Role Based Access Control Bizrule Gatekeepers

I’ve been looking at:

And found this piece of code which I implemented:

$bizRule='return Yii::app()->user->id==$params["post"]->authID;';

$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);

The most interesting part of this code is adding the highly privileged "updatePost" as a child of the business rule based "updateOwnPost". I ASSUME that this is supposed to gatekeep and not allow that child unless the biz rule passes.

I ASSUME this is so you don’t have to replicate the “own” code in PHP or write something annoying like:

if (Yii::app()->user->checkAccess('updatePost') || Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post)))

Which would sort of deny the "trick" of having updatePost as a child of the business rule.

So how is this intended to be used in real code?
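The hierarchy the question describes, wired up end to end as an added example (not code from the original post or from the Yii guide). It assumes Yii 1.1 with Yii::app()->authManager configured, a Post model with an authID column, and placeholder user ids.

```php
<?php
// Added example: the "updateOwnPost gates updatePost" hierarchy from the
// question, plus the controller-side check that makes the gate do its work.
// Assumes Yii::app()->authManager (CDbAuthManager) and a Post model with authID.
$auth = Yii::app()->authManager;

// Operations are the leaves: the actual privileged actions.
$auth->createOperation('updatePost', 'update a post');

// A bizrule is PHP source that checkAccess() eval()s with $params in scope.
// Treat it as code: only administrators define bizrules, never user input.
$bizRule = 'return Yii::app()->user->id == $params["post"]->authID;';
$task = $auth->createTask('updateOwnPost', 'update a post by author himself', $bizRule);

// The gate: updatePost is reachable through updateOwnPost only when the
// bizrule of updateOwnPost evaluates to true.
$task->addChild('updatePost');

$author = $auth->createRole('author');
$author->addChild('updateOwnPost');   // authors reach updatePost only via the gated task

$editor = $auth->createRole('editor');
$editor->addChild('updatePost');      // editors reach updatePost with no bizrule on the path

$auth->assign('author', 'AUTHOR_USER_ID_PLACEHOLDER');
$auth->assign('editor', 'EDITOR_USER_ID_PLACEHOLDER');

// Controller side: always check the leaf operation and always pass the post.
// checkAccess() starts at updatePost and walks up to its parents; when the
// walk reaches updateOwnPost the bizrule runs with $params['post'] set, so an
// author is granted only for posts whose authID matches their own id.
// Omitting the 'post' param makes the bizrule fail, so the gated path denies.
function canUpdate(Post $post)
{
    return Yii::app()->user->checkAccess('updatePost', array('post' => $post));
}

// Outcomes for canUpdate($post):
//   author, own post      -> true  (author -> updateOwnPost [bizrule true] -> updatePost)
//   author, other's post  -> false (the only path is gated and the bizrule fails)
//   editor, any post      -> true  (editor -> updatePost, no bizrule on the path)
```

Because the walk is from the operation upward, every parent whose bizrule passes is a separate grant path, which is why one unconditional role-to-operation edge (editor) is enough to bypass the gate for that role while authors stay restricted.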


Does this comment further down that page help?

Intuitively it looks backwards to me; I would have made updateOwnPost a child of updatePost. Maybe someone else can explain the reasoning better.