RBAC with Dynamic roles

daniel1 · August 12, 2011, 7:17am

Consider the following scenario.

I have a blogging system
There are 2 classes of users: Authors and readers
Authors can create posts
Authors can edit of delete posts that they have created, but cannot edit or delete posts that other authors have created

Can the yii RBAC system handle the last requirement? How would I go about doing this ?

Daniel.

pommeverte · August 12, 2011, 7:39pm

Yes it should, You’ll need to use the ‘expression’ property in the AccessRules. ( http://www.yiiframework.com/doc/api/1.1/CAccessRule#expression-detail ).

I haven’t tested this but it should work or at least provide some kind of workaround.

Such as:




public function accessRules(){


    //Get $owner_id from DB using your GET or POST data


    return array(


         array('allow', 

                'actions'=>array('edit','delete'),

                'expression'=>'$user->id=='.$owner_id.' && $user->checkAccess("Author")',

          ),

         array('deny')




    );




}

Yeti · August 13, 2011, 11:58am

Certainly can.

From the Yii guide (in the documentation package):

If the authorization rule is associated with a business rule which requires additional parameters, we can pass them as well. For example, to check if a user can update a post, we would pass in the post data in the $params:
$params=array('post'=>$post);

if(Yii::app()->user->checkAccess('updateOwnPost',$params))

{

// update post

}

The business rule in the "updateOwnPost" authorisation item (also from the Yii Guide) is something like:




'return Yii::app()->user->id==$params["post"]->authID;';