Route based access control

I am planning on creating a Role-based access control system for an application, based on application routes instead of authorisation items built into Yii’s RBAC.

I have only been using Yii for a short while, learning as much as I can about the framework (and it is awesome! :D ). I would appreciate any thoughts, suggestions or criticisms.

The idea is simple:

1) I want a component/module that can analyse an application for all its routes by looking at its controllers & actions. Permissions must be fluid/dynamic, as it will be reused across applications.

2) Then the routes are assigned to a role as permissions.

3) Whenever a controller action is accessed, the controller must check whether the current user has the right permission based on the route that is being accessed before it allows the action to run.

At the moment I think the best approach to this is as follows:

4 database tables will be required:

  1. A user table (obviously)

  2. A role table (id, name, description) - has many permissions

  3. A permission table (id, route, roleid) - belongs to role

  4. A role2user table (id, userid, roleid) - handles role assignments to users

When creating a role, I plan on using something like Jtreeview or EcheckboxTree to display the application routes with check boxes (together with a name and description field for the role). The Tree will receive its data from a component that analyses the application for its routes. A user would simply tick the desired permissions for a new role that is being created.

In the application controller, I plan to extend the beforeAction method to do a simple check by resolving and passing the requested route to a method in my User model, which checks whether the given user has the permission to access the route in question.

I know that Yii has a great native permission based access control system based on authorisation items, but I don’t need something that granular. 90% of the application I am building requires user authentication (Invoicing & client management system), so almost all the routes will need a permission based on user role.

The other consideration I have is that the role/permission interface (view) has to be really, really user friendly, as the people that will be using it are, uhmm, not exactly web-savvy, to put it lightly :P . The other RBAC extensions I played with are awesome, if you are a developer. Their user interfaces are too complex for the average Joe wanting to create a limited user role for his receptionist needing view-only to look at client info.

Any thoughts on a better approach would be much appreciated.
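The route check from step 3, run against the four tables listed in the post, as an added example that is not part of the original thread and is not Yii or Rights code. It is plain PHP using PDO with an in-memory SQLite database; the function names and sample rows are assumptions, and in a Yii controller the check would be called from beforeAction with the requested route and the current user id.

```php
<?php
// Added example. Table and column names follow the post; function names and
// sample rows are assumptions made for illustration.
function buildSchema(PDO $db): void
{
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec('CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT)');
    $db->exec('CREATE TABLE permission (id INTEGER PRIMARY KEY, route TEXT NOT NULL,
        roleid INTEGER NOT NULL REFERENCES role(id), UNIQUE (route, roleid))');
    $db->exec('CREATE TABLE role2user (id INTEGER PRIMARY KEY,
        userid INTEGER NOT NULL REFERENCES user(id),
        roleid INTEGER NOT NULL REFERENCES role(id), UNIQUE (userid, roleid))');
}

// Deny by default: true only when a role assigned to the user holds the route.
function userCanAccessRoute(PDO $db, ?int $userId, string $route): bool
{
    if ($userId === null) {
        return false; // guests hold no roles, so no route is granted
    }
    // PHP method names are case-insensitive, so compare routes in one case.
    // Routes are stored lowercased and without surrounding slashes.
    $route = strtolower(trim($route, '/'));
    $stmt = $db->prepare(
        'SELECT 1 FROM permission p
           JOIN role2user ru ON ru.roleid = p.roleid
          WHERE ru.userid = :uid AND p.route = :route LIMIT 1'
    );
    $stmt->execute([':uid' => $userId, ':route' => $route]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// Constructed sample data: a view-only role for a receptionist.
$db->exec("INSERT INTO user (id, username) VALUES (1, 'receptionist')");
$db->exec("INSERT INTO role (id, name, description) VALUES (1, 'Receptionist', 'View-only client info')");
$db->exec("INSERT INTO permission (route, roleid) VALUES ('client/index', 1), ('client/view', 1)");
$db->exec("INSERT INTO role2user (userid, roleid) VALUES (1, 1)");

var_dump(userCanAccessRoute($db, 1, 'client/view'));    // route granted to the role
var_dump(userCanAccessRoute($db, 1, 'Client/View/'));   // same route, different case and slash
var_dump(userCanAccessRoute($db, 1, 'client/delete'));  // route never ticked for the role
var_dump(userCanAccessRoute($db, null, 'client/view')); // unauthenticated request
```

Because a route with no permission row is refused, a controller action added later stays inaccessible until someone ticks it for a role.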

Rights is a very good extension for handling RBAC.

Maybe you can get some ideas from it. :)

Thank you for the suggestion Davidhhuan. Rights certainly does look promising - very clean & simple user interface, perhaps I can get some ideas from it.