I’ve been looking at:
http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control
And found this piece of code which I implemented:
$auth = Yii::app()->authManager;  // assumed, as in the guide: the configured CAuthManager component

// The business rule is PHP source that the auth manager eval()s at check time;
// $params is the array handed to checkAccess(), so the caller must supply 'post'.
$bizRule = 'return Yii::app()->user->id==$params["post"]->authID;';
$task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);
$task->addChild('updatePost');    // the operation is reachable only through this rule-gated task

$role = $auth->createRole('author');
$role->addChild('reader');        // 'reader' and the operations are created earlier in the guide
$role->addChild('createPost');
$role->addChild('updateOwnPost'); // an author reaches updatePost only via the task

$role = $auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost');    // an editor gets updatePost directly, with no business rule
The most interesting part of this code is adding the highly privileged "updatePost" as a child of the business-rule-based "updateOwnPost". I ASSUME that this is supposed to gatekeep and not allow that child unless the biz rule passes.
I ASSUME this is so you don’t have to replicate the “own” code in PHP or write something annoying like:
if (Yii::app()->user->checkAccess('updatePost') || Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post)))
Which would sort of deny the "trick" of having updatePost as a child of the business rule.
So how is this intended to be used in real code?
Steve
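How the hierarchy above is meant to be driven from application code, as an added example that is not part of the original post or of the Yii guide. It assumes Yii 1.1 with an authManager component configured, the operations createPost/readPost/updatePost and the reader role created as in the guide, users already assigned to author or editor, and a hypothetical Post active record with an integer authID column; PostController and loadPost are hypothetical names as well.

```php
<?php
// Added example (not from the original post or the Yii project).
// Assumptions: Yii 1.1, authManager configured, the hierarchy from the post
// already built, a hypothetical Post model with an authID column.
class PostController extends CController
{
    public function actionUpdate($id)
    {
        $post = $this->loadPost($id);

        // Check the low-level operation, not the role or the task, and pass the
        // object the business rule needs. The auth manager walks upward from
        // 'updatePost': via 'updateOwnPost' (bizRule eval()ed with $params) to
        // 'author', or via 'editor' (no rule). An editor therefore passes without
        // owning the post; an author passes only when the rule returns true for
        // this particular $post.
        if (!Yii::app()->user->checkAccess('updatePost', array('post' => $post))) {
            throw new CHttpException(403, 'You are not allowed to update this post.');
        }

        if (isset($_POST['Post'])) {
            $post->attributes = $_POST['Post'];
            if ($post->save()) {
                $this->redirect(array('view', 'id' => $post->id));
            }
        }
        $this->render('update', array('post' => $post));
    }

    // Hypothetical helper: answer 404 here rather than letting a null reach
    // the business rule, where $params["post"]->authID would be evaluated
    // on a non-object.
    protected function loadPost($id)
    {
        $post = Post::model()->findByPk((int) $id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        return $post;
    }
}
```

Two caveats worth keeping in mind with this pattern. The business rule is stored PHP that the auth manager runs through eval(), so it must only ever come from the application's own setup code, never from anything user-controlled. And because the guide's rule reads Yii::app()->user->id rather than the $userId passed into the manager, it only makes sense when checking the currently logged-in user through Yii::app()->user->checkAccess(); calling Yii::app()->authManager->checkAccess() for some other user id would still compare the post's author against the logged-in user.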