RBAC again

Hi All!

I have already read the posts concerning RBAC; they didn't help me… ???

I have some lines in my UserIdentity::authorization():



$roleName = 'admin';

$auth = Yii::app()->authManager;

// create the role and a task, then make the task a child of the role
$role = $auth->createRole($roleName);
$task = $auth->createTask($roleName . 'Panel');
$role->addChild($roleName . 'Panel');

// assign the role to the user that just authenticated
$auth->assign($roleName, $user->id);


Then, access rules in the controller:



public function accessRules()
{
    return array(
        array('allow',
            'roles'=>array('admin'),
            'users'=>array('@'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}

of course,



public function filters()
{
    return array(
        'accessControl',
    );
}


And it doesn't work in any case!

My user has access to nothing at this controller!  :o

What's wrong? Help me, please, if you can see my error!

  1. How did you configure the auth manager? (Copy the code from your main config.)

  2. This code:



$auth = Yii::app()->authManager;
$role = $auth->createRole($roleName);
$task = $auth->createTask($roleName . 'Panel');
$role->addChild($roleName . 'Panel');


is meant to be run only once. After that it will be saved in persistent storage and remembered.

The role assignment, $auth->assign($roleName, $user->id), MUST BE RUN on every script run, not only at authorization!

You can do so by overriding the init() method in the controller.

Example: at the authorization point, set an isAdmin flag according to whether the user is an admin or not.



class yourController extends CController
{
    public function init()
    {
        parent::init();
        // isAdmin is a user state set at login (e.g. in UserIdentity)
        if (Yii::app()->user->isAdmin) {
            Yii::app()->authManager->assign('admin', Yii::app()->user->id);
        }
    }
}


simple.

Quote

1) How did you configure the auth manager? (Copy the code from your main config.)


<?php
'authManager'=>array('class'=>'CPhpAuthManager'),


Quote

2) This code:

is meant to be run only once. After that it will be saved in persistent storage and remembered.

The role assignment, $auth->assign($roleName, $user->id), MUST BE RUN on every script run, not only at authorization!

You can do so by overriding the init() method in the controller.

Example: at the authorization point, set an isAdmin flag according to whether the user is an admin or not.

Thanks, it seems I'm slowly beginning to understand…

But if I need to set the 'admin' flag manually and check it in my controllers, what is the advantage of this approach?

One step remains: marking all the needed rules in a filter, which is what I did after all…

I assumed you need only user/admin groups and showed an example of how to make RBAC work. The final method is up to you.

Hi,

I need some guide here.

I want to use RBAC based on PHP code only and not a database.

The code I have put in the auth.php is…




// authorization manager object
$auth = Yii::app()->authManager;

// create roles
$sales = $auth->createRole('sales');
$screening = $auth->createRole('screening');
$admin = $auth->createRole('admin');

// roles whose bizRule decides membership at check time
$bizRule = 'return !Yii::app()->user->isGuest;';
$auth->createRole('authenticated', 'authenticated user', $bizRule);

$bizRule = 'return Yii::app()->user->isGuest;';
$auth->createRole('guest', 'guest user', $bizRule);

// assign the current user's role (role is a custom user state)
if (Yii::app()->user->role == User::SALES) {
	$auth->assign('sales', Yii::app()->user->id);
}
elseif (Yii::app()->user->role == User::SCREENING) {
	$auth->assign('screening', Yii::app()->user->id);
}
elseif (Yii::app()->user->role == User::ADMIN) {
	$auth->assign('admin', Yii::app()->user->id);
}

// persist items and assignments to the auth data file
$auth->save();

I was using "expression" for access control, which is why I have those conditional statements, but now I want to use RBAC.

Now I have read that this code executes only once. Really?

Then where is it saving to?

What is happening behind the scenes?

Plus, I’m also getting this error in auth.php

on this line:


$sales = $auth->createRole('sales');

Thanks.

You could for example put it into an (obscured) controller action and call this action one time. Then comment it out again to make it inaccessible from outside. Or use any other mechanism that makes this action accessible only to you.

Also make sure you configured an authManager component.

Edit:

Also check CPhpAuthManager's options for where the hierarchy will be saved.

Yeah, I guess that will be better, and let's say if I have to change the roles on production, I can enable and call the action again.

I have the following component enabled in my config.php:


'authManager'=>array(
    'class'=>'CPhpAuthManager',
    'defaultRoles'=>array('guest'),
),

Yep… going to read that now.

Thanks a lot again, Mike.

regards,

The documentation says…

which means that what we write in the auth.php is actually saved and that it has to be executed once per visitor session. Because there is no other storage medium defined, it is possible that the auth.php is run every time, which would be a poor approach.

right? :(

I can’t clear the mist about it in my head. Need some explanation on this.

regards,

  1. Create some mechanism to set up the RBAC hierarchy (e.g. a controller action as mentioned above).

  2. Call this action once: the hierarchy will be saved to the data file.

  3. Whenever you assign users to roles or revoke them, this will also be written to the data file.

On every request the data file is read automatically by CPhpAuthManager. You should never touch that file manually!

Maybe the confusion comes from this. The above is wrong (sorry emix ;))! The assignments are also saved persistently.
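The three steps above, as an added example that is not code from this thread: a Yii 1.1 console command (the file name RbacCommand.php and the item names viewPanel and managePosts are assumptions) that builds the CPhpAuthManager hierarchy idempotently and manages assignments from the shell. Running it through yiic instead of an obscured web action means the web server never has to create items, and if assignments are done here as well, the data file can stay read-only for the web user. It assumes protected/config/console.php declares the same 'authManager' component as the web config, so both use the same data file.

```php
<?php
// protected/commands/RbacCommand.php (path and item names are assumptions)
// Added example, not code from this thread. Run from the application directory:
//   ./yiic rbac build
//   ./yiic rbac assign --userId=1 --role=admin
//   ./yiic rbac revoke --userId=1 --role=admin
// Assumes protected/config/console.php declares the same 'authManager'
// component (CPhpAuthManager) as the web config, so both use one data file.
class RbacCommand extends CConsoleCommand
{
    // Steps 1 and 2: create the hierarchy. Re-running is harmless because every
    // item and edge is checked first (createAuthItem() and addItemChild() throw
    // on duplicates).
    public function actionBuild()
    {
        $auth = Yii::app()->authManager;

        // leaf permissions
        $this->ensureItem($auth, 'viewPanel',   CAuthItem::TYPE_OPERATION, 'View the admin panel');
        $this->ensureItem($auth, 'managePosts', CAuthItem::TYPE_OPERATION, 'Create, edit and delete posts');

        // roles; a bizRule is PHP source that Yii eval()s when the item is checked
        $this->ensureItem($auth, 'guest', CAuthItem::TYPE_ROLE, 'guest user',
            'return Yii::app()->user->isGuest;');
        $this->ensureItem($auth, 'authenticated', CAuthItem::TYPE_ROLE, 'authenticated user',
            'return !Yii::app()->user->isGuest;');
        $this->ensureItem($auth, 'admin', CAuthItem::TYPE_ROLE, 'administrator');

        // edges: admin inherits everything below it
        $this->ensureChild($auth, 'admin', 'authenticated');
        $this->ensureChild($auth, 'admin', 'viewPanel');
        $this->ensureChild($auth, 'admin', 'managePosts');

        // nothing reaches the data file until save()
        $auth->save();
        echo "Hierarchy saved to {$auth->authFile}\n";
    }

    // Step 3: assignments go into the same file, so they persist as well.
    public function actionAssign($userId, $role)
    {
        $auth = Yii::app()->authManager;
        if ($auth->getAuthItem($role) === null) {
            $this->usageError("Unknown auth item '$role'; run 'yiic rbac build' first.");
        }
        if ($auth->isAssigned($role, $userId)) {
            echo "User $userId already has '$role'.\n";
            return;
        }
        $auth->assign($role, $userId);   // throws if already assigned, hence the check above
        $auth->save();
        echo "Assigned '$role' to user $userId.\n";
    }

    public function actionRevoke($userId, $role)
    {
        $auth = Yii::app()->authManager;
        if ($auth->revoke($role, $userId)) {
            $auth->save();
            echo "Revoked '$role' from user $userId.\n";
        } else {
            echo "User $userId did not have '$role'.\n";
        }
    }

    private function ensureItem($auth, $name, $type, $description, $bizRule = null)
    {
        if ($auth->getAuthItem($name) === null) {
            $auth->createAuthItem($name, $type, $description, $bizRule);
        }
    }

    private function ensureChild($auth, $parent, $child)
    {
        if (!$auth->hasItemChild($parent, $child)) {
            $auth->addItemChild($parent, $child);
        }
    }
}
```

In the web application nothing else is needed: the 'roles' entry of accessRules() calls checkAccess() for each listed name, so a rule may name the coarse 'admin' role or a single operation such as 'managePosts', and views can ask Yii::app()->user->checkAccess('managePosts') directly. The bizRules are only stored by the build command, never evaluated there, which matters because Yii::app()->user does not exist in a console application.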

It’s not working this way…

I had put all the auth.php code in an action of the site controller. The auth.php is empty now. When I execute the action in the browser it gives an error like this while trying to load authorization data from auth.php

Now this means I have to create the hierarchy in auth.php, but when I do that… it doesn't create the object and I get a "method call on a non-object" error.

So I gave it some thought, deleted the auth.php and called the action again. Guess what… IT WORKED!!!

Yii has created a new auth.php and the roles have been created in it. Now I know what the roles look like.




return array (
  'sales' => array (
    'type' => 2,
    'description' => '',
    'bizRule' => NULL,
    'data' => NULL,
  ),
  'recruitment' => array (
    'type' => 2,
    'description' => '',
    'bizRule' => NULL,
    'data' => NULL,
  ),
  'screening' => array (
    'type' => 2,
    'description' => '',
    'bizRule' => NULL,
    'data' => NULL,
  ),
  'admin' => array (
    'type' => 2,
    'description' => '',
    'bizRule' => NULL,
    'data' => NULL,
  ),
  'authenticated' => array (
    'type' => 2,
    'description' => 'authenticated user',
    'bizRule' => 'return !Yii::app()->user->isGuest;',
    'data' => NULL,
  ),
  'guest' => array (
    'type' => 2,
    'description' => 'guest user',
    'bizRule' => 'return Yii::app()->user->isGuest;',
    'data' => NULL,
  ),
);



Now I don’t have to call the action anymore for minor changes… I can change the roles directly in this array.

Thanks Mike again, your last 3 points helped a lot. I think the documentation needs to provide a bit more detail on this, as most people are asking the same question. Will catch you some time later ^_^

Hope this whole discussion will help someone get their RBAC started right away without hassle.

Good Luck and regards,
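As an added example that is neither Yii's code nor from this thread: a stand-alone PHP script showing what CPhpAuthManager does with an array like the auth.php above on every request, once addChild() and assign() have been saved into it. It loads the same flat item array (with the 'children' and 'assignments' keys the file gains after save()) and resolves checkAccess() the way the framework does: the item's own bizRule must pass, then it is granted if it is a default role, is assigned to the user, or any parent item is granted. Item names, user ids and the $params-based bizRules are constructed for the example, because Yii's own rules reference Yii::app()->user, which does not exist outside the framework. A bizRule is PHP source run through eval(), so this file is executable code; that, as much as the layout, is why it is better generated by a build step than edited by hand.

```php
<?php
// Added example, not Yii's code: a stand-alone model of what CPhpAuthManager
// does with the auth.php array on every request. Plain PHP, no framework.

// Same layout as the file Yii writes: a flat array keyed by item name with
// type (0 = operation, 1 = task, 2 = role), description, bizRule and data.
// 'children' and 'assignments' are the keys addChild()/assign() + save() add.
// Item names, user ids and the $params-based bizRules are constructed here.
function sampleAuthData()
{
    return array(
        'viewPanel' => array('type' => 0, 'description' => 'View the admin panel',
            'bizRule' => null, 'data' => null),
        'viewPublic' => array('type' => 0, 'description' => 'View public pages',
            'bizRule' => null, 'data' => null),
        'admin' => array('type' => 2, 'description' => 'administrator',
            'bizRule' => null, 'data' => null,
            'children' => array('viewPanel', 'authenticated'),
            'assignments' => array(1 => array('bizRule' => null, 'data' => null))),
        'authenticated' => array('type' => 2, 'description' => 'authenticated user',
            'bizRule' => 'return !$params["isGuest"];', 'data' => null),
        'guest' => array('type' => 2, 'description' => 'guest user',
            'bizRule' => 'return $params["isGuest"];', 'data' => null,
            'children' => array('viewPublic')),
    );
}

class MiniAuthManager
{
    private $items = array();        // name   => item definition
    private $children = array();     // parent => array(child => true)
    private $assignments = array();  // userId => array(item => assignment)
    private $defaultRoles;           // roles every user holds implicitly ('defaultRoles' in config)

    public function __construct(array $data, array $defaultRoles = array())
    {
        $this->defaultRoles = $defaultRoles;
        foreach ($data as $name => $item) {
            $this->items[$name] = $item;
            $kids = isset($item['children']) ? $item['children'] : array();
            foreach ($kids as $child) {
                if (isset($data[$child])) {       // children naming unknown items are dropped
                    $this->children[$name][$child] = true;
                }
            }
            $assigned = isset($item['assignments']) ? $item['assignments'] : array();
            foreach ($assigned as $userId => $a) {
                $this->assignments[$userId][$name] = $a;
            }
        }
    }

    // A bizRule is PHP source evaluated with $params and $data in scope;
    // an empty rule passes. This is what makes the data file executable code.
    private function executeBizRule($bizRule, array $params, $data)
    {
        if ($bizRule === null || $bizRule === '') {
            return true;
        }
        return eval($bizRule) != 0;
    }

    // The walk CPhpAuthManager::checkAccess() performs: the item's own rule
    // must pass; then grant if it is a default role, is directly assigned to
    // the user, or any parent item resolves to granted.
    public function checkAccess($itemName, $userId, array $params = array())
    {
        if (!isset($this->items[$itemName])) {
            return false;
        }
        $item = $this->items[$itemName];
        if (!$this->executeBizRule($item['bizRule'], $params, $item['data'])) {
            return false;
        }
        if (in_array($itemName, $this->defaultRoles, true)) {
            return true;
        }
        if (isset($this->assignments[$userId][$itemName])) {
            $a = $this->assignments[$userId][$itemName];
            if ($this->executeBizRule($a['bizRule'], $params, $a['data'])) {
                return true;
            }
        }
        foreach ($this->children as $parent => $kids) {
            if (isset($kids[$itemName]) && $this->checkAccess($parent, $userId, $params)) {
                return true;
            }
        }
        return false;
    }
}

$auth = new MiniAuthManager(sampleAuthData(), array('guest'));
$checks = array(
    array('viewPanel',     1, array('isGuest' => false), true),   // assigned admin, inherits viewPanel
    array('viewPanel',     2, array('isGuest' => false), false),  // logged in but no assignment
    array('authenticated', 1, array('isGuest' => false), true),   // reached only via the admin parent
    array('authenticated', 2, array('isGuest' => false), false),  // nobody is assigned it directly
    array('viewPublic',    0, array('isGuest' => true),  true),   // default role 'guest' via its bizRule
    array('viewPublic',    2, array('isGuest' => false), false),  // guest rule fails for a logged-in user
);
foreach ($checks as $c) {
    list($item, $uid, $params, $expected) = $c;
    $granted = $auth->checkAccess($item, $uid, $params);
    printf("%-13s user %d => %-5s %s\n", $item, $uid, $granted ? 'true' : 'false',
        $granted === $expected ? 'OK' : 'MISMATCH');
}
```

The two points the thread circled around fall out of the walk: a role with no 'assignments' entry for a user grants nothing, however correct the hierarchy is, which is why the first snippet in the thread (items built in memory, never saved) left the user with access to nothing; and a default role such as 'guest' needs no assignment at all, because the in_array() check on defaultRoles short-circuits as soon as its bizRule passes.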