And, as in security it is better to wear the belt and also the suspenders, you can override the beforeControllerAction in the admin module and deny access to the whole module.
Hmmmm but isn’t RBAC designed for permissions on controller actions? For example if a user is logged in to ‘member’ module and then tries to access a page in the admin module (e.g. /admin/articles/update/id/2) then they should be redirected to the admin module login page. They should not be given a ‘400’ error.
The only way I can see this working is having separate login systems in place. Will look into the gii module and see how that works.
Cheers sniper. I think that Rights extension looks good but I probably won’t be using it here.
The ideal solution is to have multiple login systems, so that if you are logged in to one particular module it does not log you in to any other module. I’ve gone with jayrulez’ suggestion and looked at how gii works, and this is how I’ve configured the member module:
I do something similar for a project of mine which needed 4 separate login systems.
This is what I did.
Created a module for each sub login system.
Wrote a class that extended from CWebModule that automatically overwrites the app settings with the module's local settings.
    public function init()
    {
        // Change application components to the ones defined in the module.
        // The false flag is needed so that all components are returned;
        // otherwise only the already loaded components would be returned.
        Yii::app()->setComponents($this->getComponents(false));
    }
Extended the module's default module class from my new WebModule class and configured it with:
    public function init()
    {
        // this method is called when the module is being created
        // you may place code here to customize the module or the application

        // import the module-level models and components
        $this->setImport(array(
            'admin.models.*',
            'admin.components.*',
        ));

        // this sets default settings for the admin module
        $this->setComponents(array(
            'errorHandler' => array( // set error handler specifically for this module
                'errorAction' => "/{$this->name}/{$this->defaultController}/error"
            ),
            'user' => array( // set user and authentication options
                'class' => 'WebUser',
                'loginUrl' => "/{$this->name}/{$this->defaultController}/login",
                'logoutUrl' => "/{$this->name}/{$this->defaultController}/logout",
                // separate session key prefix so this module's login state
                // is not shared with other modules
                'stateKeyPrefix' => "_{$this->id}",
            ),
        ));

        // set all the features for a WebModule automatically by init functionality
        parent::init();
    }
Made a copy of the UserIdentity class and put it in each module's components class, and modified the authentication method so it would target the right user login logic.
Made all actions that are needed across multiple modules externally.
Worked fine for me and was the best way I could keep everything separated.
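
The module-level gate discussed in this thread (overriding beforeControllerAction, and sending a user who is only logged in to another module to this module's login page rather than an error), as an added example that is not code from any of the posts. It assumes the module's init() has already installed the module-scoped `user` component shown above; `WebModule` is the base class name used in that post, and the `login` and `error` action names are assumptions that follow its loginUrl/errorAction pattern.

```php
<?php
// Added example, not from the thread. Assumes init() has replaced the
// application's 'user' component with the module-scoped one (own loginUrl
// and stateKeyPrefix), as configured in the post above.
class AdminModule extends WebModule
{
    // Actions of the default controller that must stay reachable without
    // a login (assumed names; adjust to the module's real actions).
    private $_publicActions = array('login', 'error');

    public function beforeControllerAction($controller, $action)
    {
        if (!parent::beforeControllerAction($controller, $action)) {
            return false;
        }

        // Let the login and error pages through, otherwise the redirect
        // below would loop.
        $isPublic = $controller->id === $this->defaultController
            && in_array($action->id, $this->_publicActions, true);
        if ($isPublic) {
            return true;
        }

        // Because the module's user component has its own stateKeyPrefix,
        // a session established in another module (e.g. 'member') is not
        // visible here: that visitor is a guest as far as admin is concerned.
        $user = Yii::app()->user;
        if ($user->isGuest) {
            // Stores the requested URL as returnUrl and redirects to this
            // module's loginUrl; AJAX requests get a 403 instead.
            $user->loginRequired();
            return false;
        }

        return true;
    }
}
```

Controller-level accessRules or RBAC checks still run after this gate, so the module check acts as the second layer rather than a replacement for per-action permissions.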