User Management Problem

Hello everyone,

I have encountered what appears to be a flaw in the design of our application. I sure could use some help in getting a better understanding of Yii’s user management system and some advice regarding what you all think would be the best way to change our application’s model structure (if necessary).

We’re building an application that has 3 types of users: students (basic users), school administrators (intermediate-level admins) and site administrators (super admins). It’s not just the RBAC/user roles that differentiate the users, though; they also have different attributes.

Initially, when we did our application design, we believed we could have a single User model to manage state persistence, while using SRBAC (great extension, by the way, Spryos!) to manage the different access permissions for the users. In our database, the User table has a lot of columns, many of which are intentionally left null for different user types (e.g. student users have some data that school administrators do not, and vice versa).

However, due to a change in the project’s requirements, it has now become evident that the school administrator users will need to have relationships with other models in our domain (messages and schools) that other types of users do not need and should not have, for security reasons (e.g. student users must not be able to access school administrator messages).

I’m now thinking that it will be necessary to create three new models - one for each type of user, and then build relationships between them and some of the other models individually. But this will require a relatively significant restructuring of the database and application, so I’d like to avoid this if at all possible.

Even though it was a little confusing to me at first, I am now very glad that Yii’s authentication mechanism is decoupled from the modeling of users in a database. It seems that it might be possible to create new models for different types of users without having to make many changes (maybe none, I hope) to the WebUser class I extended from CWebUser.

If anyone had advice for me, I cannot wait to hear it. Thanks in advance!

Can’t you just use RBAC to restrict user access to the other domain models?

You may want to take a look at the business rules you can apply to RBAC operations, I think that should solve your issue.

Example:

Suppose admins have access to messages: all messages.

Students have access to messages: public messages only.

Create an operation with a business rule (= a little piece of php code returning true or false) like:

if student and public message -> return true

else if admin return true

else return false.

@jamesmoey: Thanks - yes, I considered that. It will probably work for some of the scenarios in our application, but for others, for instance, when one type of user needs a relationship with another model (e.g. school administrators own many schools) but another type of user does not have the same relationship to the second model (e.g. students have no inherent relationship to the schools; they can just send them messages), it seems more appropriate to me for each type of user to have his own model.

However, I am still very new to Yii, so I am open to all advice. If there is a better way to accomplish this (especially if it means not having to re-model large parts of the system!), then I am all for it.

@Onman: Thank you! Yes, after thinking about the problem overnight, two possible solutions (as alternatives to creating new models and re-building a lot of the app) occurred to me:

1. BizRules that prevent users from doing things they shouldn’t
2. New model relationship definitions

   Isn’t it possible to define conditions within model relationship definitions, in the additional parameters? I have never tried to do that, and I haven’t been able to find any examples of how it might work. Can anyone provide an example, please?

Bizrules seem like the easiest solution to implement now, but not necessarily the simplest. However, our deadline is upon us and I’m more willing right now to get it working and refactor in the next few weeks, if necessary.

I really don’t understand how bizrules work, though. Are there any examples anyone can provide?

Thank you all!
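A worked illustration of both ideas raised in this thread (a bizRule on an RBAC operation, and a condition inside a relation definition) in Yii 1.1, added here as an example and not taken from any post above. The role names `student` and `schoolAdmin`, the operation name `readMessage`, and the `Message` model's `is_public` and `recipient_id` columns are assumptions.

```php
<?php
// Added example, not from this thread. Assumed names: roles 'student' and 'schoolAdmin',
// operation 'readMessage', a Message model with an is_public column and recipient_id FK.

// 1. RBAC setup, run once (e.g. from a console command or migration).
$auth = Yii::app()->authManager;   // CDbAuthManager or CPhpAuthManager

// A bizRule is a PHP snippet the auth manager eval()s; $params is the array passed
// to checkAccess(). It is code, so only trusted administrators may write it.
// Deny by default: the rule passes only for an admin or for a public message.
$bizRule = 'return Yii::app()->user->checkAccess("schoolAdmin")'
         . ' || (isset($params["message"]) && (int) $params["message"]->is_public === 1);';
$auth->createOperation('readMessage', 'Read a message', $bizRule);

$student = $auth->createRole('student');
$student->addChild('readMessage');           // students reach the op, but the rule filters
$admin = $auth->createRole('schoolAdmin');
$admin->addChild('readMessage');
// $auth->assign('student', $userId) per user at registration; CPhpAuthManager also needs $auth->save().

// 2. Enforce the rule server-side before handing out the record.
class MessageController extends CController
{
    public function actionView($id)
    {
        $message = Message::model()->findByPk($id);
        if ($message === null) {
            throw new CHttpException(404, 'Message not found.');
        }
        if (!Yii::app()->user->checkAccess('readMessage', array('message' => $message))) {
            throw new CHttpException(403, 'You are not allowed to read this message.');
        }
        $this->render('view', array('message' => $message));
    }
}

// 3. The relation-level alternative: the condition is baked into the relation, so
// $user->publicMessages can never return a private message regardless of role.
// Columns in 'condition' are prefixed with the relation name, which is the table alias.
class User extends CActiveRecord
{
    public function relations()
    {
        return array(
            'publicMessages' => array(self::HAS_MANY, 'Message', 'recipient_id',
                'condition' => 'publicMessages.is_public = 1'),
        );
    }
}
```

The relation condition only protects reads that go through that relation; a direct `Message::model()->findByPk()` still needs the `checkAccess()` call, so the two approaches complement rather than replace each other.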