Role Based Access Control Bizrule Gatekeepers

I’ve been looking at:

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control

And found this piece of code which I implemented:


$auth = Yii::app()->authManager; // not shown in the original snippet; 'reader', 'createPost' and 'updatePost' are assumed to have been created earlier with $auth->createOperation()

// Task whose business rule only passes when the current user is the post's author.
$bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
$task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
$task->addChild('updatePost'); // the privileged operation sits below the gate

$role = $auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost'); // authors only reach updatePost through the gate

$role = $auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost'); // editors reach updatePost with no business rule on the path

The most interesting part of this code is adding the highly privileged "updatePost" as a child of the business rule based "updateOwnPost". I ASSUME that this is supposed to gate keep and not allow that child unless the biz rule passes.

I ASSUME this is so you don’t have to replicate the “own” code in PHP or write something annoying like:


if (Yii::app()->user->checkAccess('updatePost') || Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post))) { /* allow the update */ }

Which would sort of deny the "trick" of having updatePost as a child of the business rule.

So how is this intended to be used in real code?

Steve
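To see why the hierarchy in the question is not backwards, here is an added stand-alone PHP model of the upward walk that a Yii 1.1 style checkAccess performs. It is not code from the post or from Yii: the item table, the role assignments and the post are constructed sample data, and the business rules are PHP closures rather than the eval'd strings Yii stores, so the file runs with plain `php`.

```php
<?php
// Added illustration (not code from the forum post or from Yii): a minimal
// model of a Yii-1.1-style auth hierarchy walk, showing why checking the leaf
// operation "updatePost" passes through the business rule on the intermediate
// task "updateOwnPost".
//
// Assumptions, for clarity: bizrules are closures instead of eval'd strings,
// and items live in arrays instead of the AuthItem/AuthItemChild tables.

// Constructed item table: each item lists its parents and an optional bizrule.
$items = array(
    'reader'        => array('parents' => array('author', 'editor'),        'bizRule' => null),
    'createPost'    => array('parents' => array('author'),                  'bizRule' => null),
    'updatePost'    => array('parents' => array('updateOwnPost', 'editor'), 'bizRule' => null),
    'updateOwnPost' => array(
        'parents' => array('author'),
        // The gate: true only when the post belongs to the current user.
        'bizRule' => function (array $params) {
            return isset($params['post'], $params['userId'])
                && (int) $params['post']->authID === (int) $params['userId'];
        },
    ),
    'author'        => array('parents' => array(), 'bizRule' => null),
    'editor'        => array('parents' => array(), 'bizRule' => null),
);

// Constructed role assignments: user id => assigned items.
$assignments = array(
    1 => array('author'),
    2 => array('editor'),
    3 => array('author'),
);

/**
 * Walk from the requested item up towards an item assigned to the user.
 * Every item on the path must have a passing bizrule (or none); a failing
 * bizrule closes that path, so a privileged leaf is only reachable through a
 * gate that passes or through a role that needs no gate.
 */
function checkAccess(array $items, array $assignments, $itemName, $userId, array $params)
{
    if (!isset($items[$itemName])) {
        return false; // unknown item: deny by default
    }
    $item = $items[$itemName];
    $params['userId'] = $userId; // stand-in for Yii::app()->user->id

    if ($item['bizRule'] !== null && !call_user_func($item['bizRule'], $params)) {
        return false; // the gate on this path is closed
    }
    if (isset($assignments[$userId]) && in_array($itemName, $assignments[$userId], true)) {
        return true; // reached an item directly assigned to the user
    }
    foreach ($item['parents'] as $parent) {
        if (checkAccess($items, $assignments, $parent, $userId, $params)) {
            return true;
        }
    }
    return false;
}

// Constructed post owned by user 1.
$post = new stdClass();
$post->authID = 1;

// Author 1 owns the post: the path updatePost -> updateOwnPost -> author is open.
var_dump(checkAccess($items, $assignments, 'updatePost', 1, array('post' => $post)));
// Author 3 does not own it: the bizrule closes that path and no other path exists.
var_dump(checkAccess($items, $assignments, 'updatePost', 3, array('post' => $post)));
// Editor 2 reaches updatePost through the editor role with no bizrule on the path.
var_dump(checkAccess($items, $assignments, 'updatePost', 2, array('post' => $post)));
// Forgetting to pass the post: the bizrule sees no params and denies the author.
var_dump(checkAccess($items, $assignments, 'updatePost', 1, array()));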

Does this comment further down that page help?

Intuitively it looks backwards to me; I would have made updateOwnPost a child of updatePost. Maybe someone else can explain the reasoning better.