Specific Use Case - Can Rbac Save Code Here?


I have this use case:

In the system we have:

  • lists
  • subscribers - this is the ‘dumb’ crude user entity that is subscribed to a ‘list’
  • users - the administrative users of the system. those can do administrative actions like ‘send message’, ‘add user to list’, etc.

(there are other tables, such as list-subscribers linking table (many to many))

Now as far as the ‘auth items’, those might be:

  • send message (to a certain list, upon which multiple subscribers can be subscribed).
  • add user to list
  • delete user, etc… .

Now, RBAC seems not very useful since a lot of the actions involve specific user, specific list and specific action. For example, user A can send a message to a list X but not remove users from that list.

In other words, lots of authorization decision making is in specific context: ‘send message’ is not for every user that has the authorization but for certain user for certain list. Another example: “administer list subscribers” is not given for a user for all lists but for a certain list only.

I guess you can sense the limitation I’m facing.

Now, one solution would be to create a special table named ListUser, which is a linking table between users and lists. This table would have two columns - UserId and ListId.

The trick is to assign auth items not to user, but to a combination of User and list. This way we could assign for example “send message” to a combination of user id=3 and list id=14. This kind of solution seems to cut the chase but I’m not sure how well will it combine with the pre-existing RBAC layer. I now think that this layer probably need a primary key ‘id’ for this linking table as well, which replaces the unique ‘user id’ that exists for users. I’m not sure about the rest of the implications.

I’d be happy for any tips/insights on how I can utilize Yii the most and write as little code as needed.