I’m looking for the user management approach/extension that best suits my needs. I need the basic stuff: registrations, login, public user profile (incl. option whether the user wants this), 3 levels of rights (admins, orgs, players), some sort of password retrieval or reset. I also want to be free to name the user table as I want to (i.e. Player) or: I want my users to correspond to a model (players). In a recent yii1 project I solved this by making a relation (fk) from the model (person) to the yii1-user model. That would also do.
I know that Yii2 comes with some basic user stuff already implemented. Yesterday, I tried the yii2 user extension from dektrium. So far it seems to offer what I need and it’s fairly documented. The problem is, it doesn’t work. I made a post on their forum ( https://dektrium.com/d/19-yii2-user-register-action-not-working ) but haven’t received an answer so far (I know I’m being impatient here). Also their github forum sign up option is broken. These are minor, probably even temporary things, yet it still made me think whether my approach to user management is the right one.
I’ve seen yesterday that there’s another yii2 user extension ( https://github.com/amnah/yii2-user ), but it seems less known and less active (last version early this year). Maybe there are even other solutions?
What is your experience with yii2 user management, what does work for you? What do you think would work for me?
I don’t want to reinvent the wheel but I also don’t want to lose too much time chasing problems. With Yii1 I always used Yii-User which worked fine for me.
Whether you are running the basic or advanced version makes a difference. The advanced version has most of what you need built in and the RBAC can be added. The basic version will have you scrambling for a solution. I created a basic version site and borrowed the user management from the advanced as a quick and painless way to get going. The documentation explains the importance of secure user management and some clues as to how to build it, but if you follow it you wind up rebuilding the one from the advanced version which is more time consuming and more error prone than co-opting the advanced one like I did. I would recommend advice from people more expert than I am, and perhaps check for a user extension for the basic version if that’s what you have.
@newbiedo: Luckily, I’ve chosen the advanced template. I wasn’t aware that there was this difference, thanks, this might help me with my next project.
When you say that the advanced template has most of what I need - are you referring mostly to the RBAC stuff? Or does it also come with password retrieval (for people who forgot their password) and stuff like that?
Because even though I have advanced, I installed the yii2 user extension to take care of user management and I’m a little concerned about its inflexibility. I’m now in the process of adding another field to my user model and for that alone I have to (amongst other things) override several classes.
I’m now really not sure anymore what to do, if I should stick with yii2 user or not.
What the advanced version has built in is the password hashing and retrieval. I am not sure what the yii2 user extension does. What I am using is just built on the user management as it comes out of the box from the advanced.
The user identity has to be configured to use the model I believe. I am not in my office so I can give you better details later. Once the user identity is using the user model/info from database, sign up as admin/yourpassword/youremail.
I created the database table and common\models\User as the model. When creating the database table, I created the normal rows, id, passwordhash etc. but added ‘role’ to manage RBAC. In the user model, I added
const ROLE_ADMIN = 60;
const ROLE_MANAGER = 50;
down to ROLE_USER = 10; for various levels of access. Then I updated the admin user role to 60. With that in place I could use the $user->role to allow or deny access to controller actions individually using a function in the user model something like User::checkAccess(Yii::$app->user->identity->id, User::ROLE_ADMIN) which checks to see if the user is at or above a certain level of access. Like I said I can give you specific code later.
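An added illustration of the single integer `role` column approach described in the post above (this is not newbiedo's own code). It assumes a `user` table with an integer `role` column and an `auth_key` column, the constant names the post mentions, and a hypothetical `PostController` in which the check is applied through Yii2's `AccessControl` filter; the controller class would normally live in its own file.

```php
<?php
// Added example, not newbiedo's code. Assumes a `user` table with integer
// `role` and string `auth_key` columns, and the constant names from the post.
namespace common\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use yii\web\Controller;
use yii\filters\AccessControl;

class User extends ActiveRecord implements IdentityInterface
{
    // Higher number = more privileges; the gaps leave room for new levels.
    const ROLE_ADMIN   = 60;
    const ROLE_MANAGER = 50;
    const ROLE_USER    = 10;

    public static function tableName()
    {
        return '{{%user}}';
    }

    // True when the user's role is at or above $requiredRole.
    // A missing id (guest) or a missing row is denied, never granted.
    public static function checkAccess($userId, $requiredRole)
    {
        if ($userId === null) {
            return false;
        }
        $user = static::findOne($userId);
        if ($user === null) {
            return false;
        }
        return (int) $user->role >= (int) $requiredRole;
    }

    // Minimal IdentityInterface so the class can serve as Yii::$app->user->identity.
    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null; // no API tokens in this illustration
    }

    public function getId()
    {
        return $this->getPrimaryKey();
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }

    public function validateAuthKey($authKey)
    {
        return $this->getAuthKey() === $authKey;
    }
}

// Hypothetical controller showing how the level check gates one action.
class PostController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['delete'],
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'], // must be logged in
                        'matchCallback' => function ($rule, $action) {
                            // Yii::$app->user->id is null for guests, so guests are denied
                            return User::checkAccess(Yii::$app->user->id, User::ROLE_ADMIN);
                        },
                    ],
                    // no matching rule => AccessControl denies by default
                ],
            ],
        ];
    }

    public function actionDelete($id)
    {
        // reached only when checkAccess() returned true
    }
}
```

The comparison is on the integer level, so `ROLE_MANAGER` (50) passes a check for `ROLE_USER` (10) but fails one for `ROLE_ADMIN` (60). Because `AccessControl` denies whenever no rule allows, forgetting to list an action under `only` is the main thing to watch: actions outside `only` are not filtered at all.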
Nice, I will check the tutorial. I also had to override a lot already. You have to specify new fields in quite some different places, it’s a bit cumbersome, but it works.
If I add a new field “role” to the user table to use it as a role, then it follows that a user can only have one role at a time. That’s enough for my use case but I find this still a bit curious, as according to the yii2 guide about authorization ( which I’m in the process of reading: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html ), yii2 comes with a full fledged Hierarchical NIST RBAC System, which means you can assign multiple roles to one user. So the yii2 user extension can’t make use of the built-in yii2 rbac and uses a downtrodden version of rbac?
I did already install the yii2-rbac extension but there seems to be like almost no documentation at all. I have no idea where to go with this, so I probably will remove it from my config again.
I will now read the rest of the yii2 guide about RBAC and what I really would like to know now, is if I can use that in conjunction with the yii2 extension.
I use mdmsoft/yii2-admin for RBAC and ACF. It’s a good extension that does all the things that you need to do regarding the access controlling. And it’s clever enough to avoid integrating user management.
And, for user management, I do it on my own from scratch.
IMO, it’s rather simpler and easier to make my own “User” model that satisfies the specified needs of the app.
While the requirements for user management differ from app to app, any kind of "user management extension" looks too "generic" to me.
@softark: Ah, I didn’t know about this extension. What does it offer over the rbac that now comes with yii2? I just finished reading and testing it, and I must say I’m really thrilled. Especially nice that with Rules you can check e.g. if an ‘author’ has created a post before you let him update it.
I was worried before that the native yii2 rbac stuff doesn’t work with the yii2 user extension but it seems to work.
Yes, that’s the trade-off I was worried about. I would really love to be as free as someone who started from scratch but on the other hand user management involves quite a lot of small things that add up to quite some work, if done properly. It’s nice to have stuff like user activation out of the box. Just before while testing I tried to login with an account that wasn’t activated and so I got a warning label that I had to activate the account first. For this, I didn’t have to code anything. But it’s actually a bad example as we won’t need email activation in the final production but I think there’s a simple option to deactivate it.
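The “author may only update their own post” rule mentioned in the post above, written out with Yii2's built-in RBAC as an added example (not code from the thread or from any extension). It assumes `Yii::$app->authManager` is configured (DbManager or PhpManager), a `Post` model with a `created_by` column, and the item names `updatePost`, `updateOwnPost`, `author` and `admin`, all of which are illustrative; user ids 1 and 2 are constructed sample values.

```php
<?php
// Added example of a yii\rbac\Rule; names and user ids are illustrative.
namespace app\rbac;

use Yii;
use yii\rbac\Rule;

class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    // $user is the id of the user being checked, $params come from
    // Yii::$app->user->can('updatePost', ['post' => $post]).
    public function execute($user, $item, $params)
    {
        // Deny when the post is missing, so a can() call without the
        // parameter can never grant access by accident.
        if (!isset($params['post'])) {
            return false;
        }
        return (int) $params['post']->created_by === (int) $user;
    }
}

// One-off hierarchy setup, e.g. run from a console command or migration.
function buildHierarchy()
{
    $auth = Yii::$app->authManager;
    $auth->removeAll(); // rebuild from scratch; drop this line to extend instead

    $updatePost = $auth->createPermission('updatePost');
    $updatePost->description = 'Update any post';
    $auth->add($updatePost);

    $rule = new AuthorRule();
    $auth->add($rule);

    // updateOwnPost is updatePost narrowed by the rule: it only holds when
    // the rule returns true for the given post.
    $updateOwnPost = $auth->createPermission('updateOwnPost');
    $updateOwnPost->description = 'Update own post';
    $updateOwnPost->ruleName = $rule->name;
    $auth->add($updateOwnPost);
    $auth->addChild($updateOwnPost, $updatePost);

    $author = $auth->createRole('author');
    $auth->add($author);
    $auth->addChild($author, $updateOwnPost);

    $admin = $auth->createRole('admin');
    $auth->add($admin);
    $auth->addChild($admin, $updatePost); // admins update anything, no rule
    $auth->addChild($admin, $author);

    // A user may hold several roles at once; assignments are per user id.
    $auth->assign($author, 2);
    $auth->assign($admin, 1);
}

// Controller-side check: pass the concrete post so the rule can inspect it.
function canUpdate($post)
{
    return Yii::$app->user->can('updatePost', ['post' => $post]);
}
```

With this hierarchy, user 2 (author) gets `true` from `canUpdate($post)` only for posts whose `created_by` is 2, while user 1 (admin) reaches `updatePost` directly and gets `true` for every post. The check is always made against the broad permission name (`updatePost`); the rule-guarded `updateOwnPost` is found while walking the hierarchy, which is what keeps controllers free of per-role branching.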
@mathiasa in my approach you can only have one role per user but if you need to have multiple roles you can create a table for roles and then assign to a user. And you get a relation of one to many.
Then in the tutorial change the login in step 2 where you have "$role = \Yii::$app->user->identity->role;"
In many cases creating a user management from scratch is a good approach but I usually use yii2-user from dektrium; it already has a lot of things that I use and I don’t need to spend days creating basic things.
Although I would rather construct my RBAC hierarchy using “migrations”, it’s nice to have a web UI that enables you to check the RBAC hierarchy much easier than reading the source code in the migration script. And sometimes it’s very handy when you want to tweak the RBAC structure.
And one thing I’m very happy with mdmsoft/yii2-admin is an integration of ACF (Access Control Filter) with RBAC structure. It’s implemented with an idea of “route” permissions — you can create an auth item for “route” (e.g. “site/login”, “site/about”, “site/*”, … etc.) and use it for ACF.
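A generic sketch of the “route permission” idea described above, added here as an example; it is not mdmsoft/yii2-admin's code and does not claim to match its exact matching rules. It assumes `Yii::$app->authManager` holds permissions whose names are routes (`site/login`, `site/*`, `*`), and that the filter class name `RouteAccessFilter` is hypothetical. The matching logic is kept in static functions that take plain arrays so it can be tested without a database.

```php
<?php
// Added example, not mdmsoft/yii2-admin's implementation. Permission names
// are routes; "site/*" covers every action of the site controller, "*" covers all.
namespace app\filters;

use Yii;
use yii\base\ActionFilter;
use yii\web\ForbiddenHttpException;

class RouteAccessFilter extends ActionFilter
{
    // Candidate permission names for a route, most specific first:
    // "admin/user/delete" -> ["admin/user/delete", "admin/user/*", "admin/*", "*"]
    public static function candidates($route)
    {
        $route = trim($route, '/');
        $names = [$route];
        $parts = explode('/', $route);
        array_pop($parts); // drop the action part
        while (!empty($parts)) {
            $names[] = implode('/', $parts) . '/*';
            array_pop($parts);
        }
        $names[] = '*';
        return $names;
    }

    // $granted is the list of permission names the user holds.
    public static function isAllowed($route, array $granted)
    {
        foreach (static::candidates($route) as $name) {
            if (in_array($name, $granted, true)) {
                return true;
            }
        }
        return false; // nothing matched: deny by default
    }

    public function beforeAction($action)
    {
        // e.g. "site/login" or "admin/user/delete" (module prefix included)
        $route = $action->getUniqueId();

        // getPermissionsByUser() returns Permission objects keyed by name;
        // for a guest (null id) it returns an empty array, so guests only
        // pass if "*" or the route itself has been granted to nobody... i.e. never.
        $granted = array_keys(
            Yii::$app->authManager->getPermissionsByUser(Yii::$app->user->id)
        );

        if (static::isAllowed($route, $granted)) {
            return true;
        }
        // Fail closed with an explicit 403 rather than silently returning false.
        throw new ForbiddenHttpException('Not allowed to access ' . $route);
    }
}
```

Attach it in a controller's `behaviors()` as `'routeAccess' => ['class' => RouteAccessFilter::className()]`. With a user holding only `site/*`, `isAllowed('site/login', ['site/*'])` is `true` and `isAllowed('admin/user/delete', ['site/*'])` is `false`; granting `*` makes every route pass, which is why that item should be assigned to an admin role only. Because the filter walks from the concrete route up to `*`, a broad wildcard cannot be shadowed by a narrower item; if you need “allow `site/*` but not `site/admin`”, express that by not granting the wildcard rather than expecting the more specific name to override it.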
Yes, it should. Any decent user management extension must work nicely in the yii2 auth framework.
In my cases, the apps do not need self registration of the users, e-mail activation, … etc, although they need to have fairly fine-grained access control. They are in-house apps that run in an intra-net. And I didn’t dig deep into any user management extension.
It might be a good idea to use dektrium/yii2-user in your case, as kandalf suggests. Take your time before you decide.