Yii Framework Forum: Chapter 8 : RBAC misunderstandings - Yii Framework Forum

Chapter 8 : RBAC misunderstandings

#1 sebstein
  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 29-January 11

Posted 02 February 2011 - 04:25 AM

Hi,

I'm a little bit disappointed about chapter 8. Here are the reasons:
  • Why add this kind of bizrule in the AuthAssignment table: "return isset($params["project"]) && $params["project"]->isUserInRole("owner");"? As the "owner" information is held in the ItemName column and the rest remains constant, this information can easily be generated by the logic of the application.

  • What's the purpose of the "AuthAssignment" table, since all of this information can be easily retrieved from the "tbl_project_user_role" table? Just imagine we remove that first table: all the RBAC stuff can be done with "tbl_project_user_role" and the other tables.

  • Since RBAC roles are very limited in the TrackStar application, isn't it a loss of performance to keep them inside a database table? Wouldn't keeping them in a PHP array inside a file be faster?

Chapter 8 comes to me as a difficult one. All help or clarification will be very much appreciated.

#2 Lucas Vasconcelos
  • Newbie
  • Group: Members
  • Posts: 14
  • Joined: 25-August 09
  • Location: Salvador, BA

Posted 16 February 2011 - 02:03 PM

I just finished chapter 8 and agree with you...

But, about the use of the database, I think that the author wants to demonstrate the RBAC capabilities... so the use of the database was a great choice.

The RBAC is one of the most important features [to me] from Yii... and it's very hard to find out good samples using it.

I really expected a little more from this chapter.

#3 jefftulsa
  • Advanced Member
  • Group: Yii Dev Team
  • Posts: 168
  • Joined: 06-October 08
  • Location: Austin, TX

Posted 17 February 2011 - 01:00 AM

sebstein, on 02 February 2011 - 04:25 AM, said (post #1, quoted in full):

1) This biz rule allows us to add an extra dimension to using RBAC to check authorization access. We need to assign users to roles, and that is handled by the Yii RBAC implementation (AuthAssignment table in this case), but the thing is, the role is only applicable within the context of a specific project. The user can be an "owner" of Project A, just a "member" of Project B, and yet again only a "reader" of Project C. The AuthAssignment table just makes the association between the role and the user, i.e. it will just say User 1 is an "owner". The business rule makes the extra check to ensure that role does, indeed, apply to the context of the project they are currently within. This allows us to ask: "Okay, great, User 1 is an owner, BUT is user 1 really an owner of Project A?"

2) You still need AuthAssignment to play by the rules of the underlying Yii RBAC implementation and get the advantage of its hierarchical nature. We don't just checkAccess() at the role level, we do this at the task and operation levels as well.

3) Housing this information in the DB will make it easier to wrap a nice GUI management around the rules, but Yii provides multiple implementations, so the choice is certainly yours to make, based on whatever specifications and requirements you are facing in your specific application.

Hope this helps, let me know if you have more questions.



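
The scoping that point 1) above describes, as an added example that is not code from the book, from Yii or from anyone in this thread. It rebuilds, without the framework, what a Yii 1.1 AuthAssignment row plus its bizrule does: the row says "user 1 is an owner", the rule says "but only of the project passed in $params", so the owner check passes for project A and fails for B and C even though the same three role rows exist. The Project class, bizRuleFor(), executeBizRule(), assign() and checkAccess() are stand-ins written for this script (the real checkAccess() also walks the task/operation hierarchy, which is left out here). The book's Project::isUserInRole() reads the current user from Yii::app()->user; here the user id is passed in $params so the script runs stand-alone. Note that the rule is run through eval(), which is the call post #5 below found in the core, so the role name spliced into it is checked against the fixed role list first.

```php
<?php
// Added example (not Yii or TrackStar code): a global role row scoped to one
// project by a bizrule, evaluated the way Yii 1.1 evaluates it.
// Assumptions: Project, bizRuleFor(), executeBizRule(), assign() and checkAccess()
// are stand-ins for this script; the user id travels in $params['userId'] instead
// of Yii::app()->user so that no framework is needed.

class Project
{
    public string $name;
    /** @var array<int,string> constructed membership, user id => role (tbl_project_user_role) */
    private array $roles;

    public function __construct(string $name, array $roles)
    {
        $this->name  = $name;
        $this->roles = $roles;
    }

    public function isUserInRole(string $role, int $userId): bool
    {
        return ($this->roles[$userId] ?? null) === $role;
    }
}

const ROLES = ['owner', 'member', 'reader'];

// Builds the bizrule string the book stores in AuthAssignment.bizrule. The role
// is spliced into PHP source that eval() will run later, so it is checked
// against the fixed role list instead of being taken from the request as-is.
function bizRuleFor(string $role): string
{
    if (!in_array($role, ROLES, true)) {
        throw new InvalidArgumentException("unknown role: $role");
    }
    return 'return isset($params["project"]) && $params["project"]->isUserInRole("' . $role . '", $params["userId"]);';
}

// What CAuthManager::executeBizRule() does in Yii 1.1: an empty rule passes,
// anything else is eval()'d with $params and $data in scope.
function executeBizRule(?string $bizRule, array $params, $data = null): bool
{
    if ($bizRule === null || $bizRule === '') {
        return true;
    }
    return eval($bizRule) != 0;
}

// AuthAssignment as an array keyed like its primary key (itemname, userid).
function assign(array &$authAssignment, string $role, int $userId): void
{
    $key = $role . '-' . $userId;              // the 'owner-1' of the 1062 error
    if (isset($authAssignment[$key])) {
        return;                                 // same guard as isAssigned()
    }
    $authAssignment[$key] = ['itemname' => $role, 'userid' => $userId, 'bizrule' => bizRuleFor($role)];
}

// Flat checkAccess(): the role row plus its bizrule, no task/operation hierarchy.
function checkAccess(array $authAssignment, string $role, int $userId, array $params): bool
{
    $key = $role . '-' . $userId;
    if (!isset($authAssignment[$key])) {
        return false;                           // no row: not an owner anywhere
    }
    return executeBizRule($authAssignment[$key]['bizrule'], $params);
}

// Constructed data: user 1 owns A, is a member of B and only reads C.
$projectA = new Project('A', [1 => 'owner']);
$projectB = new Project('B', [1 => 'member']);
$projectC = new Project('C', [1 => 'reader']);

$authAssignment = [];
assign($authAssignment, 'owner', 1);
assign($authAssignment, 'member', 1);
assign($authAssignment, 'reader', 1);
assign($authAssignment, 'owner', 1);            // owner of a second project: still one row

printf("AuthAssignment rows for user 1: %d\n", count($authAssignment));
foreach ([$projectA, $projectB, $projectC] as $project) {
    $ok = checkAccess($authAssignment, 'owner', 1, ['project' => $project, 'userId' => 1]);
    printf("owner of project %s: %s\n", $project->name, $ok ? 'yes' : 'no');
}
```

Run it with `php rbac_scope.php`. The point to take from it is that the AuthAssignment row alone answers "is user 1 an owner at all?" and only the bizrule, with the project in $params, answers "of this project?"; and because that rule is PHP source handed to eval(), anything interpolated into it (here the role name) has to come from a closed list, never from the request.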

#4 pcs2112
  • Junior Member
  • Group: Members
  • Posts: 79
  • Joined: 31-July 10

Posted 17 February 2011 - 01:26 AM

jefftulsa, on 17 February 2011 - 01:00 AM, said (post #3, quoted in full):

Question: does this implementation assign every user each role (OWNER, MEMBER, READER) by default in the AuthAssignment table?

For example,

let's say user 1 had the OWNER role for project 1 and project 2, but then let's say we remove the OWNER role for user 1 for projects 1 and 2. Do we also have to remove the row in AuthAssignment for the OWNER role for user 1? And then let's say later on we want to make user 1 an OWNER for project 3: do we have to add a row in AuthAssignment for the OWNER role for that user?

So basically, if a user does not have a row in tbl_project_user_role for the OWNER role, does it mean it also doesn't have a row in AuthAssignment for the OWNER role? And if a user has a row in tbl_project_user_role for OWNER, does that mean we create a row in AuthAssignment for the OWNER role for that user?

I know it's confusing, I hope you can understand what I'm trying to ask :)

#5 ngc.7000
  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 07-September 11
  • Location: Trondheim, Norway

Posted 08 September 2011 - 07:17 AM

When I read through the book and came to the chapter about RBAC, I thought this was a nice feature. BUT... when I saw that they stored PHP code in the database I began to worry... does the framework rely on eval()? I took a closer look into the Yii core and found it - they DID use eval().

eval() is one of the functions I disable on a new PHP installation. Having eval() enabled is like asking for problems, IMHO.

And if you have to use eval() - check your code very carefully.

#6 christoph
  • Newbie
  • Group: Members
  • Posts: 8
  • Joined: 29-December 11

Posted 17 January 2012 - 08:09 AM

I'm really having trouble with this database setup, too.
I would also like to quote the first answer in the "Identified issues"-thread:

Backslider, on 25 October 2010 - 11:17 AM, said:

My understanding of the RBAC for this was that users would be assigned a global role, plus individual roles for projects. The table 'authassignment' (which should be AuthAssignment) however has 'itemname' and 'userid' as a primary key, thus causing a MySQL error when trying to assign a user to a project.


Every time I assign a user to one of the three roles (member, reader, owner) in any of my infinite number of possible projects, a row is added to AuthAssign:
itemname = role, userid = id, bizrule = ...

So, let's say I have my Test_user_two, id = 2.

I want him to be a member of both Project 1 and Project 2.

I add him to Project 1: the assignment is made in tbl_project_user_assignment and tbl_project_user_role, but also in AuthAssign.

I add him to Project 2: I get an error message, because the exact same row was already inserted into AuthAssign.

This seems like kind of a big issue to me. Am I getting anything wrong?

edit: I found a solution here in the forum, simply checking, before adding the row to AuthAssign, if this row is already in there. Unfortunately, the forum always tells me my post would look like spam if I try to link these posts or insert code.

#7 msallen
  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 09-March 12

Posted 09 March 2012 - 01:14 PM

Hi - my first post. I've managed to overcome all the typos etc. up to this point (and that's not necessarily a bad thing, as even though it's made my progress through the book slower, I think I've gained a better understanding by having to fix the errors). However ...

I'm now having the same issue that christoph describes above - whenever I add the same user/role to two or more projects I get ...

    CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'owner-1' for key 'PRIMARY'. The SQL statement executed was: INSERT INTO `AuthAssignment` (`itemname`, `userid`, `bizrule`, `data`) VALUES (:itemname, :userid, :bizrule, :data)

... originating from the last line of my ProjectUserForm.verify() method:

    /**
     * Verifies that the username is not already associated to the project, and then associates user/project/role.
     * (Note that the username's prior existence is checked by the 'exist' rule, so it can be assumed here as long as no other errors have already been found.)
     */
    public function verify($attribute, $params)
    {
        if(!$this->hasErrors())
        {
            // Get the user record whose username field matches the contents of the username input field
            $user = User::model()->findByAttributes(array('username'=>$this->username));

            // Is this user already associated with the project?
            if($this->project->isUserInProject($user))
            {
                $this->addError('username','This user ('.$user->username.', '.$user->id.') is already associated with the project.');
            }
            else
            {
                $userId = $user->id;
                $this->project->associateUserToProject($user);
                $this->project->associateUserToRole($this->role, $userId);
                // The bizrule string is stored in AuthAssignment.bizrule and later eval()'d by the auth manager
                $bizRule='return isset($params["project"]) && $params["project"]->isUserInRole("'.$this->role.'");';
                // Fails with the duplicate-entry error above when (role, userId) is already assigned
                Yii::app()->authManager->assign($this->role, $userId, $bizRule);
            }
        }
    }

Whilst I can see that checking for an existing entry prior to calling authManager->assign() would get round this, it seems to go against what we are being "sold" as the way to manage permissioning with RBAC. Is this really the correct approach (and if so, am I right in thinking that a simple call to authManager->isAssigned() is the best way to check this)?

Many thanks.
Mark

#8 azad6026
  • Newbie
  • Group: Members
  • Posts: 5
  • Joined: 01-December 13

Posted 12 December 2013 - 08:02 PM

I am new to Yii and this is my first post. I am in chapter 7 of the book and I managed to solve the problem of duplication in the AuthAssignment table. I hope it is a good solution for this error:
CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate .... by using the isAssigned method of authManager in the assign method of the ProjectUserForm.php model, like this:

    public function assign()
    {
        if($this->_user instanceof User)
        {
            // assign the user, in the specified role, to the project
            $this->project->assignUser($this->_user->id, $this->role);
            // add the association, along with the RBAC biz rule, to our RBAC hierarchy
            $auth = Yii::app()->authManager;
            $bizRule='return isset($params["project"]) && $params["project"]->allowCurrentUser("'.$this->role.'");';
            // only one AuthAssignment row per (role, user) can exist, so skip the insert if it is already there
            if(!$auth->isAssigned($this->role,$this->_user->id))
                $auth->assign($this->role,$this->_user->id, $bizRule);
            return true;
        }
        else
        {
            $this->addError('username','Error when attempting to assign this user to the project.');
            return false;
        }
    }

So in the if statement {if(!$auth->isAssigned($this->role,$this->_user->id))}, if the user has the owner role assigned to them prior to this, it won't be duplicated and the project will be assigned to the user as owner, and they are also able to add different users with different roles to that specific project.
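
The lifecycle that posts #4, #6, #7 and #8 circle around, as an added example that is not TrackStar code: when does the single AuthAssignment row get created, why does a second project hit the duplicate key, and when may the row go away again. The two tables are recreated in an in-memory SQLite database (assumes the pdo_sqlite extension; the schema is trimmed to the columns the posts mention), with AuthAssignment keeping the composite primary key (itemname, userid) that produces the "Duplicate entry 'owner-1'" error. assignUserToProject(), removeUserFromProject() and assignmentRows() are names invented for this script, not methods of the book's Project model; the isAssigned() guard from posts #7 and #8 becomes a query, and removal deletes the global row only once no project still grants the role, which answers post #4.

```php
<?php
// Added example, not TrackStar code: one AuthAssignment row per (role, user),
// created on the first project that grants the role and removed after the last
// one stops granting it. Assumes pdo_sqlite; helper names are invented here.

const ROLES = ['owner', 'member', 'reader'];

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE AuthAssignment (
        itemname VARCHAR(64) NOT NULL,
        userid   VARCHAR(64) NOT NULL,
        bizrule  TEXT,
        data     TEXT,
        PRIMARY KEY (itemname, userid))');          // the key behind "Duplicate entry 'owner-1'"
    $db->exec('CREATE TABLE tbl_project_user_role (
        project_id INTEGER NOT NULL,
        user_id    INTEGER NOT NULL,
        role       VARCHAR(64) NOT NULL,
        PRIMARY KEY (project_id, user_id, role))');
    return $db;
}

function assignUserToProject(PDO $db, int $projectId, int $userId, string $role): void
{
    if (!in_array($role, ROLES, true)) {          // the role is spliced into eval()'d code below
        throw new InvalidArgumentException("unknown role: $role");
    }
    $db->beginTransaction();
    $db->prepare('INSERT INTO tbl_project_user_role (project_id, user_id, role) VALUES (?, ?, ?)')
       ->execute([$projectId, $userId, $role]);
    // The isAssigned() guard as a query: insert the global row only if it is missing.
    $exists = $db->prepare('SELECT 1 FROM AuthAssignment WHERE itemname = ? AND userid = ?');
    $exists->execute([$role, (string) $userId]);
    if ($exists->fetchColumn() === false) {
        $bizRule = 'return isset($params["project"]) && $params["project"]->isUserInRole("' . $role . '");';
        $db->prepare('INSERT INTO AuthAssignment (itemname, userid, bizrule, data) VALUES (?, ?, ?, ?)')
           ->execute([$role, (string) $userId, $bizRule, serialize(null)]);  // Yii 1.1 stores serialize($data)
    }
    $db->commit();
}

function removeUserFromProject(PDO $db, int $projectId, int $userId, string $role): void
{
    $db->beginTransaction();
    $db->prepare('DELETE FROM tbl_project_user_role WHERE project_id = ? AND user_id = ? AND role = ?')
       ->execute([$projectId, $userId, $role]);
    // The global row goes only when no project still grants this role to the user.
    $left = $db->prepare('SELECT COUNT(*) FROM tbl_project_user_role WHERE user_id = ? AND role = ?');
    $left->execute([$userId, $role]);
    if ((int) $left->fetchColumn() === 0) {
        $db->prepare('DELETE FROM AuthAssignment WHERE itemname = ? AND userid = ?')
           ->execute([$role, (string) $userId]);
    }
    $db->commit();
}

function assignmentRows(PDO $db, int $userId): int
{
    $q = $db->prepare('SELECT COUNT(*) FROM AuthAssignment WHERE userid = ?');
    $q->execute([(string) $userId]);
    return (int) $q->fetchColumn();
}

// Constructed walk-through of the scenario in post #4.
$db = openDb();
assignUserToProject($db, 1, 1, 'owner');
assignUserToProject($db, 2, 1, 'owner');         // second project: no SQLSTATE 23000 this time
printf("rows after two projects: %d\n", assignmentRows($db, 1));
removeUserFromProject($db, 1, 1, 'owner');       // still owner of project 2: row kept
printf("rows after leaving project 1: %d\n", assignmentRows($db, 1));
removeUserFromProject($db, 2, 1, 'owner');       // last project: row removed
printf("rows after leaving project 2: %d\n", assignmentRows($db, 1));
assignUserToProject($db, 3, 1, 'owner');         // later, project 3: row created again
printf("rows after joining project 3: %d\n", assignmentRows($db, 1));
```

Run it with `php rbac_lifecycle.php`. Two practical notes: the membership insert and the AuthAssignment insert belong in one transaction, as above, so a failure on either side cannot leave a global role row without a project behind it (the opposite of the error in this thread, and the one that silently grants access); and with the real Yii auth manager the same shape applies, `isAssigned()` before `assign()` and `revoke()` only after the count of remaining project rows for that role drops to zero.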
