RBAC does not work when changing an entity

There is a problem with how RBAC works.

I want to gradually rewrite the site from yii2 to another framework.
For this purpose I have created a new entity, User. Its properties are described by date objects, it inherits from ActiveRecord, and it implements IdentityInterface.

#[ORM\Entity]
#[ORM\Table(name: 'amqp_auth_user')]
class User extends ActiveRecord implements IdentityInterface
{
    #[ORM\Column(type: IdType::NAME)]
    #[ORM\Id]
    private ?Id $id = null; // Uuid 
    *************************
    #[ORM\Column(type: Types::STRING, nullable: true)]
    private ?string $passwordHash = null;
    #[ORM\Column(type: Types::STRING, nullable: true)]
    private ?string $authKey = null;
    **************************
    public function getAuthKey(): ?string
    {
        return $this->authKey;
    }

################## YII2 ##############

    public function afterFind(): void
    {
        /** @psalm-suppress UndefinedThisPropertyFetch */
        $this->authKey = (string)$this->auth_key;
        $this->passwordHash = (string)$this->password_hash;

        parent::afterFind();
    }

    public function beforeSave($insert)
    {
        $this->auth_key = $this->authKey;
        $this->password_hash = $this->passwordHash;
        // Return the parent's result: a missing return yields null, which cancels the save.
        return parent::beforeSave($insert);
    }

    public static function tableName()
    {
        return 'amqp_auth_user';
    }
    /** @psalm-suppress MixedInferredReturnType */
    public function validatePassword(string $password): bool
    {
        /** @psalm-suppress UndefinedClass */
        return Yii::$app->security->validatePassword($password, $this->passwordHash);
    }

    public static function findIdentity($id): ?User
    {
        return static::findOne(['id' => $id, 'status' => Status::STATUS_ACTIVE]);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
    }

    public function validateAuthKey($authKey): bool
    {
        return $this->getAuthKey() === $authKey;
    }
}

I specify this entity in the configuration.

// backend/config/main.php

use yii\web\User;
use App\Entity\User as UserEntity;

'components' => [
        'user' => [
            'class' => User::class,
            'identityClass' => UserEntity::class, // <---- My class
            'enableAutoLogin' => true,
            'identityCookie' => ['name' => '_identity-backend', 'httpOnly' => true],
        ],
],
**********
'as access' => [
        'class' => AccessControl::class,
        'except' => ['site/login', 'site/error', 'site/logout'],
        'rules' => [
            [
                'allow' => true,
                'roles' => ['admin'],
            ],
        ],
 ],

// common/config/main.php

'authManager' => [
    'class' => DbManager::class,
],

There is an entry in the auth_assignment table

admin | d32ad83b-badb-4638-9748-885b983b726c | 1686934538

A user has been created in the table amqp_auth_user

d32ad83b-badb-4638-9748-885b983b726c | admin@admin.com | active

When trying to authorize, I get a 403 response.

I made such a check in actionIndex.

    public function actionIndex()
    {
        if (Yii::$app->user->identity?->id) {
            echo "<pre>";
            print_r(Yii::$app->getAuthManager()->getRolesByUser(Yii::$app->user->identity->id)); 
            if (Yii::$app->user->can(Rbac::ROLE_ADMIN)) {
                exit(' access!!!');
            } else {
                exit(' no access!!!');
            }
        }
        return $this->render('index');
    }

In response, I get arrays

Array
(
    [admin] => yii\rbac\Role Object
        (
            [type] => 1
            [name] => admin
            [description] => Admin
            [ruleName] => 
            [data] => 
            [createdAt] => 1709156762
            [updatedAt] => 1709156762
        )

)
 no access!!!

As I understand it, the authorization is successful and the user has the role “admin”, but I still get a 403.

How can I solve this problem?

What does your RBAC hierarchy look like?

parent             child
ownManage          manage
user               ownManage
moderator          user
moderator          manage
admin              moderator

That’s probably not the case.

This line returns an empty array

print_r(Yii::$app->authManager->getRolesByUser(Yii::$app->user->id));

But this check outputs a filled array.

print_r(array_column(Yii::$app->authManager->getRolesByUser(Yii::$app->user->identity->id), 'name'));
print_r(Yii::$app->authManager->getRolesByUser(Yii::$app->user->identity->id));
if (Yii::$app->user->can(Rbac::ROLE_ADMIN)) {
   exit(' access!!!');
} else {
   exit(' no access!!!');
}

// output
Array
(
    [0] => admin
)
Array
(
    [admin] => yii\rbac\Role Object
        (
            [type] => 1
            [name] => admin
            [description] => Admin
            [ruleName] => 
            [data] => 
            [createdAt] => 1709156762
            [updatedAt] => 1709156762
        )

)
 no access!!!

Does it matter what exactly this method returns, an object or a string?

public function getId(): Id
{
    return $this->id;
}

//OR

public function getId(): ?string
{
     return $this->id;
}

Yes. It matters. Should be a string.
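
An added example, not part of the thread and not Yii's own code: a simplified, stand-alone model of a role lookup keyed by a string user ID, showing the same identity denied when getId() returns a value object and allowed when it returns a string. The Id class, its getValue() accessor, both user classes and hasRole() are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's Id value object; getValue() is an assumed accessor.
final class Id
{
    public function __construct(private string $value) {}
    public function getValue(): string { return $this->value; }
}

// Identity whose getId() hands back the value object (the first variant in the question).
final class ObjectIdUser
{
    public function __construct(private Id $id) {}
    public function getId(): Id { return $this->id; }
}

// Identity whose getId() hands back a plain string (the variant the answer asks for).
final class StringIdUser
{
    public function __construct(private Id $id) {}
    public function getId(): string { return $this->id->getValue(); }
}

// Toy assignment store keyed by the string user_id, like the auth_assignment row in the thread.
const ASSIGNMENTS = ['d32ad83b-badb-4638-9748-885b983b726c' => ['admin']];

// Simplified role check (a model, not Yii's implementation):
// only a scalar ID can match a stored user_id, anything else is denied.
function hasRole(object $identity, string $role): bool
{
    $id = $identity->getId();
    if (!is_string($id) && !is_int($id)) {
        return false; // fails closed: no matching assignment, so the caller answers 403
    }
    return in_array($role, ASSIGNMENTS[(string) $id] ?? [], true);
}

$uuid = new Id('d32ad83b-badb-4638-9748-885b983b726c');
var_dump(hasRole(new ObjectIdUser($uuid), 'admin')); // value-object ID
var_dump(hasRole(new StringIdUser($uuid), 'admin')); // string ID
```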