Yii Framework Forum: Chapter 8: RBAC implementation

Chapter 8: RBAC implementation

#1 Darwell.J

  • Newbie
  • Yii
  • Group: Members
  • Posts: 11
  • Joined: 23-April 11

Posted 23 April 2011 - 03:50 PM

Hello,

I'm new to Yii, so I'm reading this great book. I have a question though.
Currently I'm finishing the 8th chapter (RBAC), and at the end of the chapter the author shows how to make use of the RBAC in the adduser action, which is this:

// Load the project for the current request, then ask the RBAC auth manager
// whether the current user may perform the "createUser" operation on it.
// The project is passed along as a bizRule parameter.
$project = $this->loadModel();
if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
{
	throw new CHttpException(403,'You are not authorized to perform this action.');
}


Then the author says that similar checks should be done before every action. Is this really the best way to implement the access filter? Shouldn't we combine this with the accessRules() method? I have written the following accessRule:

// Access rule: allow admin, delete and adduser only when isOwner() returns true.
array('allow',
	'actions' => array('admin', 'delete', 'adduser'),
	'expression' => array($this, 'isOwner'),
),


and its expression:

// Callback used by the rule above: receives the web user and the rule,
// loads the project named by ?id= and checks whether the user holds the
// "owner" role for that project.
public function isOwner($user, $rule) {
	$project = $this->loadModel(isset($_GET['id']) ? $_GET['id'] : null);
	return $project->isUserInRole('owner');
}


which I think is more efficient than writing the same IFs in 3 different methods (actionAdmin, actionDelete and actionAdduser). Also, in the author's approach, we have two separate access filters and only the second is actually doing the work.

Please share your thoughts with me.

Kind regards,
Darwell

#2 Junior - df9

  • Advanced Member
  • Yii
  • Group: Members
  • Posts: 416
  • Joined: 24-May 09
  • Location:Brazil

Posted 23 April 2011 - 04:10 PM

Darwell, in my humble opinion, it is way better to create your own baseController class and implement the security check in the beforeAction method. Thus, all your controllers which extend from baseController will inherit the permission checking and you won't have to write lots of "ifs".

Hope this is useful.

regards!
______________________________________
Junior
df9.com.br
Linux Registered User #364954
GNU/Linux: together we're ready!

#3 jefftulsa

  • Advanced Member
  • Yii
  • Group: Yii Dev Team
  • Posts: 168
  • Joined: 06-October 08
  • Location:Austin, TX

Posted 23 April 2011 - 10:23 PM

I think you have to be a little careful here, because the access check you are proposing is making an implicit assumption about the mapping of authorization permissions to specific roles, and this is really the responsibility of the RBAC hierarchy definitions themselves.

So, for example, your code is basically defining that a user in the role of "owner" has permission to perform the operation "createUser" (assuming that actionAddUser is the same as what we mean by the operation "createUser"). Although you are using the RBAC structure when calling

$project->isUserInRole('owner');

this only checks whether a user is assigned the role "owner" (for this project); it does not take into account tasks, operations or other roles that may also be authorized to perform the operation "createUser".

There are certainly many ways to implement your use of the AuthManager::checkAccess() method, but side-stepping it altogether starts to lead you away from full RBAC in Yii.


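To make jefftulsa's point concrete, here is an added example (not the book's code and not from any poster) in plain PHP: a small stand-in for Yii's CAuthManager that walks the role -> task -> operation hierarchy the way checkAccess() does, next to a direct role-membership test like the isOwner() rule above. The item names, user ids and project ids are constructed for the demo; the bizRule closures play the part of the book's array('project' => $project) parameter.

```php
<?php
// Added example (not the book's or the thread's code): a minimal model of
// Yii's RBAC hierarchy, used to compare a role-membership check with a
// checkAccess() walk. Item and user names below are constructed for the demo.

class MiniAuthManager
{
    private $items = [];     // item name => bizRule callable or null
    private $parents = [];   // child name => list of parent names
    private $assigned = [];  // userId => [item name => bizRule or null]

    public function createItem(string $name, ?callable $bizRule = null): void
    {
        $this->items[$name] = $bizRule;
        $this->parents[$name] = [];
    }

    public function addChild(string $parent, string $child): void
    {
        $this->parents[$child][] = $parent;
    }

    public function assign(string $item, int $userId, ?callable $bizRule = null): void
    {
        $this->assigned[$userId][$item] = $bizRule;
    }

    // A role-membership test like $project->isUserInRole('owner'): it only
    // looks at direct assignments and never consults the hierarchy.
    public function isAssigned(int $userId, string $item, array $params = []): bool
    {
        if (!array_key_exists($item, $this->assigned[$userId] ?? [])) {
            return false;
        }
        $rule = $this->assigned[$userId][$item];
        return $rule === null || $rule($params);
    }

    // Same walk as CAuthManager::checkAccess(): the item's own bizRule must
    // pass, then either a direct assignment grants it or any parent item
    // (task or role) is itself granted to the user.
    public function checkAccess(int $userId, string $item, array $params = []): bool
    {
        if (!array_key_exists($item, $this->items)) {
            return false;
        }
        $rule = $this->items[$item];
        if ($rule !== null && !$rule($params)) {
            return false;
        }
        if ($this->isAssigned($userId, $item, $params)) {
            return true;
        }
        foreach ($this->parents[$item] as $parent) {
            if ($this->checkAccess($userId, $parent, $params)) {
                return true;
            }
        }
        return false;
    }
}

// Assignment-level bizRule that scopes a grant to a single project id.
function forProject(int $projectId): callable
{
    return function (array $params) use ($projectId): bool {
        return isset($params['project']) && $params['project'] === $projectId;
    };
}

function buildDemoAuth(): MiniAuthManager
{
    $auth = new MiniAuthManager();
    $auth->createItem('createUser');                 // operation
    $auth->createItem('deleteProject');              // operation
    $auth->createItem('manageProject');              // task
    $auth->addChild('manageProject', 'createUser');
    $auth->addChild('manageProject', 'deleteProject');
    $auth->createItem('owner');                      // role
    $auth->addChild('owner', 'manageProject');
    $auth->createItem('member');                     // role

    $auth->assign('owner', 1, forProject(7));        // user 1 owns project 7
    $auth->assign('member', 2, forProject(7));       // user 2 is a plain member...
    $auth->assign('createUser', 2, forProject(7));   // ...but holds the operation directly
    return $auth;
}

// Run both checks for the (user, project) pairs that show the difference.
function compareChecks(): array
{
    $auth = buildDemoAuth();
    $out = [];
    foreach ([[1, 7], [2, 7], [1, 8]] as [$userId, $projectId]) {
        $params = ['project' => $projectId];
        $out["user{$userId}/project{$projectId}"] = [
            'isOwner'     => $auth->isAssigned($userId, 'owner', $params),
            'checkAccess' => $auth->checkAccess($userId, 'createUser', $params),
        ];
    }
    return $out;
}

foreach (compareChecks() as $case => $r) {
    printf("%-16s isOwner=%-5s checkAccess(createUser)=%s\n", $case,
        var_export($r['isOwner'], true), var_export($r['checkAccess'], true));
}
```

User 1 passes both checks on project 7 and fails both on project 8, because the assignment's bizRule scopes the grant to one project. User 2 is the interesting case: the role test says "not an owner" and would deny the request, while checkAccess() grants createUser through the direct assignment. A rule keyed on the role therefore silently overrides whatever the RBAC hierarchy was configured to allow. On the placement question, nothing forces the checkAccess() call to live inside the action: in Yii 1.1 the same call fits an accessRules() 'expression' callback, e.g. `return Yii::app()->user->checkAccess('createUser', array('project' => $this->loadModel()));`, which keeps the operation-based check and still avoids repeating it in each action.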

#4 Darwell.J

  • Newbie
  • Yii
  • Group: Members
  • Posts: 11
  • Joined: 23-April 11

Posted 24 April 2011 - 04:11 AM

Okay, I get your point - we should check actions and not roles. But still, the question is, should the access check code be written inside the action methods or inside the accessRules() method?