Using function to determine Access Rule doesn't work?

Hi guys,

Actually, I should have labeled this "… to determine checkAccess…"

As background, I have a complex authentication system that I’m trying to get RBAC to support. An organization with global reach has several levels of access:

Global, which contains several…

Regions (e.g., Europe — can view/edit events in Europe only), which contains several

Locations (e.g. The Louvre — can view/edit events at the Louvre only), which contains several

Programs (e.g., Special Art Exhibit — can view/edit things associated with this event only), which contains several

Applications (e.g., someone applying to come to an exhibit — can view/edit things associated with their particular application only)

To do this, I defined the discrete operations (viewApplication, viewApplicationFinancialInfo, editApplication, etc.) and grouped them into tasks with business rules applied to them to determine authentication based on location or ownership of an Application. I then assigned groups of tasks to roles, and assigned users to roles. Users will often have more than one role, since staff members may work in one regional office, but be hired as staff for a program outside of their region. Staff at all levels have varying levels of access to view or modify sensitive data.

Here's the problem:

I have one task called editOwnApplication:


$tasks = array(
    'editOwnApplication' => array(
        // bizRule is PHP code that the auth manager eval()s at checkAccess() time;
        // $params is whatever was passed as the second argument to checkAccess()
        'bizRule'     => 'return Yii::app()->user->checkApplicationOwner("edit",$params);',
        'description' => 'allow people to edit their own applications',
        'children'    => array(
            'editApplication',
            'editApplicationFA',
        ),
    ),
    ...
);

// FURTHER DOWN I assign these variables in proper RBAC fashion. I'm showing it here so you can see the bizRule.




I’ve extended CWebUser to add the function checkApplicationOwner:


class WebUser extends CWebUser {

    public function checkApplicationOwner($action, $params)
    {
        $out = false;
        $myModel = null;

        // checkAccess() passes $params straight through; pick out the model object
        foreach ($params as $param)
            if (is_object($param))
                $myModel = $param;

        // fail closed (no notice, no access) if no Application model was passed
        if ($myModel !== null && $myModel->modelName == 'Application') {
            // NO EDITS ARE ALLOWED BY USER AFTER APPLICATION IS SUBMITTED
            if ($action == 'view' || ($action == 'edit' && $myModel->application_date == null))
                $out = Yii::app()->user->members_id == $myModel->members_id;
        }

        return $out;
    }

}

When called from within the application, I'm doing something like this:


if (Yii::app()->user->checkAccess('editApplication',array($model))) { ... }

However, this returns false when it should return true. I've placed checks in WebUser->checkApplicationOwner() to verify that it is receiving $params correctly and returning the appropriate value in $out. I've also checked within the RBAC bizRule and verified that it is validating correctly. But what ends up coming back to Yii::app()->user->checkAccess() is not accurate.

Is there something I’m missing here?

This is solved.

The problem was that I was assigning the custom editOwnApplication task as a child of a role called "applicant", which had its own rule (return !Yii::app()->user->isGuest;). I would have thought this would have worked, providing multiple levels of validation, but it didn't!

Thanks.
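For anyone hitting the same thing later: the following is an added example, not code from the post above or from the Yii framework. It is a stripped-down re-implementation of how Yii 1.1's CPhpAuthManager walks the auth hierarchy (checkAccessRecursive / executeBizRule), so the chained bizRules from the post can be run from the command line without a Yii install. The Application and DemoUser classes, the Yii stub, the member ids and the assignment are invented for the demo; only the item names and the two bizRule strings come from the post. The point it shows is that every item on the path from the requested operation up to the user's assignment has to pass its own bizRule, so both the task rule and the role rule are evaluated against the same $params, and that a missing model in $params should deny rather than throw.

```php
<?php
// Added example, not from the original post or from Yii: a minimal re-implementation of
// Yii 1.1's hierarchical checkAccess() so the post's bizRules can be exercised stand-alone.
// Assumed/invented for the demo: Application, DemoUser, the Yii stub and member ids.

class Application
{
    public $modelName = 'Application';
    public $members_id;
    public $application_date; // null until the applicant submits

    public function __construct($ownerId, $submittedOn = null)
    {
        $this->members_id = $ownerId;
        $this->application_date = $submittedOn;
    }
}

// Stand-in for the extended CWebUser from the post.
class DemoUser
{
    public $isGuest;
    public $members_id;

    public function __construct($membersId)
    {
        $this->members_id = $membersId;
        $this->isGuest = ($membersId === null);
    }

    public function checkApplicationOwner($action, $params)
    {
        $myModel = null;
        foreach ($params as $param) {
            if (is_object($param)) {
                $myModel = $param;
            }
        }
        // Fail closed: no model (or the wrong model) in $params means no access, no PHP notice.
        if ($myModel === null || $myModel->modelName !== 'Application') {
            return false;
        }
        // Applicants may view at any time but edit only before submission.
        if ($action === 'view' || ($action === 'edit' && $myModel->application_date === null)) {
            return $this->members_id !== null && $this->members_id == $myModel->members_id;
        }
        return false;
    }
}

// Minimal stub so the bizRule strings from the post run unchanged outside Yii.
class Yii
{
    public static $app;
    public static function app() { return self::$app; }
}

class DemoAuthManager
{
    private $items = array();       // name => array('bizRule' => ..., 'children' => array())
    private $assignments = array(); // userId => array(itemName => bizRule)

    public function createItem($name, $bizRule = null) { $this->items[$name] = array('bizRule' => $bizRule, 'children' => array()); }
    public function addItemChild($parent, $child) { $this->items[$parent]['children'][] = $child; }
    public function assign($item, $userId, $bizRule = null) { $this->assignments[$userId][$item] = $bizRule; }

    // Like CAuthManager::executeBizRule: an empty rule passes, otherwise the rule is eval'd
    // with $params in scope. Rules are executable PHP: they must come only from trusted
    // configuration, never from request or database data a user can influence.
    public function executeBizRule($bizRule, $params)
    {
        return $bizRule === null || $bizRule === '' || eval($bizRule) != 0;
    }

    // Like CPhpAuthManager::checkAccessRecursive: start at the requested item and walk up
    // through its parents to the user's assignment. Every item on the path must pass its
    // own bizRule, so the task rule and the role rule are both evaluated against $params.
    public function checkAccess($itemName, $userId, $params = array())
    {
        if (!isset($this->items[$itemName])) return false;
        if (!$this->executeBizRule($this->items[$itemName]['bizRule'], $params)) return false;
        if (isset($this->assignments[$userId]) && array_key_exists($itemName, $this->assignments[$userId])
            && $this->executeBizRule($this->assignments[$userId][$itemName], $params)) return true;
        foreach ($this->items as $parentName => $parent) {
            if (in_array($itemName, $parent['children'], true) && $this->checkAccess($parentName, $userId, $params)) return true;
        }
        return false;
    }
}

// Hierarchy from the post: applicant -> editOwnApplication -> editApplication / editApplicationFA.
$auth = new DemoAuthManager();
$auth->createItem('editApplication');
$auth->createItem('editApplicationFA');
$auth->createItem('editOwnApplication', 'return Yii::app()->user->checkApplicationOwner("edit",$params);');
$auth->addItemChild('editOwnApplication', 'editApplication');
$auth->addItemChild('editOwnApplication', 'editApplicationFA');
$auth->createItem('applicant', 'return !Yii::app()->user->isGuest;');
$auth->addItemChild('applicant', 'editOwnApplication');
$auth->assign('applicant', 42); // member 42 (invented id) holds the applicant role

function check(DemoAuthManager $auth, $label, DemoUser $user, $params)
{
    Yii::$app = new stdClass();
    Yii::$app->user = $user;
    $userId = $user->members_id === null ? 'guest' : $user->members_id;
    printf("%-40s %s\n", $label, $auth->checkAccess('editApplication', $userId, $params) ? 'ALLOW' : 'DENY');
}

$member = new DemoUser(42);
check($auth, 'own, unsubmitted application',       $member, array(new Application(42)));
check($auth, 'own, already submitted application', $member, array(new Application(42, '2013-01-01')));
check($auth, "someone else's application",         $member, array(new Application(7)));
check($auth, 'guest, owner id null on both sides', new DemoUser(null), array(new Application(null)));
check($auth, 'no model passed in $params',         $member, array());
```

Run it with `php demo.php`; only the first case prints ALLOW. Each DENY comes from a different link in the chain: the task rule (submitted or foreign application), the role rule plus the missing assignment (guest), and the fail-closed guard in checkApplicationOwner (empty $params). When debugging a real Yii setup, this is the walk to reproduce by hand: the requested operation, then each parent's bizRule with the same $params, then the assignment's bizRule; the first one that evaluates to a falsy value is where checkAccess() gives up.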