[Solved] Rabc, Using Cwebuser To Detect User Roles

Hi all,

I’m trying to create a user management module for my app. In this module I need to be able to assign roles to users, I’m trying to use the RBAC method, which is working great for access but I’m having trouble administering it.

What I’m trying to do is get a list of roles that any given user does not have access to, in order that I can select from that list to add a new privilege to the user.

I’m not sure there is a way to grab all the roles that a user doesn’t have access to, and I think I’m going in a very round-a-bout way, but one method I though might work would be to create a new CWebUser class and load a specific user into that class and call checkAccess() to see if they have access to that role. If they don’t, I can add it to the list of roles that I can assign them in future, if they do already have access I can discard it from the list as I don’t want to apply the same role twice.

However, doing this seems to overwrite the current logged in user, and my admin user assumes the privilages of the user I was editing! The code I’m using is:

$userRoles = AuthItem::model()->notAlreadyApplied($userId)->findAll();

$webUser = new CWebUser;


// Remove any remaining privilages that this user has

foreach(array_keys($userRoles) as $key)





The ‘notAlreadyApplied($userId)’ method is a named scope in the AuthItem model that filters all roles that are already applied to the user, and also their direct children (not descendants, as I can’t work out how to do that - hence having to use this CWebUser method).

As I mentioned, this feels very ‘hacky’ and I don’t like it much, but can anyone suggest a better method? Am I overlooking something really obvious? I’ve checked the methods available in CAuthManager, but none of them can return the descendants of a users roles, only the role and/or direct children.


Obviously, this is not the way to go, I’m an idiot, this works fine: