AccessRules: roles without RBAC

ycast · July 28, 2011, 6:18pm

Hi all

I have three user roles in my app: client/member/admin. During login process, I set the respective role with


$this->setState('role', $user->role);

Although I don’t need the RBAC features (operations, tasks, roles), I would like to use something like this in my controller:


public function accessRules()

    {

		return array(

			array('allow',

				'roles' => array('client', 'member'),

            ),

Obviously the roles property only works with RBAC. But can I use the value in setState somehow?

I think such use isn’t planned and I need the work with the expression property, right?

Regards,

ycast

phtamas · July 28, 2011, 7:07pm

I think so.

Btw, storing user’s roles in the session can become a security hole. After a successful login, roles can’t be revoked from the user until the session ends, and a session - technically - can be kept alive for years.

ycast · July 28, 2011, 7:24pm

Thanks for the tip, appreciate it. So I should rather retrieve the role on every request based on the user id?

phtamas · July 28, 2011, 7:35pm

Yes, that would be the only safe way, but it depends on the security requirements of application. For very simple websites with one or two admin users I do store user’s role in the session For anything with more complex acces control I wouldn’t do it.