Roles And Rbac

sandinosaso · May 1, 2014, 9:26pm

I have tried to allow only admin Role to have access to adminAction

in the demo PostController via accessRules but without success

This way does not works:


public function accessRules()

	{

		return array(

			array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index,view'),

				'users'=>array('*'),

			),

			array('allow',

                              'actions'=>array('admin'),

                              'roles'=>array('admin'),

                        ),            

			array('allow', // allow authenticated users to access all actions

				'users'=>array('@'),

			),

			array('deny',  // deny all users

				'users'=>array('*'),

			),

		);

	}

This way it works:


	public function actionAdmin()

	{

		$auth=Yii::app()->authManager;

		

		$model=new Post('search');

		if(isset($_GET['Post']))

			$model->attributes=$_GET['Post'];

		

		if($auth->checkAccess('admin',Yii::app()->user->name))

			$this->render('admin',array(

				'model'=>$model,

			));

		else throw new CHttpException(403, 'You are not authorized to perform this action');

	}

Anyone can help me with this?

nawincoimbatore · May 2, 2014, 5:25am

sandinosaso:

I have tried to allow only admin Role to have access to adminAction

in the demo PostController via accessRules but without success

This way does not works:


public function accessRules()

	{

		return array(

			array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index,view'),

				'users'=>array('*'),

			),

			array('allow',

                              'actions'=>array('admin'),

                              'roles'=>array('admin'),

                        ),            

			array('allow', // allow authenticated users to access all actions

				'users'=>array('@'),

			),

			array('deny',  // deny all users

				'users'=>array('*'),

			),

		);

	}

This way it works:


	public function actionAdmin()

	{

		$auth=Yii::app()->authManager;

		

		$model=new Post('search');

		if(isset($_GET['Post']))

			$model->attributes=$_GET['Post'];

		

		if($auth->checkAccess('admin',Yii::app()->user->name))

			$this->render('admin',array(

				'model'=>$model,

			));

	else throw new CHttpException(403, 'You are not authorized to perform this action');


}

[/code]

Anyone can help me with this?

Hi san,

check the if(‘admin’,Yii::app()->user->name)…

instead of if(‘admin’,Yii::app()->user->isGuest)

rahif · May 3, 2014, 1:13pm


public function accessRules()

	{

		return array(

			array('allow', // allow authenticated users to access all actions

				'users'=>array('@'),

			),

		);

	}

With this you are allow to all authenticated users to do everything, the rol is not important here only if you are authenticated.

In this rule you have to put actions to be allowed, explicitly.

sandinosaso · May 3, 2014, 8:39pm

rahif:

public function accessRules()

	{

		return array(

			array('allow', // allow authenticated users to access all actions

				'users'=>array('@'),

			),

		);

	}
With this you are allow to all authenticated users to do everything, the rol is not important here only if you are authenticated.

In this rule you have to put actions to be allowed, explicitly.

Thank I tried what you suggested, I explicity put all action with a rule like this:




public function accessRules()

	{

		return array(

			array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index,view'),

				'users'=>array('*'),

			),

			array('allow',

                                'actions'=>array('admin'),

                                'roles'=>array('admin'),

                        ),            

			array('allow', // allow authenticated users to access all actions

				'actions'=>array('index,view,create,update,delete,SuggestTags'),

				'users'=>array('@'),

			),

			/*array('deny',  // deny all users

				'users'=>array('*'),

			),*/

		);

	}

But it does not work, an authenticated user still have access to actionAdmin().

I do not know what is wrong with this, thanks for your replies

Regards.

Sandino

sandinosaso · May 4, 2014, 5:56am

sandinosaso:

Thank I tried what you suggested, I explicity put all action with a rule like this:




public function accessRules()

	{

		return array(

			array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index,view'),

				'users'=>array('*'),

			),

			array('allow',

                                'actions'=>array('admin'),

                                'roles'=>array('admin'),

                        ),            

			array('allow', // allow authenticated users to access all actions

				'actions'=>array('index,view,create,update,delete,SuggestTags'),

				'users'=>array('@'),

			),

			/*array('deny',  // deny all users

				'users'=>array('*'),

			),*/

		);

	}

But it does not work, an authenticated user still have access to actionAdmin().

I do not know what is wrong with this, thanks for your replies

Regards.

Sandino

Putting roles with custom RBAC did not work as expected, however I was able to make the following:


	/**

	 * Specifies the access control rules.

	 * This method is used by the 'accessControl' filter.

	 * @return array access control rules

	 */

	public function accessRules()

	{

		return array(

			array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index','view'),

				'users'=>array('*'),

			),

		        array('allow',

                               'actions'=>array('admin'),

                               'expression'=>"Yii::app()->authManager->checkAccess('admin',Yii::app()->user->name)",

                               //'roles'=>array('admin'),

            ),            

			array('allow', // allow authenticated users to access all actions

				'actions'=>array('index','view','create','update','delete','SuggestTags'),

				'users'=>array('@'),

			),

			array('deny',  // deny all users

				'users'=>array('*'),

			),

		);

	}

Here I used an expression: ‘expression’=>“Yii::app()->authManager->checkAccess(‘admin’,Yii::app()->user->name)”,

This way I do not have to check in all action I want some Roles to be checked but it would be better to use roles instead because if I want 2 roles to have access I have to make an OR expression with seems horrible to me

rahif · May 4, 2014, 3:36pm




public function accessRules()

{

	return array(

		array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index','view'),

				'users'=>array('*'),

		),

		array('allow',

			   'actions'=>array('admin'),

			   'roles'=>array('admin'),

		),            

		array('allow', // allow authenticated users to access all actions

				'actions'=>array('index','view','create','update','delete','SuggestTags'),

				'users'=>array('@'),

		),

		array('deny',  // deny all users

				'users'=>array('*'),

		),

	);

}

This seems fine to me, i dont see any error here, should work

phtamas · May 4, 2014, 10:01pm

Try to assign roles to user ids instead of usernames.

IAuthManager::assign()

sandinosaso · May 5, 2014, 2:38am

Ok I will have that on mind, if you say it is better, I used username because in the table AuthAssignment I see userId to be a character containing the username.

That does not solve my problem right?

sandinosaso · May 5, 2014, 2:42am

rahif:




public function accessRules()

{

	return array(

		array('allow',  // allow all users to access 'index' and 'view' actions.

				'actions'=>array('index','view'),

				'users'=>array('*'),

		),

		array('allow',

			   'actions'=>array('admin'),

			   'roles'=>array('admin'),

		),            

		array('allow', // allow authenticated users to access all actions

				'actions'=>array('index','view','create','update','delete','SuggestTags'),

				'users'=>array('@'),

		),

		array('deny',  // deny all users

				'users'=>array('*'),

		),

	);

}

This seems fine to me, i dont see any error here, should work

I know it should but it does not work.




In table AuthItem I have defined a Role: admin	2		NULL	N;

In table AuthAssignment I have a user to that role: admin	adminD	NULL	N;

In table tbl_user that user exists: 5	adminD	$2a$10$JTJf6...	adminD@gmail.com	NULL

phtamas · May 5, 2014, 7:27am

Have you tried it?

Access control filter uses the id - and not the username - of the current user when checking for roles.

rahif · May 5, 2014, 6:18pm

phtamas has reason, you need the id of the user not the name.

In table AuthAssignment you need 1 row in this way:

(itemname,userid,bizrule,data) = (admin,5,null,null)

With this sould work.

And change the name by user_id when create authitem

sandinosaso · May 6, 2014, 12:29pm

Thanks you guys!!! you are awesome (phtamas and rahif) you did it work as expected, I really appreciate your help with this, I am newbie in yii (3 weeks coding) and this is really helpfull for me.

As you have said (itemname,userid,bizrule,data) = (admin,5,null,null) solves the problem seems yii check userId as you suggested, for now on I am gonna use IAuthManager::assign() for assign auth, I did it the way it says here http://www.yiiframework.com/doc/guide/1.1/es/topics.auth (I think the documentation is old).

So doing as it suggests is wrong right?:




$auth=Yii::app()->authManager;

$auth->assign('reader','readerA');

$auth->assign('author','authorB');

$auth->assign('editor','editorC');

$auth->assign('admin','adminD');

It is better to do (assuming the user id’s are ok):




$auth=Yii::app()->authManager;

$auth->assign('reader',2);

$auth->assign('author',3);

$auth->assign('editor',4);

$auth->assign('admin',5);

Again, I am really happy with your help, hope some day can help you back.

Regards.

Sandino