I’ll describe a simple use case: In the system there are two types of users: a regular user and a super user. A regular user can comment only on his own posts. Super user on the other hand can comment on any post. As far as I understand, in the relevant comment controller action (say, [font=“Courier New”]actionCreate()[/font]) I should use code in the form of [font=“Courier New”]Yii::app()->user->checkAccess(‘permission title here’)[/font] for the permission check, RBAC style (of course, after RBAC tree have been created…).
Now, since we have two possibilities when someone tries to comment on a post - whether its his post or not - the question is whether to create in the RBAC hierarchy two permissions like ‘comment on own post’ and ‘comment on any post’ or create only one permission of ‘comment on a post’ and implement either of the following logic, depending on the selection of the permission setup just described:
In the first case (two distinct permissions):
check if user can post on any post and if so, allow to continue… .
if first check above returned false, check for permission to ‘comment no own posts’ AND validate that post belongs to user that is trying to submit the comment on it as well.
if the above still returned false, disallow comment creation.
Or, if only ‘comment on a post’ permission is found in the RBAC hierarchy:
check if the user has permission to ‘comment on a post’ and that the post is his. if true, proceed and allow to create comment.
if not, check if the user is super user and if so allow anyway.
if still no, disallow comment creation.
I’m a little bewildered as to which option to take and in general. I think that in other words I’m not sure if to introduce ‘affinity’ permissions into the RBAC (plus matching code in the actions themselves) or not.
I’ll be happy for your 2 bits.