yii-user with rights


(Kostya Molchanov) #1

Good day! I need 3 types of users (user, moderator, administrator) with different roles. I decided to use the yii-user and rights extensions. I have 2 questions: 1. How to make a 3rd type of user in yii-user, and 2. How to use yii-user with rights?


(Mail) #2

I use the ‘Yii-user’ and ‘Rights’ extensions in one project. Just install ‘Rights’ as described in the documentation; no modifications to ‘Yii-user’ are needed. (Except probably setting up RBAC for the controllers of Yii-user, but all of them inherit from the Controller class, and if you inherit Controller from RightsBaseController and add there all the functionality needed for your project, all will be OK.) ;)


(Luc Pfister) #3

Hi,

in your config:




    'import'=>array(
        'application.models.*',
        'application.components.*',
        'application.modules.user.models.*',
        'application.modules.user.components.*',
        'application.modules.rights.models.*',
        'application.modules.rights.components.*',
    ),

    'modules'=>array(
        'rights',
    ),

    // application components
    'components'=>array(
        'user'=>array(
            // enable cookie-based authentication
            //'class'=>'RightsWebUser',
            'allowAutoLogin'=>true,
            'loginUrl' => array('/user/login'),
        ),
        'authManager'=>array('class'=>'RightsAuthManager'),
        ..........



in component/controller.php:


class Controller extends RightsBaseController

in your controller:




    public function filters()
    {
        return array(
            //'accessControl', // perform access control for CRUD operations
            'rights',
        );
    }



Create atomic operations based on controller actions with the Rights generator.

Create Tasks: each task must have children (operations)

Create your 3 roles and assign them tasks

Assign your users to their different roles
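
The steps above, done in code rather than through the Rights screens, for the three roles asked about in the first post. This is an added example, not part of the original post or of either extension; the command name, file path and all item names are hypothetical, and it assumes config/console.php defines the same db and authManager components as the web application.

```php
<?php
// protected/commands/RbacSeedCommand.php: hypothetical console command (yiic rbacseed).
// Safe to re-run: items and parent/child links are only created when missing.
class RbacSeedCommand extends CConsoleCommand
{
    public function run($args)
    {
        $auth = Yii::app()->authManager;

        // Illustrative names: task => operations (Controller.Action style).
        $tasks = array(
            'Post.Read'     => array('Post.Index', 'Post.View'),
            'Post.Moderate' => array('Post.Update', 'Post.Delete'),
            'User.Manage'   => array('Admin.Create', 'Admin.Update', 'Admin.Delete'),
        );
        // Each role lists the role it inherits from plus its own tasks.
        // Order matters: a child role must exist before its parent links to it.
        $roles = array(
            'User'          => array('Post.Read'),
            'Moderator'     => array('User', 'Post.Moderate'),
            'Administrator' => array('Moderator', 'User.Manage'),
        );

        foreach ($tasks as $task => $operations) {
            $this->ensureItem($auth, $task, CAuthItem::TYPE_TASK);
            foreach ($operations as $operation) {
                $this->ensureItem($auth, $operation, CAuthItem::TYPE_OPERATION);
                $this->ensureChild($auth, $task, $operation);
            }
        }
        foreach ($roles as $role => $children) {
            $this->ensureItem($auth, $role, CAuthItem::TYPE_ROLE);
            foreach ($children as $child) {
                $this->ensureChild($auth, $role, $child);
            }
        }
    }

    private function ensureItem($auth, $name, $type)
    {
        if ($auth->getAuthItem($name) === null) {
            $auth->createAuthItem($name, $type);
        }
    }

    private function ensureChild($auth, $parent, $child)
    {
        if (!$auth->hasItemChild($parent, $child)) {
            $auth->addItemChild($parent, $child);
        }
    }
}
```

Because each role inherits from the one below it, a permission granted to 'User' never has to be repeated for 'Moderator' or 'Administrator', and users still need an explicit assignment to one of the three roles.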


(Kostya Molchanov) #4

Thanks a lot! Everything works!


(Luc Pfister) #5

Good :)


(Johizzle) #6

I tried what was suggested above but I cannot get the rights top menu to show up. Apparently,


Yii::app()->user->checkAccess('RightsAdministration')



is coming back false for some reason, even though I am signed in as admin.


(Luc Pfister) #7

That’s an issue that I’ve solved like this.


(Tomas Sara) #8

Hi everyone,

I am trying to integrate these two modules together as well but I haven’t succeeded yet. Could anyone who did it share his/her skeleton application?

Thanks in advance.


(Gzav) #9

Hello everyone, I’ve just installed both extensions and it seems to be working. Nevertheless, I have a practical question.

Is it right to say that when a user registers with the web app (using the registration form of yii-user), something must be done to give that registered user the appropriate role defined in Rights?

Thus, the yii-user extension code should be adapted!

Just tell me if I’m wrong and if there is a more straightforward mechanism?

Regards,

xav


(Cniska) #10

Hello xav,

You should call Rights::assign() in your registration action to assign the desired role to the users when they register. Does this answer your question? :)


(Gzav) #11

Yes, totally. Many thanks Chris83.

Kind Regards,

xav

…and best wishes by the way.


(Rob Anderson) #12

Managing Guest and Authenticated Role Permissions

I hope the following is useful for those trying to configure Yii-user with Rights and want to configure ACAC access using Rights. Admittedly, I am very new to the yii framework, so I present this mainly in the hope of getting feedback on the approach (for better or worse).

Edit: please read Chris’s response immediately following this for an alternative approach that does not use business rules and is therefore faster. I have also followed his response with guidelines for this method.

Assumptions

1. You have successfully installed Yii-user and Rights extensions.

2. You have extended your application base controller (normally called Controller) from the RightsBaseController [Edit - RController for version 1.2.0]

3. You have added ‘rights’ to your controllers’ filters (you can then remove ‘accessControl’ filter and accessRules() function).

4. You have determined which actions should always be allowed by implementing the allowedActions() function (optional).

Note: instructions for 2 & 4 are in the Rights documentation (yii-rights-doc-1.1.0.pdf on page 7).

In main/config.php, I added the following ‘defaultRoles’ definition:




    'authManager'=>array(
        'class'=>'RightsAuthManager',	// provides support for authorization item sorting
        // assign default roles to all users, then use bizrules in Rights
        // to distinguish between 'Guest' and 'Authenticated' users
        'defaultRoles'=>array('Guest','Authenticated'),
    ),



Edit - the above code is for Rights version 1.1.0. If you have upgraded to 1.2.0 (see below), the class should be renamed to ‘RDbAuthManager’.

This is only half the solution though. Now, in the Rights Roles screen, add the following business rules to the ‘Guest’ and ‘Authenticated’ roles:

Guest (Role) business rule:


return Yii::app()->user->isGuest;

Authenticated (Role) business rule:


return !Yii::app()->user->isGuest;

So in effect, all users are assigned both roles, but the business rules then determine whether a user is anonymous (Guest) or authenticated. This avoids having to assign roles to users as they register (you may still want to do this for other roles, but it makes no sense to me to do this for the Guest and Authenticated roles).

Note: it took me a while to cotton on to this as I thought that the default Rights configurations: ‘authenticatedName’=>‘Authenticated’ and ‘guestName’=>‘Guest’ would allow for this automatically. This doesn’t seem to be the case, or these are used in other ways…

Now that all this is established, Rights can control access for all controllers that are configured to use the Rights access control filter, e.g.




    /**
     * @return array action filters
     */
    public function filters()
    {
        return array(
            'rights',
        );
    }



Controlling Access to User Lists and Profile Views

This method can be used to manage access to the default user list and user profile view (Yii-user makes these available to all users by default and I didn’t want this), e.g. in user/controllers/DefaultController.php and user/controllers/UserController.php, add the above filter code (in UserController.php you will need to remove the ‘accessControl’ filter and accessRules() function).

Then in Rights, you can use the Permissions screen to generate items for controller actions (e.g. UserModule Default.* and User.*) and Assign rights to roles as you see fit, e.g. you may only want to allow Authenticated users to be able to see a list of users and their user profiles.

Allowed Actions

For now, I don’t tend to use the allowedActions() function to assign default permissions as this then overrides any permissions you may manage with Rights for those controllers. You may find cases where you want to do this, however.

You can also apply the Rights filter to the Site Controller (controllers/SiteController.php) and then use Rights to manage access to the general site pages (or lock them down entirely).

Summary

It took me quite a while to get all this working and I found it frustrating piecing bits of information from documentation, tutorials, and forum posts. I’m sure a lot of this is just ignorance on my part, but when you’re a complete beginner, sometimes the simplest things are difficult!

These are two fantastic extensions that naturally seem to fit together. I hope my experiences may help out those trying to do likewise!

I welcome comments from more experienced users to confirm that this approach is valid or whether I have assumed something that may be problematic.

/Rob


(Cniska) #13

Hello Rob,

First of all I want to say that it’s much appreciated that you’ve written this tutorial. I’m sure it will be of great use for community members who wish to integrate both of these extensions into their Yii application.

About your role assignment, I would do it a bit differently because doing the permission check using business rules always comes with a performance penalty.

Instead I would suggest changing the default roles only to include the ‘Guest’-role and instead assign the ‘Authenticated’-role to each user when they are created. This can be done using the Rights::assign()-method, for more information check out the Rights documentation which can be downloaded here. This way you can avoid using business rules and therefore avoid the performance penalty.

About the allowedActions()-method, I’m thinking of removing it because you can accomplish the same result using the +/- operators that Yii supports for controller filters. You could e.g. specify your filters as follows:




    public function filters()
    {
        return array(
            'rights - index, suggestedTags',
        );
    }



You can read more about Yii’s controller filters here.

I also try to avoid using allowedActions myself because there is always another way of doing this. If you’re curious about how to avoid this method, you should check the PostController.php in my demo package (Yii Blog demo with Rights) which can be downloaded here.

As a side note I could add that some things are going to be changed in version 1.2.0 which is shortly coming out, e.g. the RightsBaseController is now called RController, so you need to update your post after the release.


(Rob Anderson) #14

Hi Chris, thanks so much for your comments - much appreciated :)

That makes sense, I wasn’t really thinking about performance! I’ve tested this out and can confirm it works. So the modifications if anybody wants to use this method to automatically assign the ‘Authenticated’ role to users on registration (and admin creation) are as follows:

In main/config.php, add only the ‘Guest’ role in the ‘defaultRoles’ definition (needs to remain as an array I believe):




    'authManager'=>array(
        'class'=>'RightsAuthManager',   // provides support for authorization item sorting
        // only 'Guest' is a default role; 'Authenticated' is assigned
        // explicitly when a user is created, so no bizrules are needed
        'defaultRoles'=>array('Guest'),
    ),



Edit - the above code is for Rights version 1.1.0. If you have upgraded to 1.2.0 (see below), the class should be renamed to ‘RDbAuthManager’.

Now to automatically assign the ‘Authenticated’ role to users on registration, modify the user/controllers/RegistrationController.php page.

In the actionRegistration() function, change:




    ...
    if ($model->save()) {
        $profile->user_id=$model->id;
        $profile->save();
        if (Yii::app()->controller->module->sendActivationMail) {
    ...



to…




    ...
    if ($model->save()) {
        $profile->user_id=$model->id;
        $profile->save();
        // assign user the 'Authenticated' role for Rights module
        $authenticatedName = Rights::module()->authenticatedName;
        Rights::assign($authenticatedName, $model->id);
        if (Yii::app()->controller->module->sendActivationMail) {
    ...



And to ensure that users created using the admin creation screen are also assigned to the ‘Authenticated’ role, modify the user/controllers/AdminController.php page.

In the actionCreate() function, change:




    ...
    if($model->validate()&&$profile->validate()) {
        $model->password=Yii::app()->controller->module->encrypting($model->password);
        if($model->save()) {
            $profile->user_id=$model->id;
            $profile->save();
        }
        $this->redirect(array('view','id'=>$model->id));
    }
    ...



to…




    ...
    if($model->validate()&&$profile->validate()) {
        $model->password=Yii::app()->controller->module->encrypting($model->password);
        if($model->save()) {
            $profile->user_id=$model->id;
            $profile->save();
            // assign user the 'Authenticated' role for Rights module
            $authenticatedName = Rights::module()->authenticatedName;
            Rights::assign($authenticatedName, $model->id);
        }
        $this->redirect(array('view','id'=>$model->id));
    }
    ...



Note: using this method, business rules are no longer needed in Rights for either the ‘Guest’ or ‘Authenticated’ roles (which as Chris points out, will improve performance).

This solution worked for me, but I appreciate any suggestions for improvements, i.e. maybe there are less intrusive ways to assign these roles. Suggestions welcome, and thanks again to Chris who provided the code for the above role assignments!

Cheers, Rob
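
One less intrusive way to make the role assignment described in the post above, added here as an example and not code from the thread or from either extension: a model behavior that assigns the role whenever a new user record is inserted, so registration, admin creation and any later creation path are all covered by one hook. The class name and file path are hypothetical; it relies on Rights::assign() and Rights::module()->authenticatedName as used above, and on the configured auth manager's isAssigned() method.

```php
<?php
// protected/components/AssignAuthenticatedRoleBehavior.php (hypothetical file)
//
// Attach it in the yii-user User model instead of editing both controllers:
//     public function behaviors()
//     {
//         return array(
//             'assignRole' => array('class' => 'AssignAuthenticatedRoleBehavior'),
//         );
//     }
class AssignAuthenticatedRoleBehavior extends CActiveRecordBehavior
{
    public function afterSave($event)
    {
        $user = $this->getOwner();

        // afterSave() fires for inserts and updates; isNewRecord is still
        // true here for an insert, so updates are skipped.
        if (!$user->getIsNewRecord()) {
            return;
        }

        // The role name comes from the Rights configuration, never from
        // request data, so a registration form cannot choose its own role.
        $role   = Rights::module()->authenticatedName;
        $userId = $user->getPrimaryKey();

        // Guard against a duplicate assignment row if the record was
        // already given the role by other code.
        if (!Yii::app()->getAuthManager()->isAssigned($role, $userId)) {
            Rights::assign($role, $userId);
            Yii::log("Assigned role '$role' to user #$userId",
                CLogger::LEVEL_INFO, 'application.rbac');
        }
    }
}
```

If the hook is ever missed, the user is left with only the default 'Guest' role, so the failure mode is too little access rather than too much.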


(Gzav) #15

Hi, I don’t know for what reason but I keep getting this error


YiiBase::include(RightsBaseController.php) [<a href='yiibase.include'>yiibase.include</a>]: failed to open stream: No such file or directory 

though I’ve been getting through the installation process. Everything was fine until I extended the RightsBaseController. Maybe I’m so much in it that I can’t see my mistake? Any ideas on this anyway?

Regards,

xav


(Gzav) #16

Ok, it’s solved ! I renamed RightsBaseController to RController (v1.2) and it works fine.

Great extension.

Regards,

xavier


(Cniska) #17

I’ve mentioned this in quite a few places. Glad you were able to find the information. :)


(Yii) #18

Hey Chris83, or anyone that has a moment to help… I have installed both modules per the instructions. As soon as I enable rights in the Controller filter, when not logged in, and I visit /user/login I get an infinite redirect… any ideas?


(Rodrigo Barrera) #19

First of all, great extensions both yii-user and rights.

I’ve a question for those who managed to make them work together. I’m a beginner at Yii so maybe this is too basic, but while the two extensions work with users, which model is loaded? I need to extend the user model or access the profile fields but when I call user->something it tells me RWebUser doesn’t have that field or method.

Thanks, and congratulations all for the good work.


(Cniska) #20

Hey kingsol,

I’m not entirely sure but I think that’s a bug that I have fixed in the latest release. Please update Rights and try again. If you’re already running the newest version please report back and we’ll try to figure out what the problem is.