Simplifying the use of RBAC

I think my use of RBAC could be much simpler. I think I was confusing the auth item hierarchy with auth item assignment.

I’m interested in what y’all think of this idea. I think it can be implemented with a simple extension to CPhpAuthManager.

Yii’s authManager uses its own persistent storage (either a set of DB tables or a PHP file) to keep two things:


[*]A graph of auth items, each with its relevant properties

[*]Assignments of users to auth items


This is flexible and allows fine-grained access control. If you have a graph of auth items complex enough so that a user can have multiple auth item assignments then this system seems like the way to go.

But what if the app requires that each user only ever has one auth item assignment? And maybe it’s convenient to keep that assignemnt in the user table rather than in the authManager’s persistent store?

In my case I have ‘superuser’, ‘staff’, ‘user’, and ‘guest’; each user has one of those, stored in the user’s record in the user table. But the graph of auth items is still useful and so are all of Yii’s handy APIs that I use throughout my apps. So I don’t want to ditch RBAC.

What I do now is: at login I read the role from the user table, do authManager->assign() and authManager->save(). Then when the user comes back, Yii looks after things, reading the user’s auth items from the RBAC persistent storage. (See wiki 65)

That’s not very clever. In fact, it’s quite inefficient (and possibly insecure, given that users’ roles can change).

Instead of this, what if the authManager’s persistent storage had only the auth item graph? At login, read the user’s role from the user table and save it in the user session. Then, and every time the user returns, do authManager->assign() but don’t do authManager->save(). So the persistent authManager data will never be updated with assignments. It will only store the auth item graph, which will be fairly small and mostly static. That makes CPhpAuthManager suitable (it will end up being cached).

I think a fairly simple extension of CPhpAuthManager can manage to implement the above. Override CPhpAuthManager::getAuthItems so that it checks to see if the user has the assignment shown in session data, and, if not, assign it.

Any opionions on the idea?

If you like it, is it worth proposing this as a feature for Yii?

More thoughts:


[*]The key distinction I am looking for is not whether each user has only one assignment; it is where to store assignments.

[*]Something like a SessionAuthManager that reads the auth item graph from a PHP file and assignments from the session is what I want.

[*]This auth manager would be different from CDbAuthManager and CPhpAuthManager in that it can only answer questions about the current user’s auth items—CDbAuthManager and CPhpAuthManager can answer questions about any user id.