User Access based on URL

I’m thinking about converting one of my existing applications into Yii, and have been spending quite a bit of time researching into it.

The way the app currently works is that there are different projects that people can have access to. Users can have access to multiple projects, and in each project have a different set of permissions. Currently the system simply takes the project ID from the URL, and defines all permissions from that. The permissions get even further complicated than that as in each project there are documents, and users have certain access to each document.

How would that be done in Yii’s RBAC? Any code examples or pointers into the right direction? I think that if I understand how to separate user’s access by which project they are viewing, I can then figure out the rest.

I think for such a complicated access control you might want to read about CDbAuthManager

Yes I agree that is the right direction, and do plan on using it. My one problem though is that I cannot figure out how to implement it with the RBAC instructions on the documentation page. Are there any good examples of that out there?

What do you want to know? There are a few extensions that provide the RBAC management as a module, You could look at those as an example.

There are 2 options from CDbAuthManager (or CPhpAuthManager) you’ll have to use.

  1. The static option:

Define an operation id (like “op_project_view”) for each possible action in your application and define it in Yii’s RBAC system.

You can now assign this operation to tasks or roles or users (whichever you prefer).

  1. The dynamic option:

Define a business rule like: “only allow access to a project which I’m a member of”.

Suppose you have a table which links users to projects, you then can write php code to check if the user/project combination exists. This php code should return true if this combination exists (i.e. the user is granted access) or false if it does not exists. Your business rule could look something like:

($userInProject==‘Yes’ ? true : false);

For more info in the biz rules look at

And find this string: $bizRule

Where do you recommend placing the code that checks? Should that be in the SiteController? Is there some sort of "Before page load" or something similar that I can use?

I have these methods:

public function validateTopid($topid)



   return true;


public function checkAccess($topid)


//check user_access table and see if there is a row where it matches userid && topid

//return true

//or block access


You can create a BaseController that extends CController and override it’s beforeAction function to do the checks

Then have your all controllers extend BaseController