Yii Framework RBAC Model, Trying To Understand

In accessRules, I add all the actions allowed for a certain role anyway, like below:


    array('allow',
        'actions'=>array('create','view'),
        'roles'=>array('role1'),
    ),

Why should I create operations? What is the benefit of creating separate operations like below? I know I can use the checkAccess method if I create operations, but in accessRules I list all the actions that a certain role is allowed to perform, so I don't have to add operations to that role, right?


    $this->_authManager->createOperation("createPost", "create a new post");
    $this->_authManager->createOperation("readPost", "read post");

    $role = $this->_authManager->createRole("role1");
    $role->addChild("createPost");
    $role->addChild("readPost");

I checked: if I allow role1 the delete and admin actions, it will allow me to perform those actions even though I didn't add those operations to role1.


    array('allow',
        'actions'=>array('admin','delete'),
        'roles'=>array('role1'),
    ),

So, what is the benefit of adding operations to a role when it doesn't enforce restrictions?

Because, depending on the actual application, you might not want to hardcode access rules. Roles and operations can be configured by "admin" users from an administration interface without touching the code.

It does, try this:

    array(
        'allow',
        'actions'=>array('delete'),
        'roles'=>array('deletePost'),
    ),

Yes, the property name "roles" is a bit misleading here. Its value can be a task or an operation, too.

I just started using RBAC myself, so I may be wrong on some points, but this is how I understand it.

In this block of code, you're only saying that the logged-in user has to have role1 attached to it to access these actions. In your RBAC initialization code, you said people with the role "role1" should be able to "Create a Post" and "Read a Post", but that doesn't mean that the framework would automatically know that. It just looks at what roles you have assigned to what actions and allows or disallows access depending on whether you have that role or not. If you assigned role1 to, let's say, yourself, you will have access to any action that's controlled by this role, just like in your example above. You could even remove the operations assigned to role1 and still have access to the admin and delete actions (and any other actions you attach under "role1") above.

Roles, tasks and operations are there to help you fine-tune and create an authorization tree that is easy to read and understand.

phtamas is also correct in that you can assign individual tasks and operations to the roles key for more control.
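The following is an added example, not code from this thread or from the Yii project, that puts the three answers together for Yii 1.1: the hierarchy is built with the authManager API (operations under tasks under roles, with assignments stored as data rather than in the controller), accessRules() names operations rather than roles in its 'roles' key, and a business rule on a task handles the one check that accessRules() cannot express on its own. The item names, the constructed user ids, and a Post model with an author_id column are assumptions made for illustration.

```php
<?php
// Added example (not from the original thread). Assumes Yii 1.1 with
// authManager configured (CDbAuthManager or CPhpAuthManager) and a Post
// model that has an author_id column. All item names are assumptions.

// --- 1. Build the hierarchy once, e.g. from a console command. ---
function buildPostRbac()
{
    $auth = Yii::app()->authManager;
    $auth->clearAll();   // assumption: starting from an empty tree

    // Operations are the finest-grained permissions.
    $auth->createOperation('createPost', 'create a new post');
    $auth->createOperation('readPost',   'read a post');
    $auth->createOperation('updatePost', 'update any post');
    $auth->createOperation('deletePost', 'delete any post');

    // A task with a business rule: only the author may update their own post.
    // $params['post'] is supplied by the checkAccess() call in actionUpdate();
    // the isset() guard keeps the rule false when called without params.
    $bizRule = 'return isset($params["post"]) && Yii::app()->user->id == $params["post"]->author_id;';
    $task = $auth->createTask('updateOwnPost', 'update a post you authored', $bizRule);
    $task->addChild('updatePost');

    // Roles group tasks and operations: reader < author < admin.
    $reader = $auth->createRole('reader');
    $reader->addChild('readPost');

    $author = $auth->createRole('author');
    $author->addChild('reader');
    $author->addChild('createPost');
    $author->addChild('updateOwnPost');

    $admin = $auth->createRole('admin');
    $admin->addChild('author');
    $admin->addChild('updatePost');
    $admin->addChild('deletePost');

    // Assignments are data, not code, so an admin UI can change them later.
    $auth->assign('admin',  1);   // constructed user ids
    $auth->assign('reader', 2);
    $auth->assign('author', 3);
    $auth->save();   // writes the file for CPhpAuthManager; no-op for CDbAuthManager
}

// --- 2. Enforce it. Any auth item name may appear in 'roles', because
//        CAccessRule calls $user->checkAccess() on each entry. ---
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions'=>array('view'),            'roles'=>array('readPost')),
            array('allow', 'actions'=>array('create'),          'roles'=>array('createPost')),
            array('allow', 'actions'=>array('update'),          'users'=>array('@')),   // refined in actionUpdate()
            array('allow', 'actions'=>array('delete', 'admin'), 'roles'=>array('deletePost')),
            array('deny'),   // everything else is denied to everyone
        );
    }

    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);   // assumption: Post model with author_id
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');

        // An admin passes through 'updatePost'; an author passes through
        // 'updateOwnPost' only when the business rule sees their own post.
        $user = Yii::app()->user;
        if (!$user->checkAccess('updatePost')
            && !$user->checkAccess('updateOwnPost', array('post'=>$post)))
            throw new CHttpException(403, 'You are not allowed to update this post.');

        // ... normal update logic follows
    }
}
```

With this layout the controller never mentions a role name: giving a new role the right to delete posts means adding the 'deletePost' child to that role in the stored hierarchy, which is the runtime configurability the first answer describes. The 'update' action is the one place accessRules() is not enough, since the rule cannot pass the post to the business rule, so it only requires an authenticated user ('@') and the action performs the owner check with checkAccess() and params.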