->user->id == $params['owner_id'];

// usage
$params['owner_id'] = $post->created_by;

if (Yii::app()->user->checkAccess('PostOwner', $params) || Yii::app()->user->checkAccess('Admin')) {
    // the current user owns the post, or is an admin: allow update/delete
}




Note: As far as I understand, we cannot expect this kind of access checking (I mean, roles with a biz rule using parameters) to work as a preliminary controller filter.

And if we don’t want either of the above for a role, we can leave the biz rule empty. It won’t do any harm. There should not be so many roles that require a biz rule, I think. :)
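The parameterized rule above is plain PHP source: yii-rights stores it in the auth_item table and CAuthManager::executeBizRule() runs it through eval() with $params (and $data) in scope. The script below is an added stand-alone example, not code from the original post or from yii-rights. It mirrors that evaluation with minimal stubs so it runs with plain `php` and no Yii install: the classes WebUser and App, the stub Yii::app(), the function executeBizRule() and the four scenarios are all constructed for illustration and only expose the ->user->id and ->user->isGuest members the rules use. It shows why the loose `==` rule from this thread grants access to an anonymous visitor (whose id is null, as in CWebUser) when the caller forgets to pass owner_id or passes 0, and a stricter form of the same rule that does not:

```php
<?php
// Stand-alone simulation of how yii-rights evaluates a business rule.
// NOT framework code: WebUser, App and Yii::app() below are minimal stubs so the
// script runs without a Yii installation. Only the members the rules use exist.

class WebUser
{
    public $id;        // null for an anonymous visitor, as in CWebUser
    public $isGuest;
    public function __construct($id, $isGuest) { $this->id = $id; $this->isGuest = $isGuest; }
}

class App
{
    public $user;
    public function __construct(WebUser $user) { $this->user = $user; }
}

class Yii
{
    public static $current;
    public static function app() { return self::$current; }
}

// Mirrors CAuthManager::executeBizRule(): the rule is PHP source evaluated with
// $params and $data in scope; an empty rule always passes; a non-zero result grants.
function executeBizRule($bizRule, array $params, $data = null)
{
    if ($bizRule === '' || $bizRule === null) {
        return true;
    }
    return @eval($bizRule) != 0;
}

// The rule as written in the thread, and a hardened variant (added here).
$looseRule  = 'return Yii::app()->user->id == $params["owner_id"];';
$strictRule = 'return !Yii::app()->user->isGuest'
            . ' && isset($params["owner_id"])'
            . ' && (int)Yii::app()->user->id === (int)$params["owner_id"];';

// Constructed scenarios: description, current user, $params, what a correct rule must return.
$cases = array(
    array('owner checks own post',         new WebUser(7, false),   array('owner_id' => 7), true),
    array('other user checks post',        new WebUser(8, false),   array('owner_id' => 7), false),
    array('guest, caller forgot owner_id', new WebUser(null, true), array(),                 false),
    array('guest, owner_id is 0',          new WebUser(null, true), array('owner_id' => 0), false),
);

foreach (array('loose' => $looseRule, 'strict' => $strictRule) as $name => $rule) {
    echo "== $name rule ==\n";
    foreach ($cases as $c) {
        list($desc, $user, $params, $expected) = $c;
        Yii::$current = new App($user);
        $granted = executeBizRule($rule, $params);
        printf("%-32s granted=%-5s expected=%-5s %s\n",
               $desc, var_export($granted, true), var_export($expected, true),
               $granted === $expected ? 'ok' : 'WRONG');
    }
}
```

Run it with `php bizrule_demo.php` (any file name): the loose rule reports WRONG on both guest cases, because a missing index yields null and in PHP `null == null` and `null == 0` are both true, while the strict rule passes all four. Two things follow for anyone using the thread's pattern: guard the rule with !isGuest and isset($params[...]) and compare with === after casting, and remember that a business rule is arbitrary PHP executed by the application, so whoever can edit rules in the rights UI has code execution; restrict that UI as tightly as the database it writes to.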

OK… thank you very much…

I am now creating a school management application, so I need to give access to parents. So I created a user ‘Role’ in rights and gave permission to see the students view etc. … so he can see the views of all students. I just want to allow a parent to see their own children only…

Can I write a biz rule to check something like if($students->parent_id == Yii::app()->user->id), then the parent can view…

This is my requirement.

Is it possible or not? Or do I need to check this manually on each view page?

Well, you can pass anything you want using an array of name-value pairs.

And in the business rule you can access their values using the syntax ‘$params[name]’.


// biz rule for 'ViewOwnChildren' role (or task)
return Yii::app()->user->id == $params['parent_id'] && !$params['protected'];

// usage
$params = array(
    'parent_id' => $child->parent_id,
    'protected' => $child->protected,
);

if (Yii::app()->user->checkAccess('ViewOwnChildren', $params) || Yii::app()->user->checkAccess('Teacher')) {
    $this->render('view', array('model'=>$child));
} else {
    // ... error / exception, e.g.:
    throw new CHttpException(403, 'You are not allowed to view this student.');
}


The trouble is, we cannot use this kind of business-ruled access checking in the controller pre-filter, because we can’t pass those parameters at the moment when the pre-filter runs.

In short, it seems that we have to check access manually in the controller action. :(

There might be a smart solution, I hope. But I’m not sure for the moment.

There’s a similar thread going on now. Come and join there.


Thank you very much softark… :)

/* Moved from General Discussion to Extensions */

I’m using the yii-rights extension and have installed it. When I go to create a new task, there is a text field called Business rule.

My question is: what things can I enter in that text field?

Hi chamara, welcome to the forum.

Please read post #3 of this thread. And I think you can leave it empty if you don’t want to do something specific.

But I’d rather encourage you to read the “Authentication and Authorization” section of the official guide before you try to use yii-rights.


Thanks a lot for your reply…

Hi, I have a question on this.

I’ve registered an operation called “EditProfile” that allows access to the update/delete actions to every registered user with the business rule:

return Yii::app()->user->id == $params['owner_id'];

then in the controller/update:

            $params['owner_id'] = (int)$id;

            if (Yii::app()->user->checkAccess('EditProfile', $params)) {
                // my operations
            } else {
                echo "This is not your profile, loser!";
            }

But this works only if I define:

public function allowedActions() { return 'requestpassword, register, update'; }

Otherwise the access control blocks me before the if statement with $params gets executed. Is this correct, or do I have to place the $params stuff somewhere else?

Thanks in advance for any suggestion.

Hi teo_ne,

It is the expected behavior.

Sometimes we have to allow questionable access in the filter before we examine the exact right in the controller action.

I have done all this

but it’s still not working

My steps:

1. I want to make roles like: author and admin

so the author can edit his articles only

I have a model [Post]

2. I give a business rule like this, in the business rule field

My task name is: updateownPost

return Yii::app()->user->id == $params["owner_id"];

3. In the update action of the Post controller

I use this code

public function actionUpdate($id)
{
		echo "You are ok";
}

I also use this in the controller

public function allowedActions()
{
	return 'update';
}

But this is not what I want??

I need a solution with an example:

[note] In my ‘post’ table I use a relational ‘user_id’ to the ‘user’ table’s ‘id’.