Role Based Access

In my users table I have a "type" field - this can be set to either "Admin" or "User".

I needed a way of assigning permissions depending on the type of user. So I read up on this http://www.yiiframework.com/doc/guide/topics.auth#role-based-access-control

At the bottom where the comments are there are sample solutions on how to achieve this. Following this I created the following code:

UserIdentity.php:

$record=User::model()->findByAttributes(array('email'=>$this->username));
/* authentication code */
$this->setState('role', $record->type);

MyController.php:

array('allow', //allow only Admin users to create/delete records
	'actions'=>array('create', 'delete'),
	// a PHP expression string: evaluated only when this rule is checked, not when the rule array is built
	'expression'=>'Yii::app()->user->role=="Admin"',
),

This works OK, however when I access the page after a long period of inactivity, I get the following error message:

Property "CWebUser.role" is not defined.

I think this may be to do with the session data expiring. How can I fix this / is there a better way of doing this?

Anyone able to help?

What’s strange is that I get this error upon calling url: index.php?r=admin/admin (view: admin, action: admin)

But the access rule I posted above is only applicable for ‘create’ and ‘delete’ actions.

hi

use Yii::app()->user->getState('role')

I did a test on my site and it worked

but with Yii::app()->user->role I get the same error as you

Thanks Horacio

Is there any way I can store the "role" variable somewhere else other than the session? Something like this maybe:

private $_role;

public function authenticate()
{
    $record=User::model()->findByAttributes(array('email'=>$this->username));
    /* authentication code */
    $this->_role=$record->type;
}

It didn’t work for me though.

What do you want to do?

But perhaps this is what you want http://www.yiiframework.com/doc/api/1.0.11/CWebUser#setFlash-detail

What I mean is this:

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $record=User::model()->findByAttributes(array('email'=>$this->username));
        /* authentication code */
        $this->_id=$record->id;
        return !$this->errorCode; // true when the authentication code above set no error
    }

    public function getId()
    {
        return $this->_id;
    }
}

So in the above code, the id is not stored in the session and I can access it by Yii::app()->user->id

Can I do something similar to store the ‘role’ as a variable, but not in the session?

maybe something like?
class UserIdentity extends CUserIdentity
{
    private $_id;
    private $_role;

    public function authenticate()
    {
        $record=User::model()->findByAttributes(array('email'=>$this->username));
        /* authentication code */
        $this->_id=$record->id;
        $this->_role=$record->type; // the "type" column of your users table
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }

    public function getRole()
    {
        return $this->_role;
    }
}

I actually tried that yesterday but it did not seem to work. Have you tested it?

sorry, not tested

see http://www.yiiframework.com/doc/api/1.0.11/CWebUser, It may help you

I think you should use getState and setState

or better, explain what you need or want to make

or wait for another member to help you :(

good luck!!

setState still uses session data (not very secure)

someone could easily modify the session to set their role to Admin!

hey, Look what I found!

http://www.yiiframework.com/doc/cookbook/60/

That’s brilliant! Thanks!

By the way, regarding your earlier message:

Do you have any idea why Yii::app()->user->role didn’t work? I’m using version 1.0.10. Could there be a config issue somewhere, my colleague says it should have worked…

maybe

because user is an instance of CWebUser and role is not defined in the class

that is why you should extend CWebUser and define role (and set and get)
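The following is an added example of the approach described in this reply, not code from the thread or from the Yii project: a CWebUser subclass that exposes a role property by looking the user up in the database on each request, so nothing authorization-relevant is kept in session state and a role change in the users table takes effect on the next request. It assumes the Yii 1.0 API, the "User" model with its "type" column from the thread, and that UserIdentity::getId() returns the users table primary key (as in the code posted above); the class name WebUser is my choice.

```php
<?php
// Added example (not from the thread). Save as protected/components/WebUser.php
// and register it in protected/config/main.php:
//   'components'=>array('user'=>array('class'=>'WebUser')),
class WebUser extends CWebUser
{
    private $_model; // User record cached for the duration of this request

    /**
     * Role of the current user ('Admin' or 'User'), or null for guests.
     * Resolved from the database rather than from session state, so it can
     * never be "not defined" after the session expires: an expired session
     * simply makes the user a guest and getRole() returns null.
     * Available as Yii::app()->user->role through CComponent's getter magic.
     */
    public function getRole()
    {
        $user = $this->loadUser();
        return $user === null ? null : $user->type;
    }

    // Convenience check used by views and access rules.
    public function getIsAdmin()
    {
        return $this->getRole() === 'Admin';
    }

    // $this->id is the value UserIdentity::getId() returned at login time
    // (the users table primary key in the thread's UserIdentity).
    private function loadUser()
    {
        if ($this->_model === null && !$this->isGuest)
            $this->_model = User::model()->findByPk($this->id);
        return $this->_model;
    }
}
```

With this in place the access rule can read 'expression'=>'Yii::app()->user->role=="Admin"' and the view can use Yii::app()->user->isAdmin; the one database read per request is the price of keeping the role check authoritative.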

Thanks Horacio,

How/where can I specify a default user login expiry period? I want login to expire after 6 hours of inactivity; user gets redirected to login page.

Also I noticed the login form is always available, even when a user is logged in.

see

http://www.yiiframework.com/doc/guide/topics.auth#login-and-logout

// second argument: seconds the cookie-based login stays valid (needs allowAutoLogin)
Yii::app()->user->login($identity,3600*6);

Do you want to hide the menu?

use "visible"=>Yii::app()->user->isGuest

Do you want to deny access to the login action?

see http://www.yiiframework.com/doc/guide/topics.auth#access-control-filter

maybe like this

public function accessRules()
{
    return array(
        // ... other rules ...
        array('deny',
            'actions'=>array('login'),
            'users'=>array('@'), // '@' matches authenticated users
        ),
        // ... other rules ...
    );
}


No I mean when a user is logged in, if they navigate to /index.php?r=site/login the login form is displayed, even though they are still logged in! I think it should redirect user to the home page or something.

put in the action login
// already logged in: send the user to the home page instead of showing the form
if (!Yii::app()->user->isGuest) $this->redirect(Yii::app()->homeUrl);
// ... existing login handling ...
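As an added example that ties the last few replies together (this is my code, not the thread's or Yii's), here is a controller that denies the login action to already-authenticated users, restricts create/delete to the Admin role through a string expression, ends with a default deny, and logs in with a 6-hour duration. It assumes Yii 1.0, a user component exposing a role property (such as a CWebUser subclass as discussed above), the thread's UserIdentity, and a LoginForm model with username and password attributes like the one in the Yii skeleton application; the controller and action names are placeholders.

```php
<?php
// Added example (not from the thread): protected/controllers/AdminController.php
class AdminController extends CController
{
    public function filters()
    {
        return array('accessControl'); // evaluate accessRules() before every action
    }

    public function accessRules()
    {
        // Rules are matched top to bottom; the first matching rule decides.
        return array(
            // Authenticated users have no business on the login form.
            array('deny',
                'actions'=>array('login'),
                'users'=>array('@'),
            ),
            // Only the Admin role may create or delete. As a string the
            // expression is evaluated per request when this rule is reached,
            // not when the rule array is built.
            array('allow',
                'actions'=>array('create', 'delete'),
                'expression'=>'Yii::app()->user->role==="Admin"',
            ),
            // Any authenticated user may read.
            array('allow',
                'actions'=>array('index', 'view'),
                'users'=>array('@'),
            ),
            // Default deny for everything and everyone else, guests included.
            array('deny',
                'users'=>array('*'),
            ),
        );
    }

    public function actionLogin()
    {
        // Belt and braces: even without the deny rule above, never show the
        // form to a logged-in user. redirect() terminates the request.
        if (!Yii::app()->user->isGuest)
            $this->redirect(Yii::app()->homeUrl);

        $model = new LoginForm; // assumed model with username/password + validate()
        if (isset($_POST['LoginForm'])) {
            $model->attributes = $_POST['LoginForm'];
            if ($model->validate()) {
                $identity = new UserIdentity($model->username, $model->password);
                if ($identity->authenticate()) {
                    // Cookie-based login kept for 6 hours (needs allowAutoLogin);
                    // the session's own inactivity timeout is configured on the
                    // session component, not here.
                    Yii::app()->user->login($identity, 3600 * 6);
                    $this->redirect(Yii::app()->user->returnUrl);
                }
                $model->addError('password', 'Incorrect username or password.');
            }
        }
        $this->render('login', array('model'=>$model));
    }
}
```

Two things worth checking in a real deployment: the closing deny-all rule, because without it any action not named in an earlier rule is allowed, and that the role read inside the expression comes from a source that cannot be stale or undefined after the session has expired.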