User permissions

Hi,

I am looking into ways to create a User permission system based on a "role" column in the database table on a user record.

Question one …

Could someone tell me what this is for …




class PostController extends CController
{
    ......
    public function filters()
    {
        return array(
            'accessControl',
        );
    }
}



As opposed to this …




class PostController extends CController
{
    ......
    public function accessRules()
    {
        return array(
            array('deny',
                'actions'=>array('create', 'edit'),
                'users'=>array('?'),
            ),
            array('allow',
                'actions'=>array('delete'),
                'roles'=>array('admin'),
            ),
            array('deny',
                'actions'=>array('delete'),
                'users'=>array('*'),
            ),
        );
    }
}



Question two …

Could someone tell me if this is a good way of producing the access permissions with the "role" column in database table …




class PostController extends CController
{
    ......
    public function accessRules()
    {
        // $userModel: the current user's record, assumed to be loaded elsewhere
        $role = $userModel->getRole();

        return array(
            array('deny',
                'actions'=>array('create', 'edit'),
                'users'=>array('?'),
            ),
            array('allow',
                'actions'=>array('delete'),
                'roles'=>array($role),
            ),
            array('deny',
                'actions'=>array('delete'),
                'users'=>array('*'),
            ),
        );
    }
}



Question three …

Is there a better way of doing this?

The accessControl filter is using the accessRules function to figure out what rules it should follow. :)

About question #3:

Just code in the roles, like:


'roles'=>array('admin'),

The filter will figure out what role the current user has.

If you set up an authManager in your configuration, that is. :)

Read more about that in the guide:

role-based-access-control
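Putting the two halves together, as an added example that is not code from the thread: `filters()` switches the accessControl filter on, and `accessRules()` supplies the rules it evaluates. The order of the rules matters, and the trailing deny-all rule is what makes the controller fail closed, because CAccessControlFilter allows an action when no rule matches. `Post` is an assumed ActiveRecord model.

```php
<?php
// Added example (not code from the thread): a Yii 1.1 controller that wires
// the accessControl filter to accessRules(). Rules are checked top to bottom
// and the first match decides; when NO rule matches, CAccessControlFilter
// allows the action, so the trailing deny-all rule is what makes this
// controller fail closed.
class PostController extends CController
{
    public function filters()
    {
        // Turns on CAccessControlFilter, which calls accessRules() below.
        // The "+ action list" form limits the filter to the named actions.
        return array(
            'accessControl + create, update, delete',
        );
    }

    public function accessRules()
    {
        return array(
            // '@' matches any logged-in user, '?' matches guests, '*' everyone.
            array('allow',
                'actions'=>array('create', 'update'),
                'users'=>array('@'),
            ),
            // 'roles' is answered by the configured authManager via
            // checkAccess('admin'), not by reading a column directly.
            array('allow',
                'actions'=>array('delete'),
                'roles'=>array('admin'),
            ),
            // Catch-all: anything not allowed above is denied (HTTP 403).
            array('deny',
                'users'=>array('*'),
            ),
        );
    }

    public function actionDelete($id)
    {
        // Only reached after the rules above allowed it. Post is an assumed
        // ActiveRecord model.
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');
        $post->delete();
        $this->redirect(array('index'));
    }
}
```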

Ahh I see, so the "accessControl" filter simply states that there "are" rules, kind of like setting a validation callback method, whereas the "accessRules" filter is the function where the actual rules are set?

So does the "accessControl" filter automatically look for the "accessRules" function?

Also about Q3, I did say that my "role" is an integer field in the database column on a user record, are you absolutely sure it is configurable this way? I am not using the standard "guest", "user", "admin" roles, I am talking about the real deal, a "role" integer field in database.

The real deal would be CDbAuthManager :)

auth->assign(user, role) does the trick, usually.

Maybe there’s a tutorial about that somewhere?

Yeah all these options seem very good, however it is my first application and they appear to be a bit over the top for me and a pain in the butt to set up.

I might just read the role in from the user model, and use a before filter on my controller actions. Thus producing a workaround.

Hey, wait a minute here! ;D

You just set the auth manager as db auth manager.

And then you write down some code to set it up:


$auth=Yii::app()->authManager;

$auth->createOperation('createPost','create a post');
$auth->createOperation('readPost','read a post');
$auth->createOperation('updatePost','update a post');
$auth->createOperation('deletePost','delete a post');

$bizRule='return Yii::app()->user->id==$params["post"]->authID;';
$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
$task->addChild('updatePost');

$role=$auth->createRole('reader');
$role->addChild('readPost');

$role=$auth->createRole('author');
$role->addChild('reader');
$role->addChild('createPost');
$role->addChild('updateOwnPost');

$role=$auth->createRole('editor');
$role->addChild('reader');
$role->addChild('updatePost');

$role=$auth->createRole('admin');
$role->addChild('editor');
$role->addChild('author');
$role->addChild('deletePost');



After that code is run, it’s stored in the database, so you can safely delete it, put it away, whatever.

It only needs to be done once.

Then you just store the role in the user table, and off you go.

It’s dead simple, really. :)

Try it.

You can create an extremely simple scheme for starters, right?

Then assign users when you need it:


$auth->assign('admin','adminD');

Also needs to be done only once.

After all of that, you can use the lovely functions of the Yii auth, like:


if(Yii::app()->user->checkAccess('createPost'))
{
    // create post
}

Give it a try. :)

And read this too:

http://www.larryullman.com/2010/01/07/custom-authentication-using-the-yii-framework/
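An added example (not code from the thread or from Yii itself) that connects the poster's integer "role" column to the CDbAuthManager setup above: a helper that keeps the auth manager's assignment in step with the column at login, and a controller action that relies on the `updateOwnPost` bizRule from the post. It assumes a `User` ActiveRecord with an integer `role` column, a `Post` ActiveRecord with the `authID` column the bizRule reads, and an authManager configured as CDbAuthManager holding the reader/author/editor/admin tree.

```php
<?php
// Added example (not code from the thread). Assumes: a User ActiveRecord with
// the poster's integer `role` column, and an authManager configured as
// CDbAuthManager holding the 'reader'/'author'/'editor'/'admin' tree from the
// post above. Post is an assumed ActiveRecord with the authID column the
// bizRule reads.
class RoleSync
{
    // Constructed mapping from the integer role column to auth item names.
    private static $roleNames = array(1=>'reader', 2=>'author', 3=>'editor', 4=>'admin');

    // Bring the auth manager's assignment in line with the role column; call
    // after a successful login (e.g. from UserIdentity::authenticate()).
    // An unmapped number yields no assignment, so a bad value grants nothing.
    public static function apply(User $user)
    {
        $auth = Yii::app()->authManager;
        $role = (int) $user->role;
        $wanted = isset(self::$roleNames[$role]) ? self::$roleNames[$role] : null;

        // Revoke stale role assignments so a demoted user really loses access.
        foreach ($auth->getAuthAssignments($user->id) as $name => $assignment) {
            if ($name !== $wanted && in_array($name, self::$roleNames, true))
                $auth->revoke($name, $user->id);
        }
        // assign() inserts a row, so guard against duplicating an existing one.
        if ($wanted !== null && !$auth->isAssigned($wanted, $user->id))
            $auth->assign($wanted, $user->id);
    }
}

class PostController extends CController
{
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');
        // One check covers every role: editor/admin reach 'updatePost'
        // directly; an author reaches it only through 'updateOwnPost', whose
        // bizRule ($params["post"]->authID) is evaluated with the post passed.
        if (!Yii::app()->user->checkAccess('updatePost', array('post'=>$post)))
            throw new CHttpException(403, 'You are not allowed to edit this post.');
        // ... populate $post from the request and save
    }
}
```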

Hmm you made it sound simple, might have to try it.

Maybe I’m advertising a bit but I couldn’t resist. You should try an extension I have written, Rights, which is basically a web interface for Yii’s CDbAuthManager (which jacmoe mentioned above). There is extensive documentation and it’s easy to set up.

Rights can be found here:

http://www.yiiframework.com/extension/rights

Hmmm, does it have user interface?

Hi, as I understand it "rights" allows you to define user operations and actions via a user interface. But how does rights know which user is which, in other words how does it link to the users database table to see which role the user has?

Rights does the standard auth routine:


$auth->assign('admin','adminD');

The rest is handled by the auth manager.

It basically looks in its own database table to see what role the current user has and then follows the rules you’ve set up for it. (Which is where Rights enters the picture: a nice interface)

Try your own stuff first, to understand how it works. Then use Rights in your real project if you have the need for sophisticated rights management.

Hello James,

It assigns permissions (AuthItems) to users using the authorization manager. The way the authorization manager does it is that it maps permissions, which can be roles, tasks or operations, to user ids. That’s basically, in a nutshell, how it works.