Web Services And Rbac/auth

I haven’t seen much by way of Web Services or RBAC discussed here, so I’m curious if any of it is changing.

For web services I am wondering if there will be any built-in support for JSON (yes, it’s trivial to do json_encode). Also, any changes on SOAP/WSDL, since it is built in? Or are there any plans for RESTful tools to ease the process?

Currently I am starting to build mobile apps and it is much easier to deal with JSON. But the security must be at the forefront (I work for Law Enforcement). So I am designing a system with a proxy server to feed the JSON data to the mobile devices through a secure connection and also need to be able to handle roles from RBAC. Any additions to the Yii design to make this process easier would be beneficial.

For RBAC I ended up creating my own but I forget why (might have had something to do with the database and web services). But I’m curious if anything in RBAC is changing.

  1. See CJSON (json_encode is fine as well).

  2. What do you mean by changes on SOAP/WSDL?

  3. There is support of restful routing. Check wiki for ideas on how to use it.

  4. RBAC is stable and rock-solid. No need to change it.

Oops :) Haven’t noticed that it’s about Yii2.

  1. No need for things other than json_encode. CJSON was there because of PHP issues fixed in 5.3.

  2. No SOAP/WSDL support currently.

  3. Support for restful routing in the same manner as in Yii 1.1.x.

  4. Don’t know what we can change in RBAC. It already works well.

Yes, this is concerning Yii2.

  1. json_encode is trivial, but only if you are doing public read only services. For anything else you need secure services, and for that you need to send some sort of Auth on every request (RESTful services).

  2. That’s fine that there will be no SOAP, I won’t miss it.

  3. RESTful routing works well, I was thinking more of secure RESTful services.

  4. RBAC works alright. I think I didn’t like the many DB calls in the case of a deeply nested RBAC tree. I just see people on forums getting confused over RBAC, not sure if it is because the framework looks complex or because the examples need more detail. A visual tool would be very useful built in (not core, but package or something).

I know Yii gives me the flexibility to do all of this, which I like. But I also like when frameworks provide sane defaults. Right now I’ve built my own RBAC tools and have started building my own RESTful web service framework. Maybe the place for these things is packages. Thanks for the response.
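The two concerns raised in the post above, authentication on every request and role checks that do not hit the database once per level of a nested RBAC tree, can be sketched together; this is an added example, not part of the thread and not Yii code. The signed fields, the `keyId`/`ts`/`sig` request layout, the key store and the role map are all assumptions made for illustration, since the thread notes there is no common standard for REST auth.

```php
<?php // Added example: field names, key store and role map are assumptions, not Yii APIs.
const MAX_SKEW = 300; // seconds a signed request is accepted
// Constructed data: API key id => shared secret and directly assigned roles.
$clients = ['mobile-01' => ['secret' => 'constructed-demo-secret', 'roles' => ['officer']]];
// Constructed hierarchy, loaded once into memory: role => roles it inherits.
$children = ['supervisor' => ['officer'], 'officer' => ['viewer']];

function sign(string $secret, string $method, string $path, int $ts, string $body): string {
    // Bind method, path, timestamp and body hash so none can be altered in transit.
    $msg = implode("\n", [$method, $path, $ts, hash('sha256', $body)]);
    return hash_hmac('sha256', $msg, $secret);
}

function hasRole(array $children, array $granted, string $needed): bool {
    // Iterative walk over the in-memory tree; $seen guards against cycles.
    $stack = $granted;
    $seen = [];
    while ($stack) {
        $role = array_pop($stack);
        if ($role === $needed) {
            return true;
        }
        if (!isset($seen[$role])) {
            $seen[$role] = true;
            $stack = array_merge($stack, $children[$role] ?? []);
        }
    }
    return false;
}

function authorize(array $clients, array $children, array $req, string $needed, int $now): int {
    $client = $clients[$req['keyId']] ?? null;
    if ($client === null || abs($now - $req['ts']) > MAX_SKEW) {
        return 401; // unknown key or stale timestamp
    }
    $expected = sign($client['secret'], $req['method'], $req['path'], $req['ts'], $req['body']);
    if (!hash_equals($expected, $req['sig'])) { // constant-time comparison
        return 401;
    }
    return hasRole($children, $client['roles'], $needed) ? 200 : 403;
}

$now = 1700000000; // constructed clock value
$req = ['keyId' => 'mobile-01', 'method' => 'GET', 'path' => '/cases/42', 'ts' => $now, 'body' => ''];
$req['sig'] = sign('constructed-demo-secret', 'GET', '/cases/42', $now, '');
echo authorize($clients, $children, $req, 'viewer', $now), "\n";     // signed, inherited role
echo authorize($clients, $children, $req, 'supervisor', $now), "\n"; // signed, role not held
$req['path'] = '/cases/43';                                          // altered after signing
echo authorize($clients, $children, $req, 'viewer', $now), "\n";
```

The timestamp window only bounds how long a captured request stays valid; rejecting a repeat inside that window would additionally need a server-side nonce or request-id store.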

  1. As far as I know, there’s no common standard for REST auth.

  2. What do you mean by RESTful services?

  3. It’s because RBAC itself isn’t a simple concept. A visual tool is a good idea. I have some thoughts about it, but it’s unlikely to be released with the Yii2 release due to lack of time. By the way, if you need fewer DB requests you can try CPhpAuthManager.

Integrated support for setting up a REST service might indeed prove valuable. With all those MV* JavaScript frameworks becoming more and more popular, it would be really cool if one could just drop them in as another theme, which uses the yii app as a backend through a REST api.

I started working on an extension that allows you to use your existing ActiveRecords as resources, but I’m not yet happy with it. There are still many issues to solve:

  • not all of your models are suited to be used as rest resources

  • how to handle relations

  • when to use sub collections, when to use references (in your rest design)

  • proper solution for login

Yeah, I think the issue with RBAC has more to do with giving people a tool to navigate what is inherently a dodgy process.

For my part, I ended up downloading the rights module and using that, for exactly that reason: it gave me an interface tool that managed the process for me.

I think of this not in terms of functionality but usability. All kinds of frameworks have strong MVC support and work well with database tables and on and on, but one of the big big reasons I chose Yii over them? Gii.

Yes, a programmer worth his salt will know how to build these pieces by hand, and anyone competent will spend a lot of time tweaking the build to his specs anyway, but the point is a) the scaffolding saves time and increases consistency within each folder, and b) the generated code gives a huge step forward to offer new users a glimpse into how the code works.

When I was “shopping” frameworks, I also looked at CodeIgniter and CakePHP, recommended by other devs I know, but CodeIgniter deprecated their scaffolding, and CakePHP’s works in an odd way that I’m not sure is quite the right approach. Gii took Yii’s functionality and gave it out-of-the-box usability that vaulted me forward in developing my site.

In short, I think people asking about RBAC might be asking about an interface for better usability, and I have to say I’d be in support of that, if it’s anywhere as good as Gii for creating models and CRUD.

I agree with the comments about RESTful APIs - it seems to be a little more work than it should be, considering the rise of single-page, javascript-heavy frontends and native mobile apps consuming services directly. I don’t really have a ton of background on this topic, so take this more as an observation from a new Yii user than anything else…

This Laravel Controller example seems like a really nice way to do it - emphasizing the verbs, IMO helps create a more concise API:

// Process registration data.
public function post_register() {}

// Show change password form.
public function get_change_password() {}

// Process change new password.
public function post_change_password() {}

from https://github.com/h...ers/account.php

via http://www.larryullm…ing-frameworks/

Oops I thought I responded to this but I guess not.

  1. There is no common standard for REST auth, correct. There is also no standard for Active Record, every API does it different, yet Yii provides such a feature because it is valuable. I just think it would be a nice and valuable feature.

  2. RESTful services as compared to SOAP services (see below in References for comparison to SOAP).

  3. Thanks, though I think RBAC really isn’t that complex as a concept. I think it just gets difficult because people new to the idea don’t know or are confused by the correct way to map their access control to their organization (or non organization for simple apps). CPhpAuthManager would work if we were smaller, but I work in a large organization of over 1500 people with a large hierarchy.



Just for reference and anyone interested, I found what I was looking for… but in Ruby. Ruby on Rails actually does REST web services with ActiveResource. Would be a good additional package.

I found this while reading a good book on the subject: RESTful Web Services, which describes a standard way of representing web services.