daniel1
(daniel@garcia.net.au)
August 12, 2011, 7:17am
1
Consider the following scenario.
I have a blogging system
There are 2 classes of users: Authors and readers
Authors can create posts
Authors can edit or delete posts that they have created, but cannot edit or delete posts that other authors have created
Can the yii RBAC system handle the last requirement? How would I go about doing this?
Daniel.
pommeverte
(Dylan Millikin)
August 12, 2011, 7:39pm
2
Yes, it should. You'll need to use the 'expression' property in the AccessRules ( http://www.yiiframework.com/doc/api/1.1/CAccessRule#expression-detail ).
I haven’t tested this but it should work or at least provide some kind of workaround.
Such as:
```php
public function accessRules()
{
    // Get $owner_id from DB using your GET or POST data
    return array(
        array('allow',
            'actions'=>array('edit','delete'),
            // the expression string is evaluated as PHP by CAccessRule, so cast the
            // owner id to int before embedding it rather than inserting raw input
            'expression'=>'$user->id=='.(int)$owner_id.' && $user->checkAccess("Author")',
        ),
        array('deny'),
    );
}
```
Yeti
(Chris)
August 13, 2011, 11:58am
3
Certainly can.
From the Yii guide (in the documentation package):
If the authorization rule is associated with a business rule which requires additional parameters, we can pass them as well. For example, to check if a user can update a post, we would pass in the post data in the $params:
```php
$params=array('post'=>$post);
if(Yii::app()->user->checkAccess('updateOwnPost',$params))
{
    // update post
}
```
The business rule in the "updateOwnPost" authorisation item (also from the Yii Guide) is something like:
```php
'return Yii::app()->user->id==$params["post"]->authID;';
```
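Putting the two replies together for the scenario in the question, as an added example that is not code from either reply or from the Yii guide: the auth hierarchy for readers and authors built on the guide's business-rule pattern, plus a controller action that checks it. The Post model with its authID attribute, the item and role names, and the one-off setup function are assumptions.

```php
<?php
// Added example (not from the posts above). Assumes a Post model with an
// authID attribute and an authManager component configured in main.php.
function buildBlogAuthHierarchy() // one-off setup, e.g. from a console command
{
    $auth = Yii::app()->authManager;
    // Atomic operations.
    $auth->createOperation('readPost',   'read a post');
    $auth->createOperation('createPost', 'create a post');
    $auth->createOperation('updatePost', 'update any post');
    $auth->createOperation('deletePost', 'delete any post');
    // Business rule: the post handed over in $params must belong to the current
    // user. The auth manager evaluates it as PHP, so keep it a fixed string and
    // pass data via $params rather than concatenating values into it.
    $ownerRule = 'return Yii::app()->user->id==$params["post"]->authID;';
    $update = $auth->createTask('updateOwnPost', 'update own post', $ownerRule);
    $update->addChild('updatePost');
    $delete = $auth->createTask('deleteOwnPost', 'delete own post', $ownerRule);
    $delete->addChild('deletePost');
    // Readers only read; authors also create and edit/delete their own posts.
    $reader = $auth->createRole('reader');
    $reader->addChild('readPost');
    $author = $auth->createRole('author');
    $author->addChild('reader');
    $author->addChild('createPost');
    $author->addChild('updateOwnPost');
    $author->addChild('deleteOwnPost');
    $auth->save(); // persists for CPhpAuthManager; a no-op for CDbAuthManager
}

class PostController extends CController
{
    public function actionUpdate($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');
        // Fails for readers (no such task in their hierarchy) and for authors
        // editing someone else's post (task present, business rule returns false).
        if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post)))
            throw new CHttpException(403, 'You may only edit your own posts.');
        $post->attributes = $_POST['Post'];
        $post->save();
    }
}
```

Users get one of the roles with `Yii::app()->authManager->assign('author', $userId)`; the same check with 'deleteOwnPost' guards the delete action.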