RBAC Custom table structure

kyura · January 27, 2011, 1:31pm

Greetings,

I’ll get straight to the point.

I am developing a large scale web application, one that will make use of RBAC.

The table structure will look as followed

User m:1 Roles

Roles m:m action_groups

action_groups m:m actions

I am quite new to the yii framework, and I have read as much about the YII RBAC as I could find,

however, I could find nothing about making RBAC with custom tables.

Also, the content of these tables must be made editable in the application, we will create an action called: "create-action", "delete-action" etc, which then will be coupled as a group in the intersection table between actions and action_groups, which will then be assigned to a role, and finally to a user.

My question is as followed:

Is this possible within the yii framework? if so, could you possibly put me on the right track.

Any hint can be valuable. Keep in mind, I am a decent PHP developer, but quite a newbie at Yii.

Thank you for taking the time to read, I look forward to hearing from any of you.

gusnips · January 27, 2011, 1:47pm

No need for a custom setup

user belongs to role

role has many operations

each operation has many tasks

more can be found here

zaccaria · January 27, 2011, 1:59pm

Also there is no needs of create new action.

In the most detailed case, you will have a task (rbac permission) for every controller/action in your application, so create a new action will mean modify code (add new action in the application).

What is interesting to realize is to create new roles for group actions and assign roles to user, this can be easily done with the instrument provided by the framework.

If you will follow the Yii philosopy instead of implement custom variation, you will save lot of time and easily get help from the community.

kyura · January 27, 2011, 2:17pm

Thank you for taking the time to read my post and supply an answer. However it arises new questions.

before reading the rest of this post,

an action is indeed a task

an action group an operation

a role is a role

and a user a user.

I understand that my issue looks alot like what can be achieved using standard yii features. In this case, I would like to make usages of these features.

My main problem is in this case also, that I lack the knowledge to implement it. Let alone make it webbased, ie a certain user with a role as "admin"(a role can be anything, roles differentiate cause of the action groups assigned to it) should be able to make a new role, and assign action groups to this role, and actions to certain action groups.

I have actually taken the time to find as much information as possible, but for what i can see in the tutorial, the whole relationship is described in php, i need the actions to be directly inserted and read from the database, a user should obviously not touch any php whatsoever

actions, or tasks, will ofcourse be added as we develop.

What I saw in the tutorials, is that there is one huge php file, with an amount of roles, etc, I want to completely avoid this, I want everything in my database, and I want the authentication to be read from the database. how exactly does this work?

I apologise if im being vague.

My head is spinning atm. Im probably thinking to difficult. But I really need to get this sorted before I can continue.

During the development, I will be the one to create tasks for each controller action, the entire relation beyond that, needs to be managable by users that have no clue whatsoever, who only know how to press buttons, for example.

From what I saw, for yii rbac, in the scheme provided with the framework, upon importing it, it creates three tables, authItem, authItemChild, authAssignment.

I assume authItem is a task, authItemChild, an operation, but what is the assignment? is that a group? and how does it make the relations to any user or role?

I really need to be sure, which of these three tables is an action?

gusnips · January 27, 2011, 3:07pm

authItem is roles, tasks, and operations

authItemChild is the relation between the 3 categories - parent/child

authAssignment is the relation between user and some auth item

Yes, no one likes that part of the job

Anyway, im creating right now a module to check if the role exist, if not and if its the super user (me or other programmer) it pop’s up the roles that does not exist in a form to create them

Also implementing a system like the extension “rights”, but more fittable to my specific case, to the admin of the system to manage authorization (my client’s)

Its yet to be fixed and implemented a lot of things in this auth system of mine, and once im done i might put it under extensions … but i still have a couple months to deliver this project, so i cant be sure when im done ( before the deadline for sure )

anyway, Its just a suggestion for you to implement some kind of system like the one im doing

But yea, you can do it using Yii’s default RBAC system

I was thinking the same as you, to create my custom one but i found out that there’s no need

kyura · January 27, 2011, 3:18pm

Hehe, yeah, after breaking my brain and discussing it with the other programmer, we got to an ok, on using default Yii RBAC and that there is no need for us to have a custom one with the exact same purposes.

Thank you very much for opening my eyes atleast.

With the implementation of the default one, I reckon I should be fine.

thanks again, also for clarifying the relationship between the three tables, from the scheme based on Yii RBAC

As I tought, I was thinking to difficult.

I can sleep tonight after all.

as for that php file thing, I will find a workaround if i decide its needed.

zaccaria · January 27, 2011, 3:23pm

This is just a sample. If you use CDbAuthManager you will run once this huge php file and all rules will be saved in the database (you can also do it in the database, no differences at all).

You can create an interface for user in wich you will show lot of checkbox, one for each role/task/operation, and you will do assing/revoke accordingly to this checkboxes.

This will give admin complete control on all permission assigned to user.

What I wanted to say, is that there is no needs (althought is possible) to create an interface for allow admin to create new tasks, because you have to write in the code somewhere what actions this task will allow to.

By the way, an interface for create all role herarchy in a nice web-based way already exist, is an extension named srbac. This can be a nice tool for developers.

gusnips · January 27, 2011, 3:47pm

For me there is the need to create this interface, yes, but not for create tasks, just to manage the ones i try to use and does’nt exist, also if no specific roles/filters exist to that controller / action the task will be ‘$module-$controller-$action’ which generates a lot of tasks

The admin user, which is my client, can only manage operations and assign roles to users, to make it easier to them

Each task is a child of an operation, so a dropDown in the form of creating unexistent defined tasks I’ll choose an operation for this task

And yeah, Im basing mine in srbac module, which is pretty good

Anyway, just writing to give you some ideas, and maybe get some feedback on the way im doing my auth system module

Please tell me what you think

axgle · January 27, 2011, 4:36pm

like this?




$config=array(

        'reader'=>array('read'),

        'author'=>array('create','read', 'edit'=>'return $author_id==$user_id;'),     //edit own   

        'editor'=>array('author','edit','publish'),

        'master'=>array('editor','delete'),


        'create'=>array('createPost','createComment')

);

$ar=new AuthRelationship($config);

echo (int)$ar->checkAccess('master', 'createPost', array('author_id'=>1, 'user_id'=>1));

yiqing95 · June 29, 2011, 6:30am

i am very interested to your coming extension , do you finish your project