So I'm now at the point that I have password protected the admin pages, however I can only see a way of having global users (when I go to the front end I am logged in as admin also). What I really want is a way of making admin users have a static username and password, but then my ecommerce members have their chosen usernames and passwords which are hashed and saved in the db… Is there a way of doing this, or is it role based, so I would say one group are members and the other are admins?
I would make it role based. That way, your system should be able to use the same authorization structure throughout. So you don’t have two different authorization systems – one for admin and another for members (if I understand you correctly).
I am also developing a commercial site. My clients are companies with branches. So each branch will have a “User Manager” who will be able to assign roles to the users in the branch.
If I don’t want the User Manager to be able to assign the Admin role, I would flag the admin role record as being “not to be an option for the User Manager” or something.
I had to write my own RBAC procedures because Gii-generated controllers only check if the user is assigned a certain role. But I need the system to check if the user is assigned a certain role “for a specific branch”, because the user could easily have different jobs to perform (different roles) at different branches.
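An added illustration of the two ideas in this reply: a branch-scoped role check, and a flag on the role record that keeps a branch User Manager from handing out the Admin role. This is a constructed example, not Yii's RBAC API or the poster's code; the role names, `Rbac` class and its methods are assumptions.

```python
from dataclasses import dataclass, field

# Assumed role table. The flag mirrors "not to be an option for the User Manager".
ROLES = {
    "admin":        {"manager_assignable": False},
    "user_manager": {"manager_assignable": True},
    "member":       {"manager_assignable": True},
}


@dataclass
class Rbac:
    # (user, role, branch) triples; branch None means a global assignment
    assignments: set = field(default_factory=set)

    def assign(self, user, role, branch=None):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.add((user, role, branch))

    def check_access(self, user, role, branch):
        """True only if the user holds the role at this branch or globally."""
        return (user, role, branch) in self.assignments \
            or (user, role, None) in self.assignments

    def assign_as_manager(self, actor, target, role, branch):
        """Assignment done by a branch User Manager: the actor must manage
        that branch, and the role must be flagged as manager-assignable."""
        if not self.check_access(actor, "user_manager", branch):
            raise PermissionError(f"{actor} is not a User Manager for {branch}")
        if not ROLES[role]["manager_assignable"]:
            raise PermissionError(f"{role!r} cannot be assigned by a User Manager")
        self.assign(target, role, branch)


def demo():
    """Constructed scenario: global admin, one branch manager, one member."""
    rbac = Rbac()
    rbac.assign("alice", "admin")                   # site-wide admin
    rbac.assign("bob", "user_manager", "london")    # manages London only
    rbac.assign_as_manager("bob", "carol", "member", "london")
    results = {
        "carol_member_london": rbac.check_access("carol", "member", "london"),
        "carol_member_paris": rbac.check_access("carol", "member", "paris"),
        "alice_admin_paris": rbac.check_access("alice", "admin", "paris"),
    }
    for role, branch in (("member", "paris"), ("admin", "london")):
        try:
            rbac.assign_as_manager("bob", "dave", role, branch)
            results[f"bob_assign_{role}_{branch}"] = "allowed"
        except PermissionError:
            results[f"bob_assign_{role}_{branch}"] = "denied"
    return results
```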